FBI: Victims lost $5+ billion in email ‘impersonation’ scams in the past three years

Total loss caused by email ‘impersonation’ scams (business email compromise and email account compromise), a sophisticated scam targeting small and medium businesses working with foreign suppliers and businesses that regularly pay by wire transfer or individuals that perform wire transfer payments, have reached the $5 billion threshold between from October 2013 to December 2016, according to recent statistics provided by FBI.

In the aforementioned timeframe, reports show that email ‘impersonation’ scams made 40,203 victims globally, causing financial loss of more than $5.3 billion.

Federal authorities witnessed a 2,370% increase in identified exposed loss between January 2015 and December 2016. The scam has been reported in all 50 US states and other131 countries. Victim complaints filed with the Internet Crime Complaint Center and financial sources indicate fraudulent transfers have been sent to 103 countries.

The victims of the scam range from small businesses to large corporations. The victims deal in a wide variety of goods and services, indicating that no specific sector is targeted more than another. Attackers monitor and study their selected victims using social engineering techniques prior to initiating the scam. The subjects are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive “phishing” e-mails requesting additional details regarding the business or individual being targeted (name, travel dates, etc.), the Bureau says.

“Some individuals reported being a victim of various Scareware or Ransomware cyber intrusions immediately preceding a BEC incident”, FBI informs. “These intrusions can initially be facilitated through a phishing scam in which a victim receives an e-mail from a seemingly legitimate source that contains a malicious link. The victim clicks on the link, and it downloads malware, allowing the subject(s) unfettered access to the victim’s data, including passwords or financial account information.”

According to the Bureau, the scam is linked to other forms of fraud, including romance, lottery, employment, and rental scams. The victims of these scams are usually U.S. based and may be recruited as unwitting money mules. The mules receive the fraudulent funds in their personal accounts and are then directed by the subject to quickly transfer the funds to another bank account, usually outside the U.S., upon direction, mules may open bank accounts or shell corporations to further the fraud scheme.

Based on the financial data, Asian banks located in China and Hong Kong remain the primary destinations of fraudulent funds; however, financial institutions in the United Kingdom have also been identified as prominent destinations, according to federal reports.

Here is a short list of the FBI recommendations to avoid BEC scams:

Avoid free web-based e-mail accounts: Establish a company domain name and use it to establish company e-mail accounts in lieu of free, web-based accounts.
Be careful what you post to social media and company websites, especially job duties and descriptions, hierarchal information, and out-of-office details.
Be suspicious of requests for secrecy or pressure to take action quickly.
Consider additional IT and financial security procedures, including the implementation of a two-step verification process. For example:

Out-of-Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this two-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
Digital Signatures: Both entities on EACH side of a transaction should utilize digital signatures. This will not work with web-based e-mail accounts. Additionally, some countries ban or limit the use of encryption.

Immediately report and delete unsolicited e-mail (spam) from unknown parties. DO NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give subjects access to your computer system.
Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
Consider implementing two-factor authentication for corporate e-mail accounts. Two-factor authentication mitigates the threat of a subject gaining access to an employee’s e-mail account through a compromised password by requiring two pieces of information to log in: (1) something you know (a password) and (2) something you have (such as a dynamic PIN or code).
Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been through company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail. For example, a detection system for legitimate e-mail of abc_company.com would flag fraudulent e-mail from abc-company.com.
Register all company domains that are slightly different than the actual company domain.
Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel.
Confirm requests for transfers of funds. When using phone verification as part of two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request.
Know the habits of your customers, including the details of, reasons behind, and amount of payments.
Carefully scrutinize all e-mail requests for transfers of funds to determine if the requests are out of the ordinary.