www.scmagazine.com
2606:4700:20::681a:3d7  Public Scan

Submitted URL: https://go.scmagazine.com/MTg4LVVOWi02NjAAAAGEV-tEoXYE8lXmvXL3kklcmXONxpNbCox_fWqCZfSW7bcV0SnKGmdHQ1NVmpeBehcZsrssxgU=
Effective URL: https://www.scmagazine.com/analysis/email-security/business-email-compromise-scams-netted-43-billion-in-losses-as-new-varia...
Submission: On May 13 via api from CH — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content


Email security, Social engineering, Cybercrime


BUSINESS EMAIL COMPROMISE SCAMS NETTED $43 BILLION IN LOSSES AS NEW VARIATIONS
EMERGE, FBI SAYS

Karen Hoffman, May 9, 2022
Losses from business email compromise scams increased 65% from 2016 to 2021,
according to the FBI. Pictured: Workers prepare a presentation of advanced email
at the CeBIT 2012 technology trade fair on March 5, 2012, in Hanover, Germany.
(Photo by Sean Gallup/Getty Images)

Long the bane of the financial industry, business email compromise (BEC) is
getting worse, as savvy cybercriminals find sly new avenues to make their
fraudulent requests appear believable.

BEC scams jumped a whopping 65% to a total of $43 billion in losses worldwide in
just five years, from 2016 to 2021, according to a public service announcement
and report released by the FBI late last week. The findings are based on
Internet Crime Complaint Center (IC3) data and complaints, which IC3 has been
compiling since October 2013. While virtually all forms of cybercrime have risen
in recent months, the advanced approaches and level of loss from BEC concern
industry onlookers.

“The latest report from the FBI on business email compromise is disturbing, but
not surprising,” said Gary McAlum, senior analyst for TAG Cyber. “BEC is just
another form of social engineering that has increasingly become more
sophisticated and profitable over time, quickly outpacing email security systems
and employee training programs.”

As online thieves have leveled up, BEC scams have become the “costliest
cyberattacks,” according to the IC3’s research. More advanced scam artists are
using deepfake voice technology, website spoofing, and fraudulent social media
and employee profiles to support their phishing emails and make them appear more
believable, according to Tari Schreider, strategic advisor for Aite Novarica.

“Fraudsters perpetrate BEC scams based on illusion ... that can be months in the
making to trick a company executive into believing the financial request to wire
money is legitimate,” Schreider said, adding that it typically begins with bad
actors infiltrating a company’s network and creating fake receivable accounts.

“Deep fakes can be used to synthetically create a voice impersonation of the
executive to confirm payment authorization,” Schreider said. “Next, fake but
very real-looking businesses can be created, including websites, LinkedIn
accounts, employee profiles, phone numbers. ... Once all the components of the
cyber-grift are in place, it is executed.”

IC3 also reported the percentage of cryptocurrency-based complaints and losses
increased significantly in 2021, with cybercriminals opting to request funds in
the form of cryptocurrency because these transactions can occur quickly and tend
to lack an audit trail. Cybercriminals have stolen cryptocurrency through both
direct transfers to a crypto exchange and indirect, or “second hop,” transfers
to an exchange, according to the IC3’s findings.

Many so-called cyber-grifters are pushing the boundaries of traditional BEC
schemes, which tend to target businesses and individuals in finance, payroll or
accounts payable who often respond to funds-transfer requests. The IC3 research
found that these scams often incorporate more social engineering, as well as
hijacking or mimicking legitimate business email accounts. The IC3 also noted
that bad actors might acquire employee PII or tax information to add realism to
their requests.

However, perhaps most troubling is that BEC seems to be flourishing largely
under the radar because it has been (and continues to be) so tough to pinpoint,
even after the fact. Although any phishing attack can do a great deal of harm,
“they are not all created equally,” according to Patrick Sweeney, global head of
Cloudflare Area 1 Security.

While BEC may not be splashed across mainstream news reports as frequently as
ransomware, “BEC attacks are very difficult to detect because they are not as
blatant as clicking on a suspicious link, nor do they usually have any payload
to identify,” Sweeney said.

“In fact, BECs utilize trust that you have already established with outside
institutions,” he concluded. “They create very low signals that don’t typically
rise to the top of a defender’s alert list, and tend to blend in with the usual
noise of corporate email traffic.”

