www.scmagazine.com
2606:4700:20::681a:3d7
Public Scan
Submitted URL: https://go.scmagazine.com/MTg4LVVOWi02NjAAAAGEV-tEoXYE8lXmvXL3kklcmXONxpNbCox_fWqCZfSW7bcV0SnKGmdHQ1NVmpeBehcZsrssxgU=
Effective URL: https://www.scmagazine.com/analysis/email-security/business-email-compromise-scams-netted-43-billion-in-losses-as-new-varia...
Submission: On May 13 via api from CH — Scanned from DE
Form analysis
0 forms found in the DOM
Text Content
Email security, Social engineering, Cybercrime

BUSINESS EMAIL COMPROMISE SCAMS NETTED $43 BILLION IN LOSSES AS NEW VARIATIONS EMERGE, FBI SAYS

Karen Hoffman, May 9, 2022

Losses from business email compromise scams increased 65% from 2016 to 2021, according to the FBI. Pictured: Workers prepare a presentation of advanced email at the CeBIT 2012 technology trade fair on March 5, 2012, in Hanover, Germany. (Photo by Sean Gallup/Getty Images)

Long the bane of the financial industry, business email compromise (BEC) is getting worse, as savvy cybercriminals find sly new avenues to make their fraudulent requests appear believable.

BEC scams jumped a whopping 65% to a total of $43 billion in losses worldwide in just five years, from 2016 to 2021, according to a public service announcement and report released by the FBI late last week. The findings are based on Internet Crime Complaint Center (IC3) data and complaints, which IC3 has been compiling since October 2013.

While virtually all forms of cybercrime have risen in recent months, the advanced approaches and level of loss from BEC concern industry onlookers.

“The latest report from the FBI on business email compromise is disturbing, but not surprising,” said Gary McAlum, senior analyst for TAG Cyber. “BEC is just another form of social engineering that has increasingly become more sophisticated and profitable over time, quickly outpacing email security systems and employee training programs.”

As online thieves have leveled up, BEC scams have become the “costliest cyberattacks,” according to the IC3’s research.
More advanced scam artists are using deep fake voice technology, website spoofing, fraudulent social media and employee profiles to support their phishing emails and make them appear more believable, according to Tari Schreider, strategic advisor for Aite Novarica.

“Fraudsters perpetrate BEC scams based on illusion ... that can be months in the making to trick a company executive into believing the financial request to wire money is legitimate,” Schreider said, adding that it typically begins with bad actors infiltrating a company’s network and creating fake receivable accounts.

“Deep fakes can be used to synthetically create a voice impersonation of the executive to confirm payment authorization,” Schreider said. “Next, fake but very real-looking businesses can be created, including websites, LinkedIn accounts, employee profiles, phone numbers. ... Once all the components of the cyber-grift are in place, it is executed.”

IC3 also reported the percentage of cryptocurrency-based complaints and losses increased significantly in 2021, with cybercriminals opting to request funds in the form of cryptocurrency because these transactions can occur quickly and tend to lack an audit trail. Cybercriminals have stolen cryptocurrency through both direct transfers to a crypto exchange and indirect or “second hop” transfers to an exchange, according to the IC3’s findings.

Many so-called cyber-grifters are pushing the boundaries of traditional BEC schemes, which tend to target businesses and individuals in finance, payroll or accounts payable who often respond to funds-transfer requests. The IC3 research found that these scams often incorporate more social engineering, as well as hijacking or mimicking legitimate business email accounts. The IC3 also noted that bad actors might acquire employee PII or tax information to add realism to their requests.
However, perhaps most troubling is that BEC seems to be flourishing largely under the radar because it has been (and continues to be) so tough to pinpoint, even after the fact.

Although any phishing attack can do a great deal of harm, “they are not all created equally,” according to Patrick Sweeney, global head of Cloudflare Area 1 Security. While BEC may not be splashed across mainstream news reports as frequently as ransomware, “BEC attacks are very difficult to detect because they are not as blatant as clicking on a suspicious link, nor do they usually have any payload to identify,” Sweeney said.

“In fact, BECs utilize trust that you have already established with outside institutions,” he concluded. “They create very low signals that don’t typically rise to the top of a defender’s alert list, and tend to blend in with the usual noise of corporate email traffic.”
Copyright © 2022 CyberRisk Alliance, LLC. All Rights Reserved.