Business email compromise (BEC) is a sophisticated type of phishing that uses social engineering and deception to obtain access to sensitive accounts, networks, and data. In these attacks, bad actors pose as organization executives to request funds transfers from other members of the organization. Playing on the trust that employees place in executives, this scam demands that the attacker gather information about the structure of the organization and the individual they plan to impersonate.
The FBI’s Internet Crime Complaint Center (IC3) recently published a public service announcement breaking down statistical data on BEC attacks based on the past ten years of reports. The alert emphasizes the significant financial impact of BEC attacks and explores tips and best practices against them.
Risks and Consequences of BEC Attacks
With phishing and other social engineering attacks, goals and methods can vary, leading to a wide range of potential repercussions for the target. In the case of BEC, the attacker usually wants one specific thing: an urgent transfer of funds into their account. However, just because the aim of BEC is typically more singular does not mean it can’t have far-reaching impacts.
The consequences of BEC attacks can include:
- Financial Losses: The most common and the most obvious goal of BEC attacks is to obtain funds by deceiving an employee into completing a transaction that they believe is for their boss. The financial impact of BEC can be extreme, such as the recent case of a Singapore firm losing (and then recovering) over $40 million USD.
- Compromised Data: Bad actors often need to obtain sensitive organization data in order to even begin a BEC attack, as they require access to an executive’s account. Once they gain access, they have the power to compromise sensitive data even further, endangering data such as Personally Identifiable Information (PII) and Protected Health Information (PHI).
- Reputational Damage: Organizations that find themselves falling victim to a BEC attack can lose esteem among industry peers and customers alike in response to their inability to prevent such a security incident.
- Legal and Regulatory Repercussions: Based on relevant industry regulations and laws, organizations that experience BEC attacks may not be fully compliant with cybersecurity requirements. Consequences of noncompliance can include large fines and legal action against organizations and responsible individuals.
Internet Crime Complaint Center BEC PSA
The FBI’s Internet Crime Complaint Center takes reports of BEC attacks, and the recent PSA analyzes data from those reports over the past ten years, from October 2013 to December 2023. This includes examinations of BEC incidents and exposed losses, both globally and broken down by region. The IC3 data shows complaints of BEC attacks in all 50 U.S. states and 186 countries across the world.
Some of the key insights provided by the PSA include:
- Attackers often used international banks located in the United Kingdom, Hong Kong, China, Mexico, and the United Arab Emirates as intermediary stops for the transfer of funds.
- The number of total domestic and international BEC incidents reported and derived from financial institution records exceeded 300,000, with a global exposed dollar loss of over $55 billion.
- Over 150,000 U.S. victims submitted victim complaints with total financial losses exceeding $20 million, alongside 6,546 international victims with a total exposed dollar loss around $1.6 million.
- The financial transaction component of the IC3 complaint form, which was introduced in June 2016, brought in almost 90,000 U.S. complaints and over 22,000 international reports, with total exposed dollar losses of $17.5 billion and nearly $9 billion, respectively.
Preventing and Mitigating BEC Attacks
The PSA from the IC3 offers advice on protecting against BEC attacks with both proactive and reactive measures, aiming to prevent these incidents where possible and minimize damage when attacks are successful.
To protect against the consequences of a BEC attack after a fraudulent transfer is made, it is crucial to contact the financial institution and request the funds be recalled. Depending on the institution and its policies, victims of BEC attacks may receive varying levels of assistance. It is also recommended for targets of BEC attacks to file a complaint with the IC3 as soon as possible, enabling the FBI to potentially assist in freezing the funds.
Preventing BEC attacks requires many of the same measures as preventing any other phishing attack. Some of the IC3’s advice and other best practices include:
- Use multi-factor authentication to verify any requests for changing account information.
- Ensure that your passwords are unique, difficult to guess, and changed regularly.
- Double-check sender email addresses and other details to be certain that the email is from the person you think it is from. Look for misspellings or typos in domain names and link URLs.
- Do not provide sensitive information such as PII, PHI, or financial information over email.
- Monitor financial accounts for irregular transactions or missing deposits.
- Independently confirm any requests for funds—call your boss to ask if that email was really from them, for example.
- Organizations should ensure that their employees receive effective training in identifying and avoiding phishing attacks, including ones that use sophisticated tactics and advanced technology.
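One way to automate the sender checks in the list above, as an added example that is not part of the article or the IC3 PSA: it parses the From and Reply-To headers of an inbound message and flags an executive's display name on a foreign address, a domain one or two typos away from the organization's, and a Reply-To that silently redirects replies elsewhere. The organization domain, the executive list and the sample headers are assumptions constructed for the demonstration.

```python
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumed organization domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}   # assumed display-name -> real address

def normalize(domain: str) -> str:
    """Fold common look-alike substitutions so 'examp1e' compares as 'example'."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")):
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; fine for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(headers: dict) -> list:
    """Return the reasons a message looks like executive impersonation ([] if none)."""
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # 1. An executive's display name on an address that is not their real one.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        reasons.append(f"display name '{name}' but address {addr}")
    # 2. A domain one or two typos (or a character swap) away from ours.
    if domain != ORG_DOMAIN and edit_distance(normalize(domain), normalize(ORG_DOMAIN)) <= 2:
        reasons.append(f"lookalike domain {domain}")
    # 3. Replies silently redirected to a different domain than the visible sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        reasons.append(f"Reply-To {reply} differs from From domain")
    return reasons

SAMPLES = [  # constructed sample headers, not real messages
    {"From": "Jane Doe <jane.doe@example.com>"},
    {"From": "Jane Doe <jane.doe@examp1e.com>"},
    {"From": "Jane Doe <jane.doe@example.com>", "Reply-To": "ceo.urgent@freemail.test"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["From"], "->", check_sender(sample) or "no findings")
```

A flagged message is a candidate for the independent confirmation the list recommends, not proof of fraud; legitimate partners with similar domain names will also trip the distance check.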
Conclusion
BEC attacks can cause catastrophic damage to an organization or individual, financially and otherwise. Lately, BEC has been getting more and more sophisticated, with bad actors spending months learning everything they can about the target organization and gaining access to executive accounts. With the help of IC3’s statistical data and advice on protecting against BEC, you can avoid falling victim to these attacks and losing large amounts of money.
To learn more about statistical trends in BEC attacks, read about 2023 Business Email Compromise Statistics here.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.