Internet crime is ever present, and with the ongoing pandemic, levels of scams and fraud were exceptionally high in 2020. Opportunistic fraudsters didn't give a second thought to riding the COVID-19 wave and preying upon those who are truly in need of help, or those who truly want to help.
The Internet Crime Complaint Center (IC3), an arm of the FBI where internet users can report online fraud crimes, recently released the 2020 Internet Crime Report, an annual report that contains high-level information on suspected fraud cases reported to them and their losses. A state-by-state statistical breakdown of these cases were included in an accompanying report, 2020 State Reports, that you can browse through here.
The IC3 has found that the three biggest complaints they received in 2020 are phishing scams, which garnered the highest number of complaints (241,342), ransomware (2,474), and, perhaps the most striking of these, Business Email Compromise (BEC) (19,369). It's striking, not because of the number of complaints but because BEC scams recorded the highest total losses by victims, at roughly $1.8 billion USD. Although phishing led to the highest number of complaints, victims "only" lost $54 million USD, a fraction of the money lost to BEC scams.
According to IC3, BEC can also be called Email Account Compromise (EAC). It may or may not involve a layered attack, depending on how a threat actor can better mimic the person they're spoofing, and how much their target employee would be able to buy into the overall deception.
It starts off with an email, either from a compromised account or spoofed address, to make it look like it originated from a particular sender. The threat actor, usually posing as a higher-up within a company, contacts a more junior employee in the company who is cleared to perform funds transfers. The attacker gives the junior employee a plausible but urgent instruction to make a large, confidential transfer of money to a fake supplier.
"In 2020, the IC3 observed an increase in the number of BEC/EAC complaints related to the use of identity theft and funds being converted to cryptocurrency," according to the report. "In these variations, we saw an initial victim being scammed in non-BEC/EAC situations to include Extortion, Tech Support, Romance scams, etc., that involved a victim providing a form of ID to a bad actor. That identifying information was then used to establish a bank account to receive stolen BEC/EAC funds and then transferred to a cryptocurrency account."
We remind businesses, regardless of sector, to be aware of BEC attack trends and be very vigilant in combatting it. BEC scams rely, in part, on the pressure that junior employees feel when asked to comply with demands from senior employees, and told not to alert anyone else. Employees should be empowered to seek advice and take the time they need.
Also, if your company doesn't have an extra layer or two of authentication before the request to transfer money is green-lit, put one in place now. A phone or video call is ideal.
True, these steps introduce a bit of friction into your company processes, but a little inconvenience and delay could your company millions of dollars.