Imagine this scenario: You have an ongoing contractual relationship with a supplier. You communicate with that supplier regularly over email, including receiving invoices. One day you receive an email that states: “We are moving to an ACH payment method. Can you please send your next payment by ACH transfer?” The email provides ACH transfer instructions with a bank account.
You send an email in response with an inquiry. That inquiry is responded to promptly. The email address and the name of the person you are corresponding with is familiar. You have no reason to believe the individual you are corresponding with is not a trusted person from the trusted entity you are doing business with. You make payment of the outstanding invoice by the given ACH transfer instructions.
A week later, you receive an email from the supplier: “When do you expect to make payment on the outstanding invoice? Payment is now overdue.” You double-check your bank account to determine that the payment was sent. You respond to the supplier with a copy of the wire confirmation. The supplier responds: “That’s not our bank account.”
You are horrified when you discover the payment was not made to the trusted supplier, but to an imposter. You contact your bank and the bank attempts to recover the payment. However, the money is long gone.
The Federal Bureau of Investigation (FBI) refers to this type of crime as a business email compromise scheme, or a BEC scheme. BEC schemes involve tricking a company’s employee into clicking on an attachment or a link in an email.
Often BEC scams involve exploiting individuals in financial roles. When the employee clicks on the attachment or link in the email, this releases malware that provides the criminal with access to the employee’s email correspondence. Once the intruder has that access, the intruder studies conversation patterns and invoices and monitors correspondence to determine when a large financial transaction is scheduled to take place.
These legitimate business emails are compromised when the intruder then sends an email posing as a party to the transaction, instructing that the money be wired to a bank account controlled by the imposter. The email address used by the imposter is usually off by a letter or two, or by a change in a number, such as @3brothers.com instead of @threebrothers.com. The change in the email address often goes unnoticed by the unsuspecting victim.
The imposter will immediately respond to any inquiries, further giving the impression that the unsuspecting victim is communicating with the trusted person, when in fact it is the imposter.
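The lookalike-domain trick described above (a sender domain that differs from the supplier's real domain by a letter, or by swapping a number word for a digit) is something a mail gateway or a finance team's inbox rules can screen for. The following is an added example written for this article, not code from the article or from any vendor: it normalizes digit/letter confusables and number words, measures edit distance against a list of trusted supplier domains, and also flags a Reply-To header whose domain does not match the From domain, since a reply that lands in the imposter's mailbox is what makes the "prompt response" convincing. The trusted domain list and the sample message headers are constructed for the example; the @3brothers.com / @threebrothers.com pair is taken from the article's own illustration.

```python
"""Screen From / Reply-To headers for lookalike supplier domains (added example)."""

# Number words that lookalike domains commonly replace with a digit (constructed list).
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}

# Single characters that are visually confusable with a letter (constructed list).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s"})

# Constructed list of the domains your organization already does business with.
TRUSTED_DOMAINS = {"threebrothers.com", "acme-supply.example"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Fold confusable digits to letters, then spell number words as digits,
    so 'threebrothers.com' and '3brothers.com' normalize to the same string."""
    d = domain.strip().lower().translate(CONFUSABLES)
    for word, digit in NUMBER_WORDS.items():
        d = d.replace(word, digit)
    return d


def sender_domain(address: str) -> str:
    """Extract the domain from 'user@domain' or 'Display Name <user@domain>'."""
    addr = address.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rpartition("@")[2].lower()


def classify_sender(address: str, trusted_domains=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return ('trusted', domain), ('lookalike', nearest trusted domain) or ('unknown', None)."""
    dom = sender_domain(address)
    if dom in trusted_domains:
        return "trusted", dom
    norm = normalize_domain(dom)
    best = None
    for trusted in trusted_domains:
        dist = levenshtein(norm, normalize_domain(trusted))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (trusted, dist)
    return ("lookalike", best[0]) if best else ("unknown", None)


def screen_message(headers: dict, trusted_domains=TRUSTED_DOMAINS) -> list:
    """Return human-readable findings for one message's From and Reply-To headers."""
    findings = []
    for field in ("From", "Reply-To"):
        value = headers.get(field)
        if not value:
            continue
        verdict, match = classify_sender(value, trusted_domains)
        if verdict == "lookalike":
            findings.append(f"{field} domain {sender_domain(value)} resembles trusted domain {match}")
    sender, reply_to = headers.get("From"), headers.get("Reply-To")
    if sender and reply_to and sender_domain(sender) != sender_domain(reply_to):
        findings.append("Reply-To domain differs from From domain")
    return findings


# Constructed sample headers; none of these are real messages.
SAMPLE_MESSAGES = [
    {"From": "Ana <ana@threebrothers.com>", "Reply-To": "ana@threebrothers.com"},
    {"From": "Ana <ana@3brothers.com>", "Reply-To": "ana@3brothers.com"},
    {"From": "Ana <ana@threebrothers.com>", "Reply-To": "ana@threebrother.com"},
    {"From": "bob@example.org"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg.get("From"), "->", screen_message(msg) or ["no findings"])
```

Treat a "lookalike" verdict as a hold-and-verify signal rather than an automatic block: the check is deliberately loose (edit distance of two after normalization) so that it catches the one-character and number-word swaps the article describes, and a human confirming the bank change by phone at a previously known number is the control that actually stops the payment.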
This type of scam is on the rise
Business email compromise (BEC) as a cyberattack method is surging. This method is more prevalent than ransomware, and the financial losses are devastating. The 2022 Federal Bureau of Investigation Internet Crime Report states that individuals in the United States lost more than $34.3 million to ransomware in 2022, but lost over $2.7 billion to BEC scams in 2022. The FBI found that BEC attacks make up more than one-quarter of all cybercrime losses in the U.S.
BEC attacks can be carried out by criminals for individual financial gain or by foreign state-backed hackers. For example, North Korea’s hackers have become increasingly sophisticated, and it is believed that revenue from BEC scams has been used to fund North Korea’s nuclear weapons program.
Learn more about who is liable for the financial loss, along with what to do to protect yourself from BEC scams, in part 2 of this series.