Business email compromise scams cost American organizations over US$1.8 billion last year, according to a report from the FBI.
In its annual Internet Crimes Report, the agency said it received 19,369 complaints categorized as business email compromise (BEC)/email account compromise (EAC), which involve persuading individuals to unwittingly transfer funds to accounts controlled by crooks.
The scam often involves an attacker compromising a legitimate business email account through social engineering or hacking. Victims are then sent a message that appears to come from a person they expect to get a request from.
The report notes that as fraudsters have become more sophisticated, the BEC/EAC scheme has evolved. In 2013, they routinely began attacks by hacking or spoofing the email accounts of chief executive or chief financial officers. Fraudulent emails were sent requesting wire payments. Over the years, the scam evolved to include compromise of personal emails, compromise of vendor emails, spoofed lawyer email accounts, requests for employee information, the targeting of the real estate sector, and fraudulent requests for large amounts of gift cards.
Last year the FBI saw an increase in BEC/EAC complaints involving identity theft and funds being converted to cryptocurrency. In these variations, the initial victim is first scammed in a non-BEC/EAC situation, such as an extortion, tech support or romance scam, in which the victim provides a form of ID to a bad actor. That identifying information is then used to establish a bank account to receive stolen BEC/EAC funds. Those funds are then transferred to a cryptocurrency account.
The FBI emphasizes the importance of victims notifying the Internet Crime Complaint Center (IC3) and their financial institution because, in many cases, money can be recovered. Out of 1,300 incidents last year involving $462 million, the agency was able to freeze 82 per cent of the funds.
For example, in June 2020, the IC3 received a company complaint regarding a wire transfer of $60 million to a fraudulent overseas bank account in Hong Kong. The Legal Attaché of Hong Kong and Hong Kong banking and law enforcement agencies were notified and the transfer was prevented from being deposited. The funds were returned to the victim.
Overall, the FBI’s IC3 received 791,790 complaints of suspected internet crime last year, an increase of more than 300,000 complaints from 2019, and reported losses exceeding $4.2 billion. The top three crimes reported by victims in 2020 were phishing scams, non-payment/non-delivery scams, and extortion.
Phony tech support
The report also says phony tech support fraud continues to be a growing problem. Crooks pose as customer support for financial institutions, utility companies, or virtual currency exchanges. Many victims report being directed to make wire transfers to overseas accounts or purchase large amounts of prepaid cards. In 2020 the IC3 received 15,421 complaints related to tech support fraud from victims in 60 countries. The losses amounted to over $146 million, a 171 per cent increase in losses from 2019.
While these scams often involve a call centre outside the U.S., the FBI and the Justice Department have had some success in charging individuals. For example, the report notes that four Americans and the head of a call centre in India have been charged in connection with an operation linked to over 15,000 victims with losses of approximately $7 million.