2 min read
FBI issues warning on surging BEC scams causing $55 billion in losses
Farah Amod Sep 24, 2024 6:44:12 PM
The Federal Bureau of Investigation (FBI) has warned businesses, urging them to bolster their defenses against business email compromise (BEC) attacks that have collectively resulted in over $55.5 billion in losses over the past decade.
What happened
The FBI's Internet Crime Complaint Center (IC3) reported that between October 2013 and December 2023, more than 305,000 domestic and international BEC incidents were recorded, resulting in $55.499 billion in losses. In the United States alone, there have been 158,436 victims of BEC attacks, accounting for over $20 billion in losses. These figures are likely just the tip of the iceberg, as not all BEC incidents are reported to the IC3.
The growth in BEC attacks has been relentless, with a 9% increase in global losses recorded between December 2022 and December 2023. A factor contributing to this surge was the rise in BEC reporting where funds were sent directly to financial institutions holding custodial accounts managed by third-party payment processors and cryptocurrency exchanges.
In the know
The BEC scam is a complex and devious attack vector that preys on the trust and vulnerabilities within business email communications. Cybercriminals typically initiate these attacks through phishing attempts, using social engineering techniques to compromise email accounts. Once access is gained, the attackers meticulously study the account's communication patterns, hijack message threads, and impersonate the account holder to execute fraudulent wire transfers.
Their tactics often involve targeting individuals responsible for funds transfers, such as members of the finance team, and tricking them into sending money to attacker-controlled accounts. These accounts may be located domestically or internationally, with a preference for banks in the United Kingdom, Hong Kong, China, Mexico, and the United Arab Emirates. The speed at which the funds are then rapidly transferred to other financial institutions makes it extremely challenging to recover the stolen assets.
What was said
In response to the threat, the FBI has provided a set of recommendations to help businesses strengthen their defenses against BEC attacks. The steps include:
- Implementing access controls: Ensuring all accounts are protected by unique, complex passwords or passphrases that are changed periodically, and enabling multifactor authentication.
- Enhancing email security: Deploying effective spam filtering and anti-phishing solutions to block initial account compromises, and providing security awareness training to employees.
- Verifying email authenticity: Carefully scrutinizing the URLs, email addresses, and hyperlinks in incoming messages to ensure they align with the purported sender.
- Reinforcing financial controls: Utilizing secondary channels and two-factor authentication to verify any requests to change account information, and regularly reviewing financial accounts for irregularities.
- Reporting and recovery: If fraudulent transfers are identified, immediately contact the relevant financial institution to freeze the funds and report the incident to the IC3, which may be able to assist in the recovery process.
Why it matters
The growing threat of business email compromise (BEC) presents a serious danger to organizations of all sizes, from small businesses to large corporations. The financial impact of these scams can be overwhelming, potentially disrupting operations and threatening an organization’s financial health. Beyond the immediate monetary losses, a successful BEC attack can also lead to reputational harm, straining relationships with customers, partners, and stakeholders.
Dealing with BEC requires more than just technical solutions. It demands a well-rounded strategy that includes strong security measures, effective awareness training, and a proactive approach. By paying attention to FBI warnings and adopting recommended best practices, businesses can strengthen their defenses against these sophisticated attacks and protect both their finances and reputation.
FAQs
What is a BEC attack and why is it particularly dangerous for healthcare organizations?
A BEC attack is when cybercriminals gain control of a business email account to trick others into sending sensitive information or money. It's especially dangerous for healthcare because it can expose protected health information (PHI), disrupt operations, and cause financial losses.
What are the common tactics used by cybercriminals in BEC attacks targeting healthcare organizations?
Cybercriminals use tactics like phishing emails, spoofed email addresses, and social engineering. They often target executives, finance departments, and administrators, posing as trusted contacts to deceive them into sharing information or making unauthorized transactions.
How can healthcare organizations identify potential BEC attacks?
Healthcare organizations can spot BEC attacks by looking for unexpected requests for sensitive information or money, slight variations in email addresses, and urgent or pressuring messages. Using advanced email security tools and training employees to recognize suspicious emails are also imperative.