The Federal Bureau of Investigation (FBI) has warned businesses, urging them to bolster their defenses against business email compromise (BEC) attacks that have collectively resulted in over $55.5 billion in losses over the past decade.
The FBI's Internet Crime Complaint Center (IC3) reported that between October 2013 and December 2023, more than 305,000 domestic and international BEC incidents were recorded, resulting in $55.499 billion in losses. In the United States alone, there have been 158,436 victims of BEC attacks, accounting for over $20 billion in losses. These figures are likely just the tip of the iceberg, as not all BEC incidents are reported to the IC3.
The growth in BEC attacks has been relentless, with a 9% increase in global losses recorded between December 2022 and December 2023. A factor contributing to this surge was the rise in BEC reporting where funds were sent directly to financial institutions holding custodial accounts managed by third-party payment processors and cryptocurrency exchanges.
The BEC scam is a complex and devious attack vector that preys on the trust and vulnerabilities within business email communications. Cybercriminals typically initiate these attacks through phishing attempts, using social engineering techniques to compromise email accounts. Once access is gained, the attackers meticulously study the account's communication patterns, hijack message threads, and impersonate the account holder to execute fraudulent wire transfers.
Their tactics often involve targeting individuals responsible for funds transfers, such as members of the finance team, and tricking them into sending money to attacker-controlled accounts. These accounts may be located domestically or internationally, with a preference for banks in the United Kingdom, Hong Kong, China, Mexico, and the United Arab Emirates. The funds are then rapidly moved on to other financial institutions, which makes recovering the stolen assets extremely difficult.
In response to the threat, the FBI has provided a set of recommendations to help businesses strengthen their defenses against BEC attacks. The steps include:
The growing threat of business email compromise (BEC) presents a serious danger to organizations of all sizes, from small businesses to large corporations. The financial impact of these scams can be overwhelming, potentially disrupting operations and threatening an organization’s financial health. Beyond the immediate monetary losses, a successful BEC attack can also lead to reputational harm, straining relationships with customers, partners, and stakeholders.
Dealing with BEC requires more than just technical solutions. It demands a well-rounded strategy that includes strong security measures, effective awareness training, and a proactive approach. By paying attention to FBI warnings and adopting recommended best practices, businesses can strengthen their defenses against these sophisticated attacks and protect both their finances and reputation.
A BEC attack is when cybercriminals gain control of a business email account to trick others into sending sensitive information or money. It's especially dangerous for healthcare because it can expose protected health information (PHI), disrupt operations, and cause financial losses.
Cybercriminals use tactics like phishing emails, spoofed email addresses, and social engineering. They often target executives, finance departments, and administrators, posing as trusted contacts to deceive them into sharing information or making unauthorized transactions.
Healthcare organizations can spot BEC attacks by looking for unexpected requests for sensitive information or money, slight variations in email addresses, and urgent or pressuring messages. Using advanced email security tools and training employees to recognize suspicious emails are also imperative.
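As an added defensive example that is not part of the FBI advisory or this article, the Python below flags the sender-address indicators mentioned above: a sender domain that is a near-miss of a known partner's, substituted look-alike characters, and a display name that claims a different address than the one the mail actually came from. The partner domains and sample header are constructed for illustration.

```python
from email.utils import parseaddr
import re

# Constructed list of domains this organization legitimately exchanges mail
# with (hypothetical names, not from the original article).
TRUSTED_DOMAINS = ("acme-billing.com", "example-hospital.org")

# Character swaps commonly used to build look-alike domains, folded to the
# letters they imitate so the spoof compares equal to the real domain.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 usually means a typo-squatted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from: str) -> tuple[str, str]:
    """Return (verdict, reason) for a raw From: header value."""
    name, addr = parseaddr(header_from)
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    if not domain:
        return "suspicious", "no parseable address"
    # Display name carries an address whose domain differs from the real sender.
    claimed = re.search(r"@([\w.-]+)", name)
    if claimed and claimed.group(1).lower() != domain:
        return "spoofed", f"display name claims {claimed.group(1)} but address is {domain}"
    if domain in TRUSTED_DOMAINS:
        return "trusted", f"{domain} is a known partner domain"
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == normalize(trusted):
            return "lookalike", f"{domain} imitates {trusted} with substituted characters"
        if edit_distance(norm, normalize(trusted)) <= 2:
            return "lookalike", f"{domain} is within two edits of {trusted}"
    return "unknown", f"{domain} is not a known partner domain"


if __name__ == "__main__":  # constructed sample header: typo-squat of a partner
    print(classify_sender("AP Team <ap@acme-billing.co>"))
```

Anything other than "trusted" is a cue to verify the request out of band before acting on it.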