This blog series is dedicated to sharing real-world stories of the most serious cases of stolen identities — and just how devastating these crimes can be on organizations, individuals, and families. Our latest post describes how sophisticated business email ruses are resulting in billions in losses each year.
Business Email Compromises Cheat Even Most Vigilant Professionals
In August 2019, 80 suspects in a massive Business Email Compromise (BEC) and money-laundering fraud operation based in Los Angeles were charged with conspiracy to steal upwards of $46 million.
U.S. law enforcement officials have apprehended some of the culprits, mostly Nigerian nationals, and charged them with BEC fraud, romance scams, and fraudulent activities specifically targeting the elderly. Prosecutors revealed that businesses large and small worldwide were targeted, including realtors and legal firms. Some victims lost hundreds of thousands of dollars. According to U.S. Attorney Nick Hanna, “BEC scammers used hacked email accounts to convince businesses or individuals to make payments that were either completely bogus, or that should have otherwise been paid to legitimate companies.”
How Business Email Scams Work
The FBI has identified a four-step process used by Business Email Compromise thieves to infiltrate a business.
Step 1: Criminals identify a target business and exploit publicly available online information to profile the company and its executives.
Step 2: In a “grooming phase,” criminals send sophisticated spear-phishing emails or make telephone calls targeting company officials. The attackers typically seek to compromise a legitimate email account (often the CEO’s, or that of someone in the finance department).
Step 3: Once they have gained the trust of the target employee(s), fraudsters trick them, or the company’s business partners, into wiring funds or sending checks to accounts the fraudsters control.
Step 4: Funds are redirected to a bank account controlled by the criminal enterprise and then distributed to other accounts that are nearly impossible to trace.
BEC fraudsters use phony HTML emails and websites, fake business statements, invoices, and phone lines, and deploy manipulation and pressure tactics that prey on human emotions. Their efforts have paid off. According to an FBI public service announcement, there was a 100% uptick in identified global exposed losses related to BEC between May 2018 and July 2019. And between June 2016 and July 2019, there were 166,349 domestic and international cases of BEC generating $26.2 billion in total exposed monetary losses. BEC scams are now the biggest problem for U.S. companies, far outpacing ransomware attacks.
Employee Tax Records Also at Risk
In addition to BEC scams targeting corporate and individual finances, internet crooks may try to exfiltrate Personally Identifiable Information (PII) or employee tax records so they can file false tax returns or sell stolen data online through the Dark Web. In 2019, as part of its investigation of a massive identity theft and tax-fraud scheme, law enforcement officials found that more than 250,000 identities were stolen and used to file more than 10,000 fraudulent tax returns.
What Should You Do to Protect Your Company from BEC?
The financial impact from identity theft to your business may not be readily detected, as patient and well-organized criminals may sit on the identities they have stolen for some period of time before “going live.” Here are four steps that your organization can take to protect itself against losses from BEC scams:
- Develop and implement a company-wide security awareness program. Make it everyone’s priority to protect company information for the benefit of your employees, your customers, and the long-term health of your business.
- Don’t rely on email alone: confirm requests for transfers of funds by using phone verification or face-to-face meetings. Only use previously known phone numbers to authenticate transfer requests and verify the requests in person whenever possible. Don’t be duped by a vishing phone scam that continues the fraud introduced by the email.
- Carefully scrutinize all email requests for the transfer of funds. Check to see if there are small variations in the email addresses that are out of the ordinary.
- Harden your networks, especially for mobile. Threats to mobile devices may include rogue applications, spyware, unsecured Wi-Fi connections, and even fake networks. Employee mobile devices used for business email and other work purposes are easy targets for cyberthieves, creating numerous gateways into your network.
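The third step above, scrutinizing sender addresses for small variations, is something a mail gateway or a finance team’s inbox rule can do automatically. The following is an added example, not code from IdentityForce or Sontiq: it parses an email’s headers, compares the From domain against an allowlist of known partner domains (after undoing common character swaps such as “rn” for “m” or “1” for “l”, and allowing a small edit distance), and also flags a Reply-To domain that differs from the From domain, a pattern the post does not mention but that accompanies many payment-redirection emails. The allowlist, the confusable-character table, and the sample message are all constructed for illustration.

```python
"""Flag lookalike sender domains and mismatched Reply-To headers (added example)."""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Constructed allowlist: domains of partners who legitimately send payment requests.
KNOWN_DOMAINS = {"example-partner.com", "acme-supplies.com"}

# Constructed table of character swaps that make one domain look like another.
# Applied to both sides before comparison so the check is symmetric.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lower-case, strip accents/non-ASCII, and undo common confusable swaps."""
    ascii_form = (unicodedata.normalize("NFKD", domain)
                  .encode("ascii", "ignore").decode().lower())
    for lookalike, real in CONFUSABLES.items():
        ascii_form = ascii_form.replace(lookalike, real)
    return ascii_form


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_domain(domain: str, known=KNOWN_DOMAINS, max_distance: int = 2) -> str:
    """Return 'known', 'lookalike:<target>' or 'unknown' for a sender domain."""
    domain = domain.lower()
    if domain in known:
        return "known"
    norm = normalize(domain)
    for target in known:
        if norm == normalize(target) or levenshtein(norm, target) <= max_distance:
            return f"lookalike:{target}"
    return "unknown"


def _domain_of(header_value: str) -> str:
    """Extract the domain part of an address header such as From or Reply-To."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_message(raw_message: str, known=KNOWN_DOMAINS) -> list:
    """Return human-readable findings for a raw RFC 822 message (empty list = clean)."""
    msg = message_from_string(raw_message)
    findings = []
    from_domain = _domain_of(msg.get("From"))
    verdict = classify_domain(from_domain, known)
    if verdict.startswith("lookalike:"):
        findings.append(f"From domain '{from_domain}' resembles known partner "
                        f"'{verdict.split(':', 1)[1]}'")
    reply_to_domain = _domain_of(msg.get("Reply-To"))
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_to_domain}' differs from "
                        f"From domain '{from_domain}'")
    return findings


# Constructed sample: a lookalike From address plus a redirected Reply-To.
SAMPLE_MESSAGE = """From: "Jane Doe, CFO" <jane.doe@exarnple-partner.com>
Reply-To: accounts@secure-mail-update.net
To: payables@victim-company.test
Subject: Urgent: updated wire instructions

Please send today's payment to the new account below.
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE_MESSAGE):
        print("FLAG:", finding)
```

Any message that produces findings should be routed to the out-of-band verification step described in the second bullet (a call to a previously known number) rather than acted on; the checker is a prompt for that process, not a replacement for it.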
BEC scams are on the rise, and companies need to carefully safeguard their employees’ PII and tax data as well as company financial data. Today’s cybercriminals clearly appear to be focusing on higher-value business targets than ever before. Although digital crime can create disruption throughout your business, there are a number of available early detection and remediation tools from Sontiq, IdentityForce’s parent company, that can help protect against the risk of cybercrime — and the toll it can take on your business and your employees.
Worried that your PII may have been compromised through a business security incident? IdentityForce helps protect you from identity theft. We’re always monitoring your personal information to safeguard your identity, privacy, and credit, and will rapidly alert you to any suspicious activity. And, if the worst should happen, we’ll help restore any damage that is done. Enroll in your Free 30-Day Trial today — it’s fast and easy.