The Financial Crimes Enforcement Network ("FinCEN") issued an advisory and trend analysis alerting financial institutions to a recent surge in business email compromise ("BEC") incidents, as reported in suspicious activity reports. According to FinCEN, these reported attacks climbed from 500 per month in 2016 to over 1,100 per month in 2018, with attempted BEC thefts increasing from $110 million per month in 2016 to $301 million monthly in 2018.
According to the advisory and analysis, a BEC scam typically involves a cyber criminal emailing false invoices or payment instructions to an individual or business while impersonating a supervisor, vendor or other legitimate third party. Once payment is made, the proceeds are diverted to a criminal-controlled account. Sometimes the emails originate from genuinely compromised ("hacked") accounts, so they arrive from a real mailbox and pass ordinary sender checks; at other times they are spoofed, using a forged sender or a lookalike domain, to appear as communications from trusted sources. Victims can include businesses, government agencies, universities and non-profits, often those that make frequent wire transfers. Most BEC incidents reportedly involve transfers to domestic accounts in the United States, likely controlled by "money mules."
Hardest hit was the manufacturing and construction sector, with increased attacks reported on professional services and real estate firms. BEC attacks against financial institutions reportedly dropped in the past year, potentially reflecting the increased sophistication of employees and systems in identifying the scam. FinCEN's advisory recommended that businesses remain on high alert for BEC scams, particularly with regard to wire transfer transactions, but also for scams involving cryptocurrency, gift cards and other financial products.
Commentary / Joseph V. Moreno
While headline-grabbing ransomware attacks are what many financial institutions think of when hacks come to mind, it is important to remember there are a wide variety of fraudulent cyber schemes out there. As with most ransomware attacks, BEC scams are email-based and prevention falls on both system screening and user behavior. Technology-based cyber tools such as digital signatures and email encryption can often be effectively deployed within an enterprise, but use of such technologies with third parties such as vendors and suppliers can be difficult. User training to spot fraudulent email transmissions and implementation of internal controls such as requiring multiple points of contact to verify and approve payments are ways to decrease the likelihood of falling victim to a BEC scam. For more information about avoiding BEC fraud, visit the FBI's information page.