Business Email Compromise Contributes To Large Scale Business Losses Nationwide

Business Email Compromise (BEC) schemes have cost victims billions of dollars in fraud losses over the last five years. This activity is a pervasive threat with significant financial losses and a considerable global impact.

What Is BEC?

BEC is a sophisticated scam in which a criminal actor uses email to impersonate a business executive or other employee to request fraudulent payments or obtain access to employee payroll or W2 information. The criminal actor will typically leverage a victim's authority to pressure targets into acting quickly or secretly when handling the transfer. Perpetrators have been known to impersonate business executives, real estate industry representatives, HR staff, law firms, and trusted vendors to initiate or redirect wire transfers to overseas bank accounts. They often adjust the BEC scheme to target specific victims and maximize financial payouts. Criminals also use these techniques to obtain personally identifiable information, which they can sell in Dark Web Marketplaces or use to submit fraudulent tax returns. To perpetuate the scheme, criminals may compromise the email accounts of business employees or they misuse publicly available services to spoof victim e-mail domains.

Consequences Of Participating In These Schemes

The criminal use of email to conduct fraudulent activity is illegal under the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and such activity may also lead to charges of Bank Fraud (18 U.S.C. § 1344), Wire Fraud (18 U.S.C. § 1343), and/or Money Laundering (18 U.S.C. § 1956). Participating in this scheme may result in the following consequences:

• Seizure of computer and other electronic devices
• Seizure of bank accounts
• Penalty, fine, and/or forfeiture of items purchased with fraudulent money
• Significant prison sentence

Steps To Take If You Are A BEC Victim

• Contact the originating bank and request a wire recall
• Immediately file a complaint with www.ic3.gov
• Save all messages and evidence associated with the incident

How To Mitigate Bec Attacks

The following list includes precautionary measures and mitigation strategies for BEC threats:

• Frequently monitor your Email Exchange server for changes in configuration and custom rules for specific accounts
• Consider adding an email banner stating when an email comes from outside your organization so they are easily noticed
• Conduct End User education and training on the BEC threat and how to identify a spear phishing email
• Ensure company policies provide for verification of any changes to existing invoices, bank deposit information, and contact information
• Contact requestors by phone before complying with e-mail requests for payments or personnel records
• Consider requiring two parties sign off on payment transfers

How And What To Report

The FBI requests BEC victims file a complaint with IC3, regardless of the dollar loss or date of the incident. IC3 complaints should be filed at www.ic3.gov with the following details (if applicable):

• Any messages pertaining to the attack
• Victim Information
• Overall losses associated with the BEC
• If a payment associated with the attack was sent, provide transaction details
• Victim impact statement (e.g., impacted services/operations)
• IP addresses used to send fraudulent emails