September 27, 2019 – Since 2016, businesses and organizations in Canada have reported a total of US$33.6 million in losses as a result of Business Email Compromise (BEC) scams, according to a new report from the Better Business Bureau (BBB). The BBB urges businesses and organizations to establish technical precautions and to change the institution’s culture and training regarding internet security.
The BBB published the new report on BEC scams, “Is That Email Really From ‘The Boss?’ The Explosion of Business Email Compromise (BEC) Scams”, on September 26. The report states that BEC scams are skyrocketing in frequency. This type of fraud cost businesses and organizations in Canada US$33.6 million across 1204 complaints between January 2016 and May 2019. However, ‘[t]he complaints received may be only the tip of the iceberg; much of this fraud is not reported’, according to the BBB.
BEC or Email Account Compromise (EAC) frauds are email phishing scams and can take on many forms. The report lists six types of BEC scams:
- a chief executive officer (CEO) asking the CFO to wire money to someone,
- a vendor or supplier requesting a change in invoice payment,
- executives requesting copies of employee tax information,
- senior employees seeking to have their pay deposited into a new bank account,
- an employer or clergyman asking the recipient to buy gift cards on their behalf,
- a realtor or title company redirecting proceeds from a real estate sale into a new account.
The fraudsters target the people in charge of paying bills in businesses, governments, and non-profit organizations by impersonating high-profile actors such as chief financial officers (CFO) or accountants. They send emails that sound urgent and very legitimate. The message appears credible because it comes from a fake email address carrying the actual name of the high-profile actor, or even from a hacked email account. In these messages, the employee is asked to wire money, buy gift cards or send personal information. The provided bank accounts are controlled by the fraudsters, leaving the institutions with unpaid bills, paychecks or similar.
In August, the FBI scored a coup against BEC scam gangs. In a wave of arrests, 80 suspects were captured for alleged BEC fraud in the U.S. The report says ‘90% of BEC groups operate out of Nigeria, with other Nigerian fraud groups operating from the U.S., Canada and many other countries around the world.’
In its report, the BBB recommends that organizations ‘take technical precautions such as multifactor authentication for email logins and other changes in email settings, along with verifying changes in information about customers, employees or vendors. The report also urges culture and training changes in organizations – namely, confirming requests by phone before acting and training all employees in internet security.’