BEC is a growing type of cybercrime that generates billions in losses every year. It also increasingly involves cryptocurrency, which provides an additional layer of anonymity to the cybercriminals.

The Federal Bureau of Investigation released an alert that said there has been a 65% increase in identified global exposed losses from Business Email Compromise fraud, also known as Email Account Compromise. This huge increase can partly be attributed to the COVID-19 pandemic, as restrictions caused more workspaces and individuals to conduct routine business virtually.
Statistics collected by the FBI’s IC3 (Internet Crime Complaint Center) and law enforcement, and derived from filings with financial institutions, between June 2016 and December 2021 revealed a total of 241,206 domestic and international incidents, for an exposed loss of $43,312,749,946.
Between October 2013 and December 2021, there were 116,401 U.S. victim complaints to the IC3, and 5,260 non-U.S. victims. The exposed loss for the U.S. victims is close to $15 billion, while the exposed loss for non-U.S. victims is a bit more than $1.2 billion.
Business Email Compromise is a sophisticated scam that targets companies and individuals who perform legitimate transfer-of-funds requests.
Social engineering or the use of malware makes it possible for cybercriminals to impersonate one of the people involved in those money transfers and make the victim send the money to a cybercriminal-owned bank account.
Once the fraud is detected, it is often too late to recover the money, as the fraudsters quickly move it to other accounts and cash it out or buy cryptocurrencies with it.
The scam is not always associated with a money transfer, as one variation of the fraud involves compromising legitimate business email accounts and requesting employees' personally identifiable information, Wage and Tax Statement (W-2) forms or even cryptocurrency wallets, according to the agency.
Cybercriminals running BEC campaigns increasingly make use of cryptocurrencies because cryptocurrency transactions provide more anonymity than usual wire transfers.

IC3’s feedback after tracking some iterations of this scam reveals two different modi operandi.
The direct transfer method mirrors the traditional pattern of BEC incidents from the past. A cybercriminal sends altered wire information to the victim and social-engineers him or her into sending a payment to a cryptocurrency custodial account controlled by the bad actor.
The second method is called the second-hop transfer. In this attack, the fraudsters make use of other cybercrime victims. The bad actor sends altered wire instructions to a victim, so that he or she sends payment to a second victim whose PII is owned by the attacker. The funds are then moved to a cryptocurrency account controlled by the cybercriminal, who can then cash them out the way they want. The victims in this additional layer, who serve as proxies for the funds, are often victims of extortion, romance scams or tech support fraud and have provided all the necessary PII to the threat actor.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
Cedric Pernet is a senior threat expert with a strong focus on cybercrime and cyberespionage. He currently works at Trend Micro. Prior to that position, he worked for several Computer Emergency Response Teams (CERTs) where he did threat intelligence investigations, incident response, and computer forensics. He was also a Law Enforcement Officer working on Cybercrime in France. He is the author of a paperbook in French language on cyberespionage and an influential person in the cybersecurity community.