The Internet Crime Complaint Center (IC3) has issued a new alert to businesses warning of the risk of business email compromise scams.

The businesses most at risk are those that deal with international suppliers as well as those that frequently perform wire transfers. However, businesses that only issue checks instead of sending wire transfers are also at risk of this type of cyberattack.

In contrast to phishing scams where the attacker makes emails appear as if they have come from within the company by spoofing an email address, business email compromise scams require a corporate email account to be accessed by the attackers.

Once access to an email account is gained, the attacker crafts an email and sends it to an individual responsible for making wire transfers, issuing other payments, or an individual that has access to employees PII/W-2 forms and requests a bank transfer or sensitive data.

The attackers often copy the format of emails previously sent to the billing/accounts department. This information can easily be gained from the compromised email account. They are also able to easily identify the person within the company who should be sent the request.

Not all business email compromise scams are concerned with fraudulent bank transfers. IC3 warns that the same scam is also used to obtain the W-2 tax statements of employees, as has been seen on numerous occasions during this year’s tax season.

Phishing scams are often sent out randomly in the hope that some individuals click on malicious links or open infected email attachments. However, business email compromise scams involve considerable research on the company to select victims and to identify appropriate protocols used by the company to make transfer requests.

Business email compromise scams often start with phishing emails. Phishing is used to get end users to reveal their login credentials or other sensitive information that can be used to gain access to business networks and perform the scam. Malware can also be used for this purpose. Emails are sent with links to malicious websites or with infected email attachments. Opening the attachments or clicking on the links downloads malware capable of logging keystrokes or provides the attackers with a foothold in the network.

IC3 warns that business email compromise scams are a major threat for all businesses, regardless of their size. Just because your business is small, it doesn’t mean that you face a low risk of attack.

Between January 2015 and December 2016, IC3 notes there was a 2,370% increase in BEC scams. While funds are most commonly sent to bank accounts in China and Hong Kong, IC3 says transfers have been made to 103 countries in the past two years.

The losses reported by businesses are staggering. Between October 2013 and December 2016, more than $5 billion has been obtained by cybercriminals. United States businesses have lost $1,594,503,669 in more than 22,000 successful scams. The average loss is $71,528.

IC3 lists the five most common types of business email compromise scams as:

  1. Businesses receiving requests from frequently used suppliers requesting transfers be made to a new bank account.This is also known as a bogus invoice scam.
  2. An executive within the company (CFO or CTO for example) requests a transfer be made by a second employee in the company. This is also known as a business executive scam.
  3. A compromised email account is used to send a payment request/invoice to a vendor in the employees contact list.
  4. The attackers impersonate an attorney used by the firm and request the transfer of funds. These scams are common at the end of the week or end of the business day. They are also known as Friday afternoon scams.
  5. A request is sent from a compromised email account to a member of the HR department requesting information on employees such as W-2 Forms or PII. These scams are most common during tax season.

There are a number of strategies that can be adopted to prevent business email compromise attacks from being successful.

IC3 recommends:

  • Using a domain-based email account rather than a web-based account for business email accounts
  • Exercising caution about the information posted to social media accounts. This is where the attackers do much of their research
  • Implement a two-step verification process to validate all transfer requests
  • Use two-factor authentication for corporate email accounts
  • Never respond to an email using the reply option. Always use forward and type in the address manually
  • Register all domains that are similar to the main domain used by the company
  • Use intrusion detection systems and spam filters that quarantine or flag emails that have been sent with extensions similar to those used by the company – Blocking emails sent from xxx_company.com if the company uses xxx-company.com for example
  • Be wary of any request that seems out of the ordinary or requires a change to the bank account usually used for transfers