Compromised business emails have caused 17,642 enterprises worldwide to lose at least $2.3 billion, a new research paper titled 'Billion-Dollar Scams: The Numbers Behind Business Email Compromise ' from Trend Micro says.
The paper says that the statistics are straight from the FBI, and the number is still increasing. Victim counts increased 270% during the first eight months of 2015. The sheer size of these attacks prompted the FBI into action through a public service announcement, educating enterprises about the dangers.
The paper says that business email compromise (BEC) schemes work through sophisticated channels between businesses and foreign partners that provide wire transfer payments. Business executives' emails are hacked and spoofed, instructing employees to send large wire transfers to foreign accounts.
The paper says that BEC attacks are socially-engineered, which makes them difficult to detect due to how legitimate the emails appear. While the USA is the greatest target with 274, Australia also has been targeted by 94 schemes.
Trend Micro says BEC scams can take three forms:
The bogus invoice scheme
Businesses who work with a foreign supplier are contacted by fraudsters, asked to change payment location or to a fraudulent payment account.
Scammers spoof business executives' accounts, create an email to an employee requesting an urgent wire transfer to the fake account. The most spoofed executive positions are CEO (31%), president (17%), managing director (15%) and 'others' constituting 20%.
An employee's account is hacked and emails are sent from the account to vendors on the contact lists, requesting payments to fraudulent accounts.
How to prevent BCE attempts
The report encourages businesses to educate executives and employees about how BEC scams operate. The scams are simple, and can be easily thwarted by employees.
- Be wary of all emails
- Verify wire requests if they seem overly high or differ from most transactions
- Raise employee awareness about BCE methods
- Use secondary sign-off for changes in vendor payment locations
- Use two-factor authentication for payments. When using phone verification, use known phone numbers.
- Report attempted and successful hacks or spoofs
- Keep track of customer payments, including payment details