BEC attacks have hit thousands, top $5 billion in losses globally

Over three years, IC3 tracked over 40,000 victims exposed to $5 billion in losses


An updated advisory from the FBI says that Business Email Compromise (BEC) attacks have become a multi-billion-dollar scam worldwide, as criminals take advantage of lax policies and human nature. Victims include businesses both large and small, operating in any number of vertical markets, proving that the criminals aren't picky about who they'll target.

At their core, BEC attacks are a variation on social engineering, designed to exploit a person's normal routine. Social engineering isn't easily detected or defeated, so when the criminals ask for something that isn't unusual or out of the victim's comfort zone, the attack often succeeds.

By sticking to the routine, the criminals are taking advantage of lax policies and informal communications via email at work.

"It is largely unknown how victims are selected; however, the subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam. The subjects are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive “phishing” e-mails requesting additional details regarding the business or individual being targeted (name, travel dates, etc.)," the updated FBI alert explains.

The stats are concerning. According to the published data, between January 2015 and December 2016 the amount of exposed losses skyrocketed by more than 2,000 percent, with BEC attacks being reported in all fifty states and 131 countries.

Sticking to domestic reports alone, over the last three years there have been more than 22,000 victim organizations and more than $1.5 billion in losses, with more than $346 million of that coming in the last half of 2016. Worldwide, over the same period, the number climbs to $5.3 billion in losses across more than 40,000 victims.

BEC attacks exist in a number of forms, including wire transfer requests or business requests dealing with personal information, such as W-2 records. Some attacks include the use of compromised email accounts within the organization or those tied to the victims somehow.
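As an added example, not code from the article or the FBI alert, here is a small Python triage check for the indicators the forms above imply: a display name borrowed from a known executive, a Reply-To pointing somewhere else, a lookalike sender domain, and the routine-sounding request for funds or W-2 data. The organization domain, the executive name and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
# Assumptions, not from the article: our domain, one hypothetical executive, request wording.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
REQUEST_TERMS = ("wire transfer", "w-2", "payroll", "urgent")

def edit_distance(a, b):
    """Levenshtein distance; one or two edits from our domain is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw):
    """Return the BEC indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    hits = []
    # A known executive's display name on an address that is not theirs.
    key = name.strip().lower()
    if key in EXECUTIVES and EXECUTIVES[key] != addr.lower():
        hits.append("display name impersonates a known executive")
    # Replies silently redirected to a mailbox outside the sending domain.
    if reply and reply.rpartition("@")[2].lower() != sender_domain:
        hits.append("Reply-To domain differs from From domain")
    # Sender domain is nearly, but not exactly, ours.
    if sender_domain != ORG_DOMAIN and edit_distance(sender_domain, ORG_DOMAIN) <= 2:
        hits.append("lookalike sender domain " + sender_domain)
    # The routine-sounding request: funds, tax records, urgency.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    found = [t for t in REQUEST_TERMS if t in text]
    if found:
        hits.append("request terms: " + ", ".join(found))
    return hits

def needs_out_of_band_check(raw, threshold=2):
    # Policy hook: at this many indicators, confirm by phone before acting on the request.
    return len(bec_indicators(raw)) >= threshold

# Constructed samples for demonstration, not real messages.
FRAUD = ("From: \"Jane Doe\" <jane.doe@examp1e.com>\nReply-To: jd.office@webmail.example\n"
         "Subject: Urgent wire transfer\n\nPlease process the wire transfer today.\n")
LEGIT = ("From: \"Jane Doe\" <jane.doe@example.com>\nSubject: Board deck\n\n"
         "Please send the Q2 board deck when it is ready.\n")
```

The threshold is the point where policy, not the filter, takes over: a match should route the request to a phone call on a known number, which is the control the article says informal email habits bypass.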

When it comes to BEC attacks targeting W-2 information, 2017 is a record-setting year, with at least 200 reported cases since January impacting more than 120,000 taxpayers.

Some of the victim organizations lost tax records for 2015 and 2016, while others lost tax data and insurance data to the same scam.

In March, when Vertical Bridge, LLC reported their W-2 data breach, the company noted that the employee who fell for the BEC scam had recently completed awareness training "designed to prevent this kind of situation."

Organizations are trying to keep ahead of the curve by focusing on awareness training – including BEC attacks. But such measures don't cover every situation, and they won't help if the habits placing the organization at risk in the first place aren't changed, including office communications dealing with sensitive information.

The impact of these attacks is larger than the initial data breach as well. The IRS suspended the Data Retrieval Tool (DRT) in March, issuing a joint statement with the US Department of Education stating the move was due to security concerns.

One BEC victim reported to Salted Hash that their information was used to set up a fraudulent Federal Student Aid application (using data pulled from the DRT), which prevented them from obtaining one themselves.

The alert issued last week has a number of tips and steps for organizations and victims when it comes to these attacks. Data breach notifications have identified two hundred BEC victims so far, but that number is expected to climb as the summer draws to a close.


Copyright © 2017 IDG Communications, Inc.
