FBI: Global Business Email Compromise Losses Hit $12.5 Billion'CEO Fraud' Remains Alive, Well and Underreported
Global losses due to business email compromise have exceeded $12.5 billion, warns the FBI's Internet Complaint Center, or IC3.
See Also: The Global State of Online Digital Trust
The latest FBI data draws on fraud reports submitted by victims around the world from October 2013 to May 2018. In that time frame, the FBI counts 41,058 total U.S. victims who collectively lost at least $2.9 billion.
IC3 is the contact point for U.S. consumers and businesses that want to report fraud to authorities (see FBI: Reported Internet-Enabled Crime Losses Hit $1.3 Billion).
Business email compromise - also called email account compromise or CEO fraud - "is a sophisticated scam targeting both businesses and individuals performing wire transfer payments," IC3 warns. "The scam is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds."
Variations of the scam can also involve attempts to steal personally identifiable information or employees' wage and tax statement forms.
Such scams give fraudsters a low-cost way to harvest potentially high-value data. Last year, for example, Coupa, which provides cloud-based software for managing spending, warned that an employee had sent copies of 2016 W-2 federal income tax-related documents for all of the company's employees to an attacker who had posed as the company's CEO via email (see Silicon Valley Firm Coupa Hit by W-2 Fraudsters).
Experts say W-2 forms are a popular target because they contain employees' names, addresses, Social Security numbers and wages. Fraudsters often attempt to use that information to commit identity theft, including filing fake tax returns and obtaining a refund.
Hot Target: Real Estate
In the United States, criminals are increasingly running scams that target not just PII and W-2 forms but also stealing funds from the real estate sector, including "title companies, law firms, real estate agents, buyers and sellers," IC3 warns.
"Victims most often report a spoofed email being sent or received on behalf of one of these real estate transaction participants with instructions directing the recipient to change the payment type and/or payment location to a fraudulent account," IC3 says. "The funds are usually directed to a fraudulent domestic account which quickly disperse through cash or check withdrawals. The funds may also be transferred to a secondary fraudulent domestic or international account. Funds sent to domestic accounts are often depleted rapidly, making recovery difficult."
IC3 reports that from 2015 to 2017, it received an 1,100 percent increase in fraud reports from victims who had been hit with a BEC scam that involved a real estate angle. In the same time frame, it said the reported losses due to such real estate BEC scams increased by 2,200 percent.
Drawing on data provided by financial services firms as well as foreign law enforcement and government agencies, IC3 says that in the October 2013 to May 2018 time frame, total known worldwide losses to BEC scams hit $12.5 billion, while the total number of known victims reached 78,617.
Stolen funds have been traced to recipients in the United States as well as 115 other countries, IC3 says, noting that China and Hong Kong are the primary foreign destinations. "However, financial institutions in the United Kingdom, Mexico and Turkey have also been identified recently as prominent destinations."
The FBI says that to make it more difficult for investigators to recover the funds, criminals may first groom domestic money mules - sometimes via romance scams - and use them to help move the money (see Nigerians Get Lengthy Prison Terms for 'Romance Scams').
Fraud Victim? Act Quickly
Law enforcement officials worldwide continue to urge victims to come forward. In the case of BEC scams, IC3 says that it works with the FBI as well as financial services firms to attempt to recover stolen funds.
"If you discover a fraudulent transfer, time is of the essence," IC3 warns. "First, contact your financial institution and request a recall of the funds. Different financial institutions have varying policies; it is important to know what assistance your financial institution will provide when attempting to recover funds."
Rather than contacting local police, IC3 recommends that organizations alert their local FBI office to the fraudulent transfer and then also file a complaint with IC3. "Law enforcement may be able to assist the financial institution in recovering funds," it says, adding that "IC3 will be able to assist both the financial institutions and law enforcement in the recovery efforts."
Reporting recommendations vary by country. In the U.K., for example, the U.K.'s national fraud and cybercrime reporting center is Action Fraud, which is run by the City of London Police, the nation's lead force for investigation of fraud.
This month, Action Fraud reported that from October 2017 to March 2018, it received 12,372 cybercrime reports from U.K. victims, totaling £28 million ($37 million) in losses.
Of those reports, about one third involved attackers hacking into a victim's social media or email accounts, leading to £11 million ($14 million) in known losses.
Where to Report Fraud?
Law enforcement experts say many crimes, including cybercrime, remain underreported, making it difficult to understand the full scale of the problem.
For victims that do want to come forward, furthermore, how and where to report fraud continues to evolve.
"U.K. people love to send their complaints over to IC3.gov," FBI Special Agent Efrene G. Sakilayan, the bureau's assistant legal attaché to the U.K., said in a presentation at the recent International Conference on Big Data in Cyber Security in Edinburgh, Scotland (see 8 Highlights: Scottish 'Big Data' Cybersecurity Conference). "I keep telling them to send them to Action Fraud."
Victims: Please Come Forward
In the U.S. and U.K., involving law enforcement doesn't always lead to an investigation. But without knowing how criminals are targeting victims, police say everyone from policymakers to incident responders remains at a disadvantage (see FBI to DDoS Victims: Please Come Forward).
"You cannot legislate for what you don't know," Detective Inspector Eamonn Keane of Police Scotland, who heads cybersecurity and innovation efforts at the Scottish Business Resilience Center, said at the recent International Conference on Big Data in Cyber Security.
Notifying law enforcement about internet-enabled fraud and other types of cybercrime remains essential for "enriching the intelligence picture" across law enforcement agencies and disrupting criminal operations, he said.