Losses from Business Email Compromise (BEC) phishing scams have grown 2,370% over the past two years, according to a Thursday alert issued by the Federal Bureau of Investigation (FBI).
A BEC scheme is a social engineering phishing scam where a hacker impersonates an executive of a targeted organization to trick employees into compromising company data and financial details. Successful corporate phishing attempts generally require cybercriminals to conduct a significant degree of company research to identify individuals to impersonate, and then to mimic their language and business tactics.
BEC phishing attempts can be incredibly detrimental to affected organizations, leading to losses in data, money, and brand loyalty. Fraudulent wire transfers resulting from successful phishing attempts have grown 2,370% over the past two years, according to the FBI. More than 40,000 incidents were recorded between October 2013 and December 2016, resulting in more than $5.3 billion in losses.
BEC scams have been reported in all 50 states in the U.S. as well as in 131 countries, according to the FBI. From June to December 2016, more than $346 million was lost to BEC email phishing scams in the United States alone, with an additional $448 lost internationally over the same period.
Most of the money stolen has been tracked back to banks in China and Hong Kong, according to the alert.
“In today’s world of email scams, phishing and compromised credentials, a healthy dose of skepticism might just save users a lot of grief down the road,” says Phil Richards, CSO of Ivanti.
Richards argues that the best defense against phishing scams lies in the hands of the users. Recognizing phishing red flags, and avoiding clicking on any fraudulent emails, are the best way to ensure your information is not compromised.
“Scammers and phishers are successful when they craft an email message that is so compelling, so urgent, and looks legitimate, that you -- the unsuspecting victim -- feel compelled to click on it and follow the instructions,” says Richards. “They can look like they come from Google Docs, your work administrator, HR department, CEO, friend, spouse, or child. Users need to train themselves to step back, evaluate the message and look for clues it might be a scam.”
Richards recommends that consumers closely examine the sender addresses of incoming email, as well as any URLs it contains, to authenticate the message.
“Just because an email has a logo that you recognize doesn’t mean the email comes from that company,” says Richards.
Richards also says that real legal notices will never come through email, and that a real bank notice will never require the end user to change their password via email.
“If I can’t validate the authenticity, my motto is when in doubt, throw it out,” says Richards.