Big Bucks In BEC: The Crooks Are Making Billions, Government Report Says

Did you ever get the sneaking feeling that you’re on the wrong end of this business?

Cyber felons pulled down $300 million a month with business email compromise (BEC) attacks against financial institutions in 2018, according to the Financial Crimes Enforcement Network (FinCEN), a unit of the U.S. Treasury. That’s up from $110 million per month in 2016.

Moreover, since 2016, FiNCEN has received 32,000 reports on almost $9 billion in possible losses to businesses, individuals and governments.

In contrast to 2016, when victims were induced to move funds through wire transfers, the methods now include convertible virtual currency payments, automated clearinghouse transfers, and purchases of gift cards.

Typically, these attacks involve “spoofing bank domains and sending what appear to be credible messages to imitate official communications between bank employees.”

These include “sending emails that appear to be from a financial institution’s Society for Worldwide Interbank k Financial Telecommunication (SWIFT) department with payment instructions and SWIFT reference numbers in the email text to enhance its apparent legitimacy to the victim,” it says.



Also listed among financial services targets are:  

Government — The cyber perpetrators have targeted accounts used for pension funds, payrolls and contracted services and have set their sights on employees, citizens and vendors.

Education — This is the largest single area of BEC fraud in the financial sector because of the volume of tuition payments, endowments, grants, and renovation and construction cost. While only 2% of BEC attacks hit educational institutions in 2017, that does not reflect the high dollar value of these transactions. 

FiNCEN also reports that it hs recovered over $500 million in stolen friends through its Rapid Response program.

The agency is trying to counteract fraud through a series of Exchange Forum meetings.  

BEC attacks target accounts of financial operational entities such as commercial, non-profit, governmental organizations.

Email account compromise attacks (EAC) target personal email accounts of individuals.

In general, the big three BEC targets are: 

  • Manufacturing and construction (25% of BEC cases). 
  • Commercial services (18%)
  • Real estate (16%)

Scams affecting these verticals often take the form of fraudulent invoices and vendor impersonation scams.

Where is the stolen money going? You’re wrong if you think it’s headed for some destination overseas.

“The majority of BEC incidents affecting U.S. financial institutions and their customers are increasingly involving initial domestic funds transfers, rather than international, likely taking advantage of money mule networks across the United States to move stolen funds,” FinCEN reports.  



Next story loading loading..