• by Ray Schultz , September 27, 2019

Business email compromise (BEC) scams have raked in $3.1 billion in the U.S. since 2016, pulling in $750.3 million in the first five months of this year alone, according to Is That Email Really From 'The Boss?', a new report from the Better Business Bureau. 

The study, quoting figures compiled by the Financial Crimes Enforcement Network (FinCEN), notes that $1.3 billion was lost to BEC scams last year, up from $360.5 million in 2016. And bad actors attempted to trick companies out of another $23 billion. 

A wave of prosecutions has slowed some — but not all — of the activity.

The U.S. isn’t alone. BEC losses topped $60 million last year in Australia, a 170% increase over 2017. And Canadian businesses have lost $9 million from January to May of this year, versus $6 million in all of 2018.

In addition, the FBI reports that BEC attacks result in greater losses than any kind of fraud. And last year, 80% of businesses received at least one BEC email.

This form of fraud has tripled over the last three years, leaping by 50% in the first three months of 2019, according to figures released by Symantec, the BBB adds. 

One can only conclude that most of the losses stem from employee carelessness or gullibility.

Losses are 10 times more likely to occur if the recipient opens a malicious email, the BBB states.

Increasingly, BEC emails pretend to be from a person’s boss. KnowBe4 has documented the following subject lines. (We follow their capitalization):

• request — 36%
• follow-up — 14%
• urgent/important — 12%
• Are you available, or Are you at your desk? — 10%

Most people will open such emails when they appear to come from a senior executive. And, the BBB notes that some BEC emails “really do come from the superior’s email account.”

BEC scam artists also carefully time their attacks — for example, around holidays, when more temporary employees are on board and top executives are out of the office.

According to the report, the FBI recognizes at least six kinds of attack (and we quote):

1. The CEO directing the CFO to wire money to someone.
2. Vendors or suppliers asking that invoice payment be made to a different bank account.
3. Executives requesting copies of employee tax information such as W-2 forms in the U.S. 
4. Realtors, title companies or lawyers redirecting proceeds from sales of homes or other real estate into a new account.
5. Senior employees seeking to have their pay deposited into a new bank account.
6. An employer or clergyman appealing to the recipient to buy gift cards on their behalf.

From a technical standpoint, the BBB advises companies to:

• Require multifactor authentication
• Change settings so that all emails coming from outside an organization are flagged with a warning.
• Monitor email rules use when someone else is in an account.
• Limit the number of times people can enter incorrect login information without having to contact an administrator.
• Verify changes in information about customers, employees or vendors.

Companies also should change their internal cultures:

• Confirm requests by phone before acting.
• Train all employees in internet security.