How Serious is BEC Attack?

One of the BEC examples is the impersonation of a colleague. (Source: Tessian.com)

BEC was not considered a global threat until 2013 when the IC3 (Internet Crime Complaint Centre, founded in 2000) received massive complaints and issues about them. It was reported from 2013 to 2014 that the total number of BEC victims in the U.S. and 45 countries are 2,226 with a combined money loss of US$214,972,503.30.

From May 2018 to June 2019, there was a 100% increase in total global fraud from BEC. Since the IC3 started counting, there has been a total money loss of US$26.2 billion with victims from all 50 states in the U.S. and in 177 countries. No wonder the FBI has named BEC a “US$26 billion scam”. In 2020, the IC3 observed an increase in the number of BEC complaints related to the use of identity theft and funds being converted to cryptocurrency.

There are several top BEC cases, such as:

• Facebook and Google: US$121m BEC scam

It was dubbed the biggest BEC scam of all time. The attacker Evaldas Rimasauskas and associates set up a fake company named “Quanta Computer” (the same name as the real hardware supplier) which sent fake invoices, contracts, and letters, and billed them for millions of dollars in 2013-2015. The documents were legitimate-looking enough that Google and Facebook wired money to accounts. 

• Ubiquiti: US$46.7m vendor fraud

In August 2015, IT company Ubiquiti became the victim of US$46.7 million due to the scammers who impersonated employees at a third-party company (vendor) and targeted Ubiquiti’s finance department.

• Toyota: US$37 million BEC attack

In 2019, Japan’s Toyota Boshoku Corporation, a supplier of auto parts, was a victim of US$37 million. The attackers tricked and persuaded an executive of the finance department to make a wire transfer.

• Government of Puerto Rico, 2019-2020

In early 2020, while dealing with the aftermath of the earthquake, the government fell victim to BEC attacks when Ruben Rivera, finance director of Puerto Rico’s Industrial Development Company mistakenly transferred over US$2.6 million to a fraudulent bank account. He had received an email about the changing bank account tied to remittance payments. Fortunately, the money which included public pension funds was frozen by the FBI.

How to prevent Business Email Compromise Scams

BEC scams are hard to stop because it needs internal context to know if the email is legit or not. Several tips from FBI to guard against BEC, such as:

• Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
• Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
• Be careful what you download. Never open an email attachment from someone you don’t know, and be wary of email attachments forwarded to you.
• Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
• Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in an account number or payment procedures with the person making the request.
• Be especially wary if the requestor is pressing you to act quickly.

To increase security safety in your company, use cybersecurity solutions that give email protection that leverages internal context, AI, and a trusted reputation network unique to a company and can prevent BEC attacks such as Avanan. 

In fact, here’s how Avanan prevents organisations from BEC:

1. Machine learning algorithms combine with role-based, contextual analysis of previous conversations to identify threats that Google, Microsoft and external mail gateways miss,
2. Deployment-day analysis of one-year’s email conversations to build a trusted reputation network,
3. Scanning and quarantine of internal email and files in real-time, protecting against east-west attacks and insider threats,
4. AI and machine learning techniques to rapidly adapt to new threats and behaviours,
5. Account takeover protection beyond email: login events, configuration changes and end user activities throughout the suite.

ArmourZero provides Email Protection as-a-Service powered by Avanan, the best breed of Email Security Solutions, with only US$6.00/user/month or US$60/user/year we are able to prevent delivery of malicious emails to inbox, protect Microsoft 365 and Google Workspace email, account takeover prevention, etc. Book your demo now.