Whatever numbers you look at, business email compromise (BEC) scams have become a massive industry over the past five years.
The scam earns a small group of criminals hundreds of millions each month through trickery, often without the aid of malware or exploits for software vulnerabilities.
The FBI estimates that email scammers have conned businesses globally out of $12 billion in payments over the past five years that were wired, often in large sums, to fraudster-controlled accounts.
In the US, financial crimes authority FinCEN recently reported that victim businesses are wiring about $300 million a month to scammers, usually to US bank accounts controlled by money mules, who then forward the funds onwards and out to foreign bank accounts.
BEC scams typically involve fabricated payment instructions purported to come from a senior executive of a company or from a business partner or supplier. In some cases, email accounts have been hacked or spoofed, but other attacks rely purely on social engineering.
The Australian Criminal Intelligence Commission’s (ACIC) latest figures on the crime category suggest there were only hundreds of BEC victims. But those figures were from the 2016-2017 financial year.
The Australian Competition and Consumer Commission more recently estimated financial losses of $7.2 million last year due to BEC fraud, which is far less than losses due to investment and dating scams.
The FBI, FinCEN, ACIC, and others base their numbers on different sets of data. FinCEN’s numbers are derived from reports filed by US financial institutions and suggest the problem is worse than FBI estimates, which are based on reports to it and other law enforcement agencies.
FinCEN’s estimate of roughly $300 million a month in US losses in 2018, which works out to about $3.6 billion a year, is significantly higher than the $1.3 billion in 2018 losses estimated by the FBI.
Another way of looking at the problem is exposure to BEC emails. And, according to security firm Symantec, on this count Australia is one of the most exposed to the fraud.
Australia, which has about 25 million residents, is outside the top 50 countries by population. But it’s also a relatively wealthy, English-speaking nation. This could help explain why Symantec found that Australian businesses were the third most-targeted in the year between July 2018 to June 2019.
Symantec’s telemetry data indicates that just over 6,000 organizations were targeted by BEC emails each month over the year; the ones it counts are those whose incoming BEC email Symantec blocked. The company blocked roughly the same volume the previous year, even though FBI and FinCEN figures suggest victim numbers doubled over the same period.
But the figure that stands out from Australia’s perspective is that blocked BEC email to Australian targets accounted for 11 percent of the 6,000 organizations — only behind the US and UK, which accounted for 39 percent and 26 percent, respectively.
All other countries accounted for 3 percent or less of BEC email. As Symantec notes: “Belgium (3 percent), Germany (3 percent), Canada (2 percent), the Netherlands (2 percent), Hong Kong (2 percent), Singapore (2 percent), and Japan (1 percent).”
There were differences in the approach scammers took to different countries. For Australian recipients, scammers used “Payment” in the subject line, whereas in the UK and US, it was “Important”. In Japan it was “Your receipt from Apple”, while in Belgium scammers used the local phrase for “You are entitled to a lower energy bill in 2018!”
Scammers are also tending towards free webmail accounts to carry out the fraud, using services like Gmail, AOL, Yahoo! and Hotmail.
The top themes include requests to buy Apple iTunes and Amazon gift cards, requests to update salary and direct deposit details, and requests for personal and work mobile numbers.
Other tell-tale signs of an attack in the works are questions about the same-day wire payment process, the international transfer limit, or vendor payment setup processes; supposed salary queries; and requests for urgent payments while the sender claims to be in a conference.
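The indicators above (free webmail senders, lure subject lines, gift card and payroll themes, and the tell-tale process questions) are the raw material for a simple triage rule. The script below is an added example, not Symantec’s detection logic or anything from the original article: it scores parsed messages against those indicators and flags the ones that cross a threshold. The executive directory, the `example.com` domain, the scoring weights, the `THRESHOLD` value and the three sample messages are all constructed assumptions for illustration.

```python
"""Heuristic triage of inbound mail for BEC indicators (added example, not from the article)."""
import re
from email.utils import parseaddr

# Consumer webmail domains the article names as favoured by scammers.
FREE_WEBMAIL_DOMAINS = {"gmail.com", "aol.com", "yahoo.com", "hotmail.com"}

# Hypothetical internal directory (assumption): lowercase display name -> corporate address.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Subject lines the article reports as typical lures, normalised to lowercase.
SUBJECT_LURES = {"payment", "important", "your receipt from apple"}

# Body themes and tell-tale questions from the article, as regexes with a human-readable label.
THEME_PATTERNS = [
    (re.compile(r"\b(itunes|amazon)\b.*?\bgift\s*cards?\b", re.I | re.S), "gift card request"),
    (re.compile(r"\b(direct\s+deposit|salary|payroll)\b", re.I), "salary or direct-deposit change"),
    (re.compile(r"\b(mobile|cell)\s*(phone|number)\b", re.I), "request for mobile number"),
    (re.compile(r"\bsame[- ]day\b.*?\bwire\b", re.I | re.S), "same-day wire process query"),
    (re.compile(r"\binternational\b.*?\btransfer\b.*?\blimit\b", re.I | re.S), "international transfer limit query"),
    (re.compile(r"\bvendor\b.*?\b(set\s*up|setup|payment)\b", re.I | re.S), "vendor payment setup query"),
    (re.compile(r"\b(in|at)\s+(a|the)\s+(conference|meeting)\b", re.I), "urgency: sender claims to be in a meeting"),
    (re.compile(r"\burgent(ly)?\b", re.I), "urgency language"),
]

THRESHOLD = 5  # assumption: tune against your own mail flow before blocking or quarantining


def _domain(addr: str) -> str:
    """Lowercase domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(msg: dict) -> tuple[int, list[str]]:
    """Score a message dict with keys 'from', 'reply_to', 'subject', 'body'.

    Returns (score, indicators). Weights are illustrative assumptions.
    """
    score, indicators = 0, []
    name, addr = parseaddr(msg.get("from", ""))
    _, reply_addr = parseaddr(msg.get("reply_to") or "")
    from_dom = _domain(addr)

    # Display name of a known executive on an address that is not theirs: the classic CEO lure.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        score += 3
        indicators.append(f"executive display name '{name}' but sender is {addr}")

    # Free webmail sender, as the article notes scammers increasingly use.
    if from_dom in FREE_WEBMAIL_DOMAINS:
        score += 2
        indicators.append(f"free webmail sender domain {from_dom}")

    # Reply-To steering replies to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        score += 2
        indicators.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")

    # Lure subject lines, ignoring Re:/Fwd: prefixes.
    subject = re.sub(r"^\s*(re|fw|fwd):\s*", "", msg.get("subject", ""), flags=re.I).strip().lower()
    if subject in SUBJECT_LURES:
        score += 1
        indicators.append(f"lure subject '{subject}'")

    # Body themes and tell-tale process questions.
    body = msg.get("body", "")
    for pattern, label in THEME_PATTERNS:
        if pattern.search(body):
            score += 2
            indicators.append(label)
    return score, indicators


def is_suspicious(msg: dict) -> bool:
    """True when the message scores at or above THRESHOLD."""
    return analyse(msg)[0] >= THRESHOLD


# Constructed sample messages (not real mail): a CEO gift-card lure, a benign note, a vendor lure.
SAMPLES = [
    {"from": '"Jane Doe" <jane.doe.ceo@gmail.com>', "reply_to": "", "subject": "Payment",
     "body": "Are you at your desk? I'm in a conference and can't talk. I need you to buy 5 Amazon "
             "gift cards for a client today, it's urgent. Send me the codes."},
    {"from": '"Jane Doe" <jane.doe@example.com>', "reply_to": "", "subject": "Q3 roadmap notes",
     "body": "Attached are the notes from yesterday's planning session. Let me know if anything is missing."},
    {"from": '"Accounts" <accounts@supplier-example.com>', "reply_to": "accounts.supplier@yahoo.com",
     "subject": "Important",
     "body": "Please update our direct deposit details for future invoice payments. What is your vendor "
             "payment setup process and the international transfer limit?"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        score, hits = analyse(sample)
        print(f"{score:>2} {'SUSPICIOUS' if score >= THRESHOLD else 'ok        '} {sample['subject']}")
        for hit in hits:
            print(f"     - {hit}")
```

The executive display-name check is the single most valuable signal here, because it catches the CEO-impersonation pattern regardless of which webmail provider the scammer uses; the rest of the indicators raise the score but are individually too common in legitimate mail to act on alone, which is why the example combines them into a threshold rather than matching on any one of them.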