Business Email Compromise and Email Account Compromise Scams

As hard as it may be for the previous generation to remember and the current generation to imagine, once upon a time invoices were typed out or even written by hand and then mailed by merchants to customers. In response, customers wrote out checks or paid their banks to issue a cashier’s check, which they then mailed back to their suppliers. That was the process for everyone, from individuals to large corporations. Sounds rather primitive today, but back then there simply was no alternative to the postage stamp.

Computerization, automation, PayPal, smartphone apps, electronic payments, and email have rendered all that a thing of the past. And in so doing they created a niche for scammers that became known as business email compromise (BEC) or email account compromise (EAC) scams. BEC/EAC scams have grown exponentially over the years and are now regarded as something of a plague. One of the reasons why is that they’re relatively simple to initiate, they require very few advanced skills to operate and they can be hard to spot.

How Does a BEC/EAC Scam Work?

The scammer first does as much research as possible on two target companies: the prospective merchant and the prospective customer. That is not particularly difficult to do. Business and industry news sites regularly report sales of equipment by manufacturers to large corporations. If the scammer targets a small local merchant instead, he can simply visit in person and check out for himself what equipment the potential victim may be installing or what’s new on the shelf. But even that may be more than is necessary. Every business buys computers, installs Windows, and needs telephones and a PBX, fax machines, routers, and plenty of other communications equipment. Supermarkets need shopping carts. Oil refineries need pipes and storage tanks. Airlines need jet fuel. When such commodities are bought in bulk, a legitimate invoice easily reaches tens of thousands of dollars.

Sophisticated scammers use malware to break into the networks of billing departments and obtain lists of real customers. Those without access to such tooling can simply call whichever company they want to target, introduce themselves as a supplier, and ask who invoices should be sent to.

Once they have harvested that minimal amount of information, scammers spoof email invoices from the targeted merchant and send them to the targeted customers. Those fake invoices, of course, request electronic payment to accounts the scammers control, not the real bank accounts of the real suppliers. To lend an aura of legitimacy, the scammers may address a covering email to the corporate official who must approve the invoice, and send it in the name of an authentic contact. Even if, say, only one out of every 10 spoofed invoices is paid, that is still big money.

How Big a Problem Is It?  

According to statistics compiled by the Federal Bureau of Investigation (FBI), BEC/EAC scams targeting U.S. businesses netted $675 million in 2017. In 2018 losses reached an estimated $1.2 billion. But BEC/EAC scams are, of course, an international problem that can strike anywhere. Worldwide losses may now be somewhere between $3 billion and $5 billion.

And there is every reason to assume that this sum will continue to rise. That is because BEC/EAC scams are difficult to detect at first. After all, the emails that deliver these phony invoices tend to come from (compromised) legitimate accounts, which people naturally trust.

If you think you’ve been the victim of a BEC/EAC scam, contact the fund recovery experts at MyChargeBack