Business Email Compromise Scams and Email Account Compromise Scams

Business email compromise scams and email account compromise scams didn’t exist a generation ago.

As hard as it may be for the previous generation to remember and the current generation to imagine, once upon a time invoices were typed out or even written by hand and then mailed by merchants to customers. In response, customers wrote out checks or paid their banks to issue a cashier’s check, which they then mailed back to their suppliers. That was the process for everyone, from individuals to large corporations. Sounds rather primitive today, but back then there simply was no alternative to the postage stamp. Today, victims of business email compromise scams and email account compromise scams (BEC/EAC) may prefer the postage stamp.

Computerization, automation, PayPal, smartphones, payment apps, electronic payments, and email have rendered all that a thing of the past. And in so doing they created a niche for scammers that became known as business email compromise scams and email account compromise scams. BEC/EAC scams have grown exponentially over the years and are now regarded as something of a plague. One of the reasons why is that they’re relatively simple to initiate, they require very few advanced skills to operate and they can be hard to spot.

How Do Business Email Compromise and Email Account Compromise Scams Work?

The scammer first does as much research as possible on two target companies: the prospective merchant and the prospective customer. That’s not particularly difficult to do. Business and industry news sites regularly report sales of equipment by manufacturers to large corporations. If the scammer targets a small local merchant instead, he can simply visit in person and see for himself what equipment the potential victim may be installing or what’s new on the shelf. But even that may be beyond what’s necessary. Every business buys computers, installs Windows, and requires telephones and a PBX, routers, and plenty of other communications equipment. Supermarkets require shopping carts. Oil refineries require pipes and storage tanks. Airlines require jet fuel. When such commodities are bought in bulk, a legitimate invoice will easily reach tens of thousands of dollars, if not appreciably more.

Sophisticated scammers use malware to hack into the computer networks of billing departments in order to obtain lists of real customers. Those who don’t have access to such advanced technology can always call whatever employee they want to target, introduce themselves as a supplier and ask who they should send the invoice to.

Once they harvest that minimal amount of information, scammers will spoof email invoices from the targeted merchant and send them to the targeted customers. Of course, those fake invoices request payment electronically to accounts the scammers control, not the real bank accounts of the real suppliers. To lend an aura of legitimacy, the scammers may attach an email addressed to the corporate official who must approve the invoice, and they’ll send it in the name of an authentic contact. Even if, say, only one out of every 10 spoofed invoices is paid, that’s still big money. Business email compromise and email account compromise scams are a big business.
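The two tells described above, an invoice that arrives in the name of a known contact but from a lookalike or unregistered address, and one that asks for payment to an account the supplier has never used, can be checked mechanically before anyone approves payment. The following is an added example, not code from the original post or from MyChargeBack; the supplier register, addresses and account numbers are constructed placeholders.

```python
import email
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

# Constructed register of known suppliers (hypothetical values): the address each invoice
# normally comes from and the bank account that supplier has previously been paid to.
KNOWN_VENDORS = {
    "billing@acme-supply.example": {"name": "Acme Billing", "account": "US00ACME0001"},
}

# Constructed sample messages: a genuine invoice and a spoofed one from a lookalike domain.
LEGIT_MESSAGE = ("From: Acme Billing <billing@acme-supply.example>\n"
                 "Subject: Invoice 4470\n\nPlease remit to US00ACME0001.\n")
SPOOFED_MESSAGE = ("From: Acme Billing <billing@acme-supp1y.example>\n"
                   "Reply-To: pay@mailbox-hosting.example\n"
                   "Subject: Invoice 4471\n\nPlease remit to US00FRAUD9999.\n")

def _domain(addr: str) -> str:
    """Lower-cased domain part of an address header such as 'Name <user@host>'."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def assess_invoice(raw_message: str, invoice_account: str) -> list:
    """Return the red flags found for an invoice email; an empty list means none."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    warnings = []
    # A Reply-To on another domain quietly routes the payer's questions away from the real supplier.
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(reply_to) != _domain(sender):
        warnings.append(f"Reply-To domain {_domain(reply_to)} differs from sender domain {_domain(sender)}")
    vendor = KNOWN_VENDORS.get(sender)
    if vendor is None:
        # Unknown address: does it borrow a known contact's display name or a lookalike domain?
        for known, info in KNOWN_VENDORS.items():
            similar = SequenceMatcher(None, _domain(known), _domain(sender)).ratio() > 0.8
            if display_name.strip().lower() == info["name"].lower() or similar:
                warnings.append(f"sender {sender} imitates registered supplier {known}")
        warnings.append(f"sender {sender} is not a registered supplier")
    elif vendor["account"] != invoice_account:
        # The core of the scam: a genuine-looking invoice that redirects payment to a new account.
        warnings.append(f"payment account {invoice_account} differs from account on file {vendor['account']}")
    return warnings

if __name__ == "__main__":
    for flag in assess_invoice(SPOOFED_MESSAGE, "US00FRAUD9999"):
        print("WARNING:", flag)
```

Any non-empty result should hold the payment until the account is confirmed with the supplier over a channel other than the email itself.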

How Big of a Problem Is It?

Statistics compiled by the Federal Bureau of Investigation (FBI) show that business email compromise scams and email account compromise scams targeting U.S. businesses netted $675 million in 2017. In 2018 losses reached an estimated $1.2 billion, and in 2019 over $1.7 billion. The average loss per company was $72,000 in 2019. Moreover, the FBI’s Internet Crime Complaint Center (IC3) calculated that since 2013, total domestic and international losses to BEC/EAC scams were $26,201,775,589.

The threat posed by BEC/EAC scams is only getting worse. In the two-month period between April and May 2000, BEC/EAC scams increased by a whopping 200 percent. One such BEC/EAC scam alone netted $15 million. Another worrying sign of the phenomenon’s growth is that corporate ransomware payments jumped by 33 percent in the first quarter of 2000.

BEC/EAC scams, of course, are an international problem that has now struck at least 177 countries and has affected diverse industries and government agencies. In February 2020, for example, three employees of agencies of the government of Puerto Rico were suspended for negligence in transferring over $4 million to BEC/EAC scammers. In September 2019, the U.S. subsidiary of Nikkei, the largest financial media conglomerate in Japan, was similarly scammed out of $29 million. And earlier that year, a large Ohio church lost $1.75 million after email accounts belonging to two of its employees were hijacked.

One of the primary purveyors of BEC/EAC scams is a Russia-based outfit known as Cosmic Linx. It is demanding an average of $1.27 million per attack. The general assumption is that it is succeeding because it operates without interference from Russian authorities, who do not want to establish a precedent that would enable Western countries to bring Russian cybercriminals to justice in Western courts.

And there is every reason to assume that the monetary losses will continue to rise. That is because BEC/EAC scams are difficult to detect at first. After all, the emails that deliver these phony invoices tend to come from (compromised) legitimate accounts, which people naturally trust.

If you think you’ve been the victim of a BEC/EAC scam, contact the fund recovery experts at MyChargeBack.