Business Email Compromise

Business email compromise is simple to initiate and can be hard to spot.

As hard as it may be for the previous generation to remember and the current generation to imagine, once upon a time invoices were typed out or even written by hand and then mailed by merchants to customers. In response, customers wrote out checks or paid their banks to issue a cashier’s check, which they then mailed back to their suppliers. That was the process for everyone, from individuals to large corporations. Sounds rather primitive today, but back then there simply was no alternative to the postage stamp. Today, victims of business email compromise (BEC, also known as email account compromise, or EAC) may prefer the postage stamp.

What is business email compromise?

Computerization, automation, PayPal, smartphones, payment apps, electronic payments, and email have rendered all that a thing of the past. And in so doing they created a niche for criminals operating business email compromise scams. BEC scams have grown exponentially over the years and are now regarded as something of a plague. One of the reasons why is that they are relatively simple to initiate, require few advanced skills to operate, and can be hard to spot.

How Does Business Email Compromise Work?

The scammer first does as much research as possible on two target companies: the prospective merchant and the prospective customer. That’s not particularly difficult to do. Business and industry news sites regularly report sales of equipment by manufacturers to large corporations. If the scammer targets a small local merchant instead, he can simply visit in person and see for himself what equipment the potential victim may be installing or what’s new on the shelf. But even that may be beyond what’s necessary. Every business buys computers, installs Windows, and requires telephones and a PBX, routers, and plenty of other communications equipment. Supermarkets require shopping carts. Oil refineries require pipes and storage tanks. Airlines require jet fuel. When such commodities are bought in bulk, a legitimate invoice will easily reach tens of thousands of dollars, if not appreciably more.

Sophisticated scammers use malware to hack into the computer networks of billing departments in order to obtain lists of real customers. Those who don’t have access to such advanced technology can always call whatever employee they want to target, introduce themselves as a supplier and ask who they should send the invoice to.

Once they harvest that minimal amount of information, scammers will spoof email invoices from the targeted merchant and send them to the targeted customers. Of course, those fake invoices request payment electronically to accounts the scammers control, not the real bank accounts of the real suppliers. To lend an aura of legitimacy, the scammers may attach an email addressed to the corporate official who must approve the invoice. And they’ll send it in the name of an authentic contact. Even if, say, one out of every 10 spoofed invoices is paid, that’s still big money. Business email compromise scams are a big business.
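The two things the text says a spoofed invoice changes are the sender (a lookalike or unrelated domain behind a familiar display name) and the bank account the payment should go to. The following is an added example, not code from the original article or from MyChargeBack, showing how an accounts-payable team can check an incoming invoice against a vendor master file before paying it. The vendor records, domains, account numbers and invoice messages are constructed sample data.

```python
"""Added example (not from the original article): a defender-side check for
spoofed invoice emails.  Each invoice is compared against a vendor master:
the sender's domain must be one the vendor is known to use, and the bank
account on the invoice must match the account on file.  All vendor records,
domains, account numbers and message bodies below are constructed samples."""

from dataclasses import dataclass
from email.utils import parseaddr
import re


@dataclass
class VendorRecord:
    name: str
    domains: set          # email domains the vendor legitimately sends from
    bank_account: str     # account number held in the vendor master


@dataclass
class InvoiceEmail:
    from_header: str      # raw From: header, e.g. 'Acme Billing <ap@acme-supply.example>'
    vendor_name: str      # vendor the invoice claims to come from
    bank_account: str     # account number printed on the invoice
    body: str


# Constructed vendor master (hypothetical vendor, domain and account number).
VENDOR_MASTER = {
    "Acme Supply": VendorRecord("Acme Supply", {"acme-supply.example"}, "GB00-1111-2222"),
}


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_alike(domain: str, known: str) -> bool:
    """Crude lookalike test: identical once hyphens, digits and dots are stripped
    (acmesupply.example vs acme-supply.example), or the known label embedded in a
    longer domain (acme-supply.example.co)."""
    norm = lambda d: re.sub(r"[-\d.]", "", d)
    return domain != known and (norm(domain) == norm(known) or known.split(".")[0] in domain)


def check_invoice(inv: InvoiceEmail, master=VENDOR_MASTER) -> list:
    """Return a list of findings; an empty list means the invoice passed every check."""
    findings = []
    vendor = master.get(inv.vendor_name)
    if vendor is None:
        return ["unknown vendor: not in vendor master"]

    dom = sender_domain(inv.from_header)
    if dom not in vendor.domains:
        kind = "lookalike" if any(looks_alike(dom, k) for k in vendor.domains) else "foreign"
        findings.append(f"sender domain {dom!r} is {kind}; expected one of {sorted(vendor.domains)}")

    if inv.bank_account != vendor.bank_account:
        findings.append("bank account differs from vendor master; "
                        "confirm by phone on a number already on file")

    # Wording that announces new payment details is a classic BEC tell.
    if re.search(r"\b(new|updated|changed)\b.{0,40}\b(bank|account|wire)\b", inv.body, re.I):
        findings.append("body announces changed payment details")
    return findings


if __name__ == "__main__":
    # Constructed messages: one genuine, one spoofed.
    genuine = InvoiceEmail("Acme Supply AP <ap@acme-supply.example>", "Acme Supply",
                           "GB00-1111-2222", "Invoice 1042 attached.")
    spoofed = InvoiceEmail("Acme Billing <billing@acmesupply.example>", "Acme Supply",
                           "XX-9999", "Please note our new bank account for wire payments.")
    for inv in (genuine, spoofed):
        print(inv.from_header, "->", check_invoice(inv) or "OK")
```

The bank-account comparison is the check that matters most: a mismatch should block payment until someone confirms the change with the vendor on a phone number that was already on file, never on one supplied in the email itself. Note that the domain check alone will not catch the case described later on this page, where the invoice really does come from a compromised legitimate account.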

Business Email Compromise Losses

Statistics compiled by the Federal Bureau of Investigation (FBI) show that business email compromise losses in the U.S. netted $675 million in 2017. In 2018 business email compromise losses reached an estimated $1.2 billion, and in 2019 over $1.7 billion. The average loss per company was $72,000 in 2019. Moreover, the FBI’s Internet Crime Complaint Center (IC3) calculated that since 2013, total domestic and international business email compromise losses were $26,201,775,589.

The threat posed by BEC scams is only getting worse. In the two-month period between April and May 2000, BEC scams increased by a whopping 200 percent. One such BEC scam alone netted $15 million. Another worrying sign that demonstrates the phenomenon’s growth is that corporate ransomware payments jumped by 33 percent in the first quarter of 2000.

BEC scams, of course, are an international problem that has now struck at least 177 countries and has affected diverse industries and government agencies. In February 2020, for example, three employees of agencies of the government of Puerto Rico were suspended for negligence in transferring over $4 million to BEC scammers. In September 2019, the U.S. subsidiary of Nikkei, the largest financial media conglomerate in Japan, was similarly scammed out of $29 million. And earlier that year, a large Ohio church lost $1.75 million after email accounts belonging to two of its employees were hijacked.

One of the primary purveyors of BEC scams is a Russia-based outfit known as Cosmic Linx. It is demanding an average of $1.27 million per attack. The general assumption is that it is succeeding because it operates without interference from Russian authorities, who do not want to establish a precedent that would enable Western countries to bring Russian cybercriminals to justice in Western courts.

And there is every reason to assume that the monetary losses will continue to rise. That is because business email compromise is difficult to detect at first. After all, the emails that deliver these phony invoices tend to come from (compromised) legitimate accounts, which people naturally trust.

If you think you’ve been the victim of a BEC scam, contact the fund recovery experts at MyChargeBack