BEC attacks usually target businesses or individuals that perform legitimate transfer-of-funds requests. They involve compromising the official email accounts of high-ranking executives or suppliers through social engineering, phishing, or network intrusion. Once the criminals have access, they message the company’s accounting department requesting a large transfer of funds. As the emails come from official sources, the requests often raise no suspicion.
It’s not just fund transfers that the hackers target. Employees are sometimes asked to hand over their personally identifiable details, bank account numbers, wage/tax forms, or cryptocurrency wallets, which are then used for everything from theft to identity fraud.
The FBI warns that BEC scams are growing and evolving, targeting everything from small local businesses to larger corporations and personal transactions. The uptick in incidents over the last few years is being attributed to the pandemic and more people working from home, leading to more companies conducting business remotely. The schemes made $43 billion between 2016 and 2021, and last year saw a record amount of crypto-associated BEC losses: $40 million.
BEC scams have been reported in all 50 states and 170 countries. Most of the stolen funds are transferred to banks in Thailand and Hong Kong, with China, Mexico, and Singapore the next most popular locations.
The FBI advises people to turn on two-factor authentication for their email accounts to protect against BEC attacks. It also says to be wary of signs that an email may be a phishing scam (misspellings in web addresses, etc.), refrain from supplying login credentials or PII of any sort via email, and monitor financial accounts regularly for any irregularities.
Back in 2018, the US Justice Department announced the arrest of 74 people, 42 in the US and 29 in Nigeria, for being involved in BEC schemes. It resulted in the seizure of nearly $2.4 million and the recovery of approximately $14 million in fraudulent wire transfers.