Business E-mail Compromise Scams Cost Businesses Billions of Dollars

It’s a sophisticated scam that can result in quick, devastating losses for companies, and businesses in Utah, Idaho, and Montana are not immune.

In fact, complaints about business e-mail compromise, or BEC, come in weekly to the Salt Lake City Field Office, according to Special Agent Mark Roberts, who works on the cyber squad.

BEC scams involve the compromise of legitimate business e-mail accounts—often belonging to either the chief executive officer or the chief financial officer—for the purpose of conducting unauthorized wire transfers. After compromising a company’s e-mail account—usually through social engineering or malware—the criminals are then able to send wire transfer instructions using the victim’s e-mail or a spoofed e-mail account.

“The criminals will usually pose as someone high up in the company such as the CFO or CEO, and it almost always happens when that person is out of town,” Roberts said. BEC scams are a growing, significant cyber threat, one of several the FBI is highlighting in October, designated as National Cyber Security Awareness Month by the Department of Homeland Security.

BEC scams have been reported in all 50 states and 100 countries. According to the FBI’s Internet Crime Complaint Center (IC3), which has tracked BEC scams since 2013, there were 22,143 domestic and international victims with combined dollar losses of more than $3 billion.

“The payoff is so large compared to most online scams because they’re not targeting individuals, but medium-to-large companies,” Roberts said.

In most cases, the scammers compromise the legitimate business e-mail accounts through social engineering or malware and conduct reconnaissance to review the business’s legitimate e-mail communication and travel schedules.

“Companies need to be wary of requests from company individuals when they’re out of town,” Roberts said. “Those wire transfers need to be scrutinized and need to have a verification process.”

Roberts said businesses that have been victimized need to act quickly. They should call their financial institution immediately and report the crime to the FBI.