FBI: BEC now a $26 billion fraud, as HR payroll diversion attacks linked to same scammers

The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) estimates global ‘exposed dollar losses’ to business email compromise fraud has exceeded $26 billion in the past three years. 

The $26 billion in exposed dollar losses include both actual losses and attempted BEC fraud, which occurred over 166,349 incidents in the US and rest of the world. BEC scammers are targeting small, medium and large organizations, according to the FBI.  

Just last July the FBI declared BEC fraud a $12 billion scam reflecting worldwide exposed dollar losses between 2013 and May 2018. The agency estimated US BEC losses in 2018 alone reached $1.3 billion.  

The FBI notes that the scam has been reported in all 50 US states and 177 countries with funds transferred to accounts in at least 140 countries. 

Bank accounts in China and Hong Kong are still the main destination of fraudulent funds, however the FBI has seen an uptick in BEC fraud funds sent to the UK, Mexico and Turkey. 

US victims accounted for 69,384 of total number of reported incidents between October 2013 and July 2019 with exposed dollar losses of $10.1 billion over the period. 

There were 3,624 non-US victims in this period with exposed dollar losses totaling just over $1 billion. 

Between May 2018 and July 2019 identified global exposed losses doubled, according to the FBI, which says it was in part due to greater awareness of the fraud category and an increase in reports.

Besides high-value BEC fraud that impersonates CEOs, the FBI has seen a new category emerge around HR and payroll officers receiving emails that appear to come from employees requesting to update direct deposit details for the current pay period. 

The average loss reported in payroll diversion complaints was $7,904 and total losses between January 1, 2019 and June 30, 2019 was $8.3 million. While individual losses are relatively low compared to CEO fraud perpetrated against businesses by duping financial controllers, the FBI has tracked an 815% incense in the value of parole diversion losses in that year period.  

In this scam, phishing attackers email multiple employees with a spoofed log-in page for an email host, allowing the attackers to use credentials to send legitimate-looking direct deposit change requests. The victims pay is then directed to a criminal’s account, which is usually a prepaid card.

The FBI now classifies payroll diversion fraud as part of BEC fraud after it connected the same actors to both scam types.

“Payroll diversion schemes that include an intrusion event have been reported to the IC3 for several years. Only recently, however, have these schemes been directly connected to BEC actors through IC3 complaints,” IC3 notes. 

The FBI last September warned that phishing emails targeting employees login credentials were allowed cybercriminals to use the credentials to access the employee’s payroll account and change their bank account information.  At the time, email security firm Agari noted similar techniques in payroll diversion fraud to BEC fraud with an incentive to target employees with the highest monthly pay packets.   

The FBI recommends employees use two-factor authentication to verify requests to changes in account information, as well as undergo phishing awareness training so they're aware of URLs and links that misspell the correct domain name. 

It also advises employees to regularly check personal financial accounts for things like missing payments. Admins should also ensure employees computers allow full email extensions to be viewed as well as ensure that systems are up to date and patched. 

Australian small businesses losses to BEC fraud are also on the rise with this category of business losing 42% more to the fraud than for the whole of 2018, according to a recent report by the the Australian Competition and Consumer Commission.  

Read more: US charges Dridex banking trojan operators, offers $5m bounty

Tags two-factor authenticationBECbusiness email compromise (BEC) attacksfbi

Show Comments