BEC scams are a hugely popular cybercriminal vector. In this scam, the attackers pose as another person, generally speaking with some authority in the company—the boss, the CEO, or even a client—in order to trick an employee into making a fraudulent bank transfer. For cybercriminals, BEC scams are a hugely profitable business: they are relatively easy to carry out, and can generate large sums of money.

According to the Financial Crimes Enforcement Network (FinCEN), this cybercrime, along with the amount of money that it generates, increases every year. In fact, in its latest report, it reveals that, last year, the amount of money generated by this scam reached $301 million a month, or $3.6 billion per year.

A scam with a wide range of victims

Along with this data, the FinCEN report compiles other information about BEC scams, such as the kind of company that most often falls victim to this crime.

This year, the manufacturing and construction industries are the most common victims, with 25% of cases. 18% of victims are from the commercial services industry, while the percentage of victims from the financial sector has fallen from 16% to 9% this year.

Victims of BEC scams (Source: FinCEN)

One reason for this reduction could be the efforts made by financial institutions to reinforce their cybersecurity, along with the abundance of information available to make employees in this industry aware of the cyberthreats to which they are exposed.

Methods are changing

In 2017, the most popular tactic for cybercriminals to carry out BEC scams was to pose as the company CEO (33% of cases) to request illicit transfers, taking advantage of the fact that no one wants to say no to the CEO. However, in 2018 cybercriminals switched up their tactics; only 12% of cases opted for this method.

Last year, the most popular form of identity fraud was to pretend to be a client sending a false invoice. These false invoices made up 39% of cases. If we look at the amounts of money that were stolen, it is easy to see why this shift occurred. While the CEO fraud earned an average of $50,373, a fake invoice netted cybercriminals $125,439.

We saw an extreme example of this in Lithuania. A man managed to defraud $123 million from Google and Facebook by sending them fake invoices from a hardware vendor that he had invented.

Malware facilitates BEC scams

Although the instructions for how to send the money, along with the social engineering aspect of the attack, are carried out by email, malware is still an integral part of the game. The messages need to be believable and to come from real addresses, or at least addresses that seem real. To this end, cyberattackers employ spyware to steal sensitive information or credentials. This information is then used to create emails that are believable both in form and content, which can convince the victims that the request is legitimate.

What can we do to stop BEC scams?

As we’ve seen, these scams move a staggering amount of money. To avoid the vast economic losses that this kind of incident can cause in a company, it is important to follow a few tips.

The first is to adopt a Zero trust approach. This means not trusting anything that seems out of the ordinary. If you have even the slightest doubt about the legitimacy of an email, you must never reply and, most importantly, must never make a bank transfer. If you’re not sure, report it to the IT department.

This posture can also stop the company from being affected by spyware, which could be used to initiate a BEC scam. Attachments that come from unknown senders or within suspicious emails must never be opened.

It is also vital to protect the company’s network against any possible intrusion. Panda Adaptive Defense constantly monitors all activity on the network. This way, you can be sure that neither spyware nor any other kind of advanced threat will endanger your organization.

The amount of money that BEC scams shift has tripled since 2016, and this trend will doubtless continue to grow. For this reason, it is now more important than ever to make sure that you don’t become the next victim of this crime.