In 2017, BEC (business email compromise) scams were the most lucrative tactic used by cybercriminals, with losses of over 650 million dollars in the USA alone. And last year, this money making scam continued to grow relentlessly. According to the FBI’s IC3 (Internet Crime Complaint Center) report the losses caused by BEC reached $1.2 billion, almost double the previous year. Nevertheless, BEC scams were sixth on the list of crimes by number of victim. From this we can see that the sums transferred to the cybercriminals’ bank accounts are, generally speaking, large.
A church in the US: another victim of this scam
Towards the end of April this year, the catholic church of St. Ambrose in Brunswick, Ohio, reported that it had fallen victim to a million dollar BEC scam. This time, the cybercriminals made off with $1.75 million.
The parish is currently working with a construction company to restore the church. The FBI believes that hackers managed to trick the church into believing that the construction company had changed bank accounts; as a result, the church sent a large sum of money to this fraudulent account. The cybercriminals swiftly proceeded to transfer the money to a third account, “before anyone knew what had happened,” said Father Bob Stec.
According to Stec, the criminals managed to access two church employees’ email accounts to make the scam more believable. The church was made aware of the fraud when the construction company contacted them about two unpaid bills totaling $1.75 million.
The church is now working with the FBI and its insurer to try to recover the stolen funds.
Large companies can’t escape BEC scams either
It’s not just small organizations that can fall prey to this kind of scam. In March, a Lithuanian man pleaded guilty to having organized a scam in which Facebook and Google lost a total of $122 million.
The successful scam was based on a company set up in Latvia with the same name as a manufacturer of data center hardware used by the two tech giants. This way, the scammer tricked Facebook into transferring $99 million, and Google into transferring $23 million.
Evaldas Rimasauskas, the man behind the scam, now faces a maximum jail sentence of 50 years.
How to protect yourself against BEC scams
The case of Google and Facebook goes to show that even the most important tech companies in the world, which should, in theory, be aware of this kind of danger, can fall into the traps laid by cybercrime. It is therefore vital that organizations, regardless of their size, know how to identify a BEC scam.
The most important thing, given that we’re talking about operations related to the company finances, it’s of utmost importance to check as many times as necessary that the email and its sender are legitimate. This is why it’s always a good idea to use several channels, such as a phone call, to double check that the person we’re dealing with is real, and that the payment has been authorized by the company.
The two cases that we’ve seen have one thing in common: human error. The slightest slip-up can have irreparable consequences for a company. As such, a vital step is to make sure that all employees are aware of BEC scams and how they should act if they receive an email of this kind. As well as knowing how to identify this kind of email, they need to know the procedure to follow when it comes to notifying the cybersecurity department of an attack. This way, the cybersecurity team will be better prepared to mitigate the threat and to prevent other cases in the future.
In order to secure bank transfers, it is important to include two-factor authentication in the process. While this protection method is far from perfect, it does add another layer of security to an important process. Moreover, given that many of these emails contain malware, it’s vital to have an advanced cybersecurity solution on all the company’s computers. One that is able to detect any cyberthreats that could try to infringe on your company’s interests in real time, and take action against them.
It is clear that this kind of scam is not going to stop growing any time soon. This is why it is vital to do as much as possible to make sure your company is not the next victim.