An FBI operation carried out in the middle of June this year has managed to bring down an international criminal organization whose main activity was a type of scam known as Business Email Compromise (BEC). The operation, known as WireWire, led to 74 arrests in seven countries, and the retrieval of 16.2 million dollars.

These figures, which come from police action against a single organization, give us a clear indicator of the sheer economic volume being moved as a consequence of this type of scam. The mechanics of the scam involve using an email to trick an employee or director with access to the company finances into making a transfer into an account supposedly belonging to a client or provider, but that in fact belongs to the cybercriminals. Unlike “basic” spam, BEC scams use more sophisticated techniques, such as spear-phishing, social engineering, malware, or identity theft, to disguise the fraudulent nature of these emails.

The most lucrative crime of 2017

The FBI’s own annual figures show us that BEC scams are experiencing an unstoppable boom in terms of economic impact. According to the FBI’s latest Internet Crime Report (IC3), this criminal activity, along with Email Account Compromise (EAC) scams – similar in nature, but targeting personal email accounts – accounted for losses of over 676 million dollars just in the USA. This economic impact is almost double the more than 360 million dollars recorded in the 2016 version of the same report, and once more accounts for the highest economic impact of any crime committed in the country.

This means that, in spite of its success, Operation WireWire is just a drop in the ocean compared to the astonishing turnover that this kind of online scam generates.  The FBI’s latest IC3 report also serves to underline how, despite these unprecedented economic figures, only 15,690 reported cases have been recorded in the past year. This puts BEC and EAC scams tenth on the list of the number of cases per type of crime.  From this we can deduce that the amounts that are being transferred into cybercriminals’ bank accounts are generally very sizeable, which should set alarm bells ringing about how well disguised these fraudulent emails are.

How your company can tackle BEC scams

Now that we’ve found out more about the terrible threat that we’re facing, let’s have a look at the ways in which companies can tackle potential cases of BEC scams.   Given that we’re talking about operations related to the company finances, it’s of utmost importance to check as many times as necessary that the email and its sender are legitimate.   This is why it’s always a good idea to use other channels, such as a phone call, to double check that the person we’re dealing with is real, and that the payment has been authorized by the company.

This mechanism is an absolute must for everyone in the company. This means that it is important for employees to be aware of BEC scams and to know how to act when they receive an email like this.  Even the slightest human error can cause irreparable damage to the finances, reputation, and running of the company. As well as knowing how to detect possible scams, employees also need to know what procedure to follow when reporting potential attacks to the cybersecurity department. This department will be better prepared not only to mitigate the threat, but also to prevent possible cases in the future.

From a technical standpoint, it’s also vital to make sure that the process of making a bank transfer includes two factor authentication methods. Moreover, given that many of these emails contain malware, it’s vital to have an advanced cybersecurity solution on all the company’s computers. One that is able to detect BEC scams in real time and take action against them and any other cyberthreats that could try to infringe on your company’s interests. Our cyber security suite, Panda Adaptive Defense, uses cognitive intelligence to warn you of any attempted email scams that may be beyond human perception.  Although these scams are becoming more and more sophisticated, Panda Adaptive Defense is able to stay ahead of cybercriminals, helping you to avoid losses that could have serious consequences for your clients’ accounts.