Report: Average BEC Attacks per Month Increased by 120% From 2016 to 2018

The total amount cybercriminals attempted to steal via business email compromise (BEC) scams rose to an alarming average of US$301 million per month — a substantial increase from the US$110 million monthly average that was tracked in 2016. This is according to a report by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN). In addition, the number of suspicious activity reports involving BEC rose from roughly 500 per month in 2016 to over 1,000 in 2018. The report mirrors the Federal Bureau of Investigation’s (FBI) announcement that global accumulated losses due to BEC scams had already exceeded US$12 billion as of 2018, more than double the US$5.3 billion total reported in December 2016.

[READ: How Machine Learning in Security Solutions Can Help the Fight Against BEC]

Changing methods as awareness grows

As awareness of the scam grows, the methods used by BEC threat actors have also changed accordingly. The previously most prevalent technique used by scammers, impersonating the president or CEO of a company or CEO fraud, declined from 33% in 2017 to 12% in 2018. In contrast, the use of fake client invoices grew from 30% to 39% year-on-year from 2017 to 2018. BEC threat actors have also started impersonating individuals outside the organization, with such reports accounting for 20%. These typically involved a realtor representing a real estate transaction. Trend Micro has reported on how the real estate industry, where the exchange of funds between multiple parties is common, has become a hotspot for BEC scammers.

Targeted industries

According to FinCEN’s findings, manufacturing and construction was the top targeted industry for both 2017 and 2018, accounting for 20% of all tracked BEC attempts in 2017 and 25% in 2018. One possible reason for the large percentage of manufacturing and construction businesses being targeted by BEC attacks is that 33% of the companies in the industry have regular transactions with foreign suppliers, which often require wire transfer payments.

Commercial services, which include retail and restaurant businesses, had the most significant increase, rising from 6% in 2017 to 17% in 2018. On the other hand, financial services dropped from 16% to 9%. However, 50% of BEC scams targeting financial firms impersonated the CEO or president.

The type of industry targeted was also dependent on the region. For example, financial organizations were the primary targets in New York, while manufacturing and construction firms were on top in Texas.

[READ: The notable BEC attacks of 2018]

Defending against BEC attacks

One of the reasons why BEC remains a popular scam is that it doesn’t require sophisticated tools — social engineering and a convincing ruse can often be enough to trick even the most wary business executive.

To prevent companies from falling for BEC attacks, both company personnel and business partners must make a concerted effort to practice prudence as well as raise security awareness within the organization. These are some best practices to apply:

  • Fund transfer and payment requests, especially those that involve large amounts, should always be verified, preferably by contacting the supplier via a phone call and confirming the transaction. If possible, a secondary sign-off should also be done by someone higher up in the organization.
  • Look for red flags when it comes to business transactions. For example, a change in bank account information with no prior notice is a red flag and a possible sign of a BEC attempt.
  • BEC threat actors try to masquerade as a member of, or at least as an individual connected with, the organization. Employees should always scrutinize received emails for any suspicious elements — for example, the use of unusual domains or changes in email signatures.

Furthermore, enterprises can also consider using a security technology designed to fight against BEC scams, such as Writing Style DNA, which is used by Trend Micro Cloud App Security and ScanMail™ Suite for Microsoft® Exchange™. It can help detect email impersonation tactics used in BEC and similar scams. It uses artificial intelligence (AI) to recognize the DNA of a user’s writing style based on past emails and then compares it to suspected forgeries. The technology verifies the legitimacy of the email content’s writing style through a machine learning model that contains the legitimate email sender’s writing characteristics.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.