FBI, BBB Sound Another Business Email Compromise Alarm

Three Kenya-based online scammers are reportedly headed to sentencing after allegedly stealing $3 million from U.S. companies via the Business Email Compromise scam, reports in The East African said last week.

The U.S. Federal Bureau of Investigation (FBI) was deployed to Kenya to investigate the matter after accounts payable department professionals for Fairfax County, Virginia received an email claiming to be from Dell Computers, requesting that the county reroute pending payments to a different, Ohio-based account. At the time, reports said, the county was operating a computer supply deal for its schools, so county officials believed the email to be valid.

Between Aug. 8 and Sept. 10 last year, the county paid more than $1.3 million to that Ohio account via 28 payments.

When Fairfax County discovered it was being defrauded, the FBI launched Operation reWired to capture the online fraudsters. The FBI revealed earlier this month that the operation led to arrests and the seizure of millions of dollars.

“The FBI is working every day to disrupt and dismantle the criminal enterprises that target our businesses and our citizens,” said FBI Director Christopher Wray in a statement announcing the results of Operation reWired. “Through Operation reWired, we are sending a clear message to the criminals who orchestrate these Business Email Compromise schemes that ‘I will keep coming after you, no matter where you are.’”

“The effects of this crime are far-reaching, and the dollar amounts involved are staggering,” he added.

The FBI has been vocal in recent years about the growing threat and subsequent damages linked to the Business Email Compromise (BEC) scam, which targets accounts payable departments in an attempt to steal company cash. The Better Business Bureau has similarly issued warnings of the threat, recently publishing a paper, “Is That Email Really From ‘The Boss’? The Explosion Of Business Email Compromise Scams,” highlighting the cyberscam.

Below, PYMNTS breaks down the numbers from the FBI’s latest case, the BBB’s recent research, and other cases that spotlight the ever-growing threat of the BEC scam.

$3.7 million was seized by the FBI during Operation reWired, according to the FBI’s announcement. The operation also reportedly led to the recovery of about $118 million in fraudulent wire transfers linked to BEC scams. In all, 281 suspects were arrested from nine countries, including the U.S., while 167 of those arrests occurred in Nigeria.

Nearly $1.3 billion in losses have been reported related to BEC scams, the FBI noted, pointing to data from the Internet Crime Complaint Center, adding that nearly twice as many BEC-related complaints were filed in 2018 than in 2017.

80 percent of businesses have received at least one kind of BEC scam email last year, the BBB said in its latest report, noting that average BEC losses involving fraudulent wire transfers top $35,000. Organizations are also losing funds to fraudulent requests for gift cards, with the average gift card loss between $1,000 and $2,000.

90 percent of BEC scammers operate out of Nigeria, the BBB said, a timely finding considering the FBI’s recently announcement on its operations in the country. These crime rings often use free trials of lead generation services to obtain the email contacts of professionals within an organization as well as their job titles. They then create a fake email address that looks similar to a real professional’s to request funds. Other forms of the scam involve an infiltration of company email servers to identify potential transactions to exploit.

212 minutes: the average time it takes an organization to remediate an email phishing attack like the BEC, new data from Barracuda Networks said last week. In a blog post, the cybersecurity company warned that 11 percent of firms spend more than six hours investigating and remediating an attack. If a BEC scam is successful, however, a company can spend far longer attempting to recover funds, often an unsuccessful effort.