FinCEN: BEC Scams Tried to Siphon $9B Since 2016

BEC is gaining steam, accounting for billions of dollars in attempted (and successful) thefts across all manner of industries, FinCEN finds. Separately, in Lodi City, California, a BEC scam, and demand for bitcoin ransom, fizzled.

Business email compromise (BEC) scams are gaining traction, with fraudsters targeting billions of dollars in ill-gotten gains.

The Financial Crimes Enforcement Network (FinCEN), part of the US Department of the Treasury, has estimated that fraudsters have tried to steal as much as $9 billion through business email compromise attempts since 2016.

As reported by businessinsights.com, the agency has found more than 32,000 documented cases of BEC attempts during that timeframe. Averaged out, the BEC scams have tried to siphon off $8.7 million daily from companies and individual victims.

The tally means that monthly reports ran at a rate of more than 1,100 last year, up sharply from the fewer than 500 reports estimated by FinCEN as of 2016. Commercial services have seen the biggest spike, from 6 percent of reported incidents to as many as 18 percent last year. The manufacturing and construction segments have seen the highest percentage of BEC attempts, at 25 percent.

As has been widely reported, the scams take place when fraudsters impersonate company executives or vendors through emails or text messages, or with falsified documentation that attempts to trick victims into sending money to fraudsters’ bank accounts.

“BEC scam methods have evolved over time. For example, impersonating a CEO or other high-ranking business officer accounted for 33 percent of sampled incidents in 2017, declining to 12 percent in 2018, while impersonation of an outside entity was 20 percent of 2018 reports, from an unmeasured amount in 2017. Using fraudulent vendor or client invoices grew, from 30 percent of sampled 2017 incidents, to 39 percent in 2018,” according to FinCEN.

Targeting County Governments

In terms of individual scams, in North Carolina, The Charlotte Observer reported this week that a BEC ruse targeted $2.5 million in vendor payments from the Cabarrus County government, and that of that tally, $1.7 million remains missing.

As reported on the site, county officials said that the local government had intended to send those funds to a vendor based in Virginia — Branch and Associates, which is a general contractor tied to new school construction. The fraudsters posed as representatives of the company through manipulations that began last November.

“Legitimate requests to update bank account information are routine. In this case, the request to change Branch and Associates’ vendor banking information was made by conspirators. They provided county staff with new banking information, seemingly valid documentation and signed approvals. The conspirators then waited for the county to transfer the next vendor payment. After the funds were unknowingly deposited into the scammers’ account, they were diverted through multiple different accounts, the investigation revealed,” a press release said, according to the Observer.

Through a series of interactions with SunTrust bank, more than $776,000 of the $2.5 million that spanned accounts was frozen and subsequently paid to Branch & Associates.

Micky.com reported that hackers “crippled” phone lines and financial systems in Lodi City, California, over a period of a month, and demanded $400,000 in bitcoin. The ransomware came through an invoice delivered through BEC.

The virus that was delivered through the malicious communication hit city computers.

The city refused to pay the ransom of 75 bitcoins, and instead opted to rebuild its systems, according to reports.