Crossing Boundaries: The Expansive Threat of BEC
“For five years in a row, BEC is responsible for the most financial losses reported to the FBI. We have no reason to believe that 2021 will be any different.” - Agari, 2021
As the industry rebounds from a challenging year, new reports are clarifying the nature and scope of financial crime trends during the COVID-19 pandemic and the opportunities presented to fraudsters.
According to the Internet Crime Complaint Center (IC3), chief among the challenges during 2020 was Business Email Compromise (BEC) — a source of major losses since 2016 that persists as a growing threat with far-reaching implications. With domestic and international perpetrators threatening financial and reputational damage for institutions, it is essential to consider how BEC is evolving, and approaches to take decisive action.
BEC Behind Massive Losses
In their 2020 Internet Crime Report, the IC3 attributed over $1.8B in losses to BEC — the costliest scam to the American public that year, representing approximately 44% of all reported losses. The massive toll of BEC has been exacerbated by criminals deploying new typologies such as capital cost scams, cryptocurrency scams and payroll diversions, while migrating activities outside common countries of origin. According to Agari’s Cyber Intelligence Division (ACID), increased scrutiny from law enforcement has compelled criminals to launch BEC attacks from across the globe; they estimate that BEC actors are now located in 50 countries, with 25% being U.S.-based.
In one criminal case currently before the U.S. Attorney’s Office, authorities extradited and charged an individual for allegedly orchestrating a massive BEC effort spanning America, Africa and the Middle East, “alleging he conspired to launder hundreds of millions of dollars from business email compromise (BEC) frauds and other scams.”
Evolving Scam Tactics
BEC schemes are one of the most difficult cybercrimes we encounter as they typically involve a coordinated group of con artists scattered around the world who have experience with computer hacking and exploiting the international financial system.Nick Hanna, U.S. Attorney
According to ACID, the global reach of cybercrime is spreading as criminals grow increasingly sophisticated, as do their approaches to BEC. In an emerging and lucrative BEC tactic, fraudsters are now exploiting capital call investment payments, posing as representatives from a legitimate firm and requesting a fund transfer for investment commitments. If successful, losses can be significant, at an average of $809K.
Meanwhile, BEC schemes involving cryptocurrency are on the rise. Popularized by speed and anonymity, the IC3 observed a surge in cryptocurrency-related BEC in 2020 with losses estimated at over $10M.
The second half of 2020 also saw criminals return to a tried-and-true BEC approach — payroll diversion. Instances of fraudsters attempting to redirect salary payments increased significantly, by 333% from July-December 2020; with 57% of American employees distracted by working from home, “threat actors appear to be finding plentiful targets for a new wave of socially-engineered email threats that could cost companies plenty.”
Notorious BEC Group Returns
After a period of inactivity, the cybercriminal group Cosmic Lynx are once again launching BEC attacks. Notorious for high-value attempts against large, multinational companies with requests averaging a massive $1.27M, the group has returned with refined tactics and a tendency to leverage messaging around COVID-19 vaccinations. Since January 2021, ACID has detected 43 BEC campaigns associated with Cosmic Lynx targeting professionals in 19 countries.
Considerations for Financial Institutions
Wire and ACH transfers are often high value, and the funds may be impossible to recall once released to the Federal Reserve. Financial institutions need robust solutions to detect fraudulent activity and prevent loss in real time.
With Verafin’s ACH Fraud and Wire Fraud solutions, you can stop suspicious transactions in real time, before funds leave your institution. By analyzing wire and ACH payments made by customers at financial institutions across the Cloud, Verafin provides added confidence that receiving accounts have a trusted transaction history.
As criminals grow increasingly sophisticated and coordinated, it is critical to prepare for BEC and other fraudulent activities spanning multiple institutions. With Verafin’s cross-institutional 314(b)-related analytics and Information Sharing technology, you can engage in collaborative investigations with other institutions to detect and prevent fraudulent activity that would otherwise go undetected by a siloed system.
Keeping Pace with Change
BEC is a worldwide threat to financial institutions and customers, with significant potential for loss. As fraudsters refine their strategies and pursue increasing profits, responding with speed and confidence is crucial. With analytical agents leveraging the latest advancements in artificial intelligence and machine learning, and a customer-driven development process responding to the needs of your institution, Verafin can help you stay a step ahead of evolving BEC schemes.
To learn more about Verafin’s efficient and effective solutions to fight payments fraud, including BEC, request a custom demo tailored for your institution.