Business email compromise (BEC) scams rake in billions of dollars

By Randy Hutchinson

President of the BBB of the Mid-South

Reprinted from The Commercial Appeal

Nine members of a multi-state money laundering operation were indicted by the U.S. Department of Justice in Nashville in November; four were residents of Murfreesboro. They were charged with stealing more than $20 million in business email compromise (BEC) schemes and other Internet frauds beginning in 2016.

Around the same time, the Tennessee Bureau of Investigation charged an Alabama man with stealing more than $26 million in a BEC scheme. He and accomplices convinced employees of an unnamed Nashville organization to divert payments to a fraudulent account controlled by the crooks.

The FBI says “BEC is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests. The scam is frequently carried out when an individual compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds.”

In some cases, the crooks convince human resources employees to provide them with company employees’ personally identifiable information and W-2s.

An alert issued by the FBI in September called BEC “The $55 Billion Scam” after that amount in global exposed losses was reported from October 2013 to December 2023. “Exposed losses” include actual and attempted thefts. There were 158,436 reports in the U.S. and 305,033 globally. Reported losses increased 9 percent from December 2022 to December 2023.

Other recent BEC cases include:

  • Crooks stealing $208,000 in two transactions from the city of Plymouth, Connecticut, after compromising the email accounts of a vendor and sending fraudulent invoices to the city. The town’s Finance Director resigned because his department failed to authenticate the payments.
  • $13 million stolen from Minnesota health care companies after employees were tricked into funneling funds to an account controlled by the crooks rather than legitimate recipients.
  • The New Haven, Connecticut, school system losing $6 million when cybercriminals gained access to the COO’s email account, monitored conversations with vendors, and impersonated the COO to trick vendors into wiring money to fraudulent accounts. They were able to recover $3.6 million.

The FBI says real estate transactions are a prime target for BEC scams because of the amounts of money involved. A Silicon Valley tech executive was tricked into wiring her $398,360 down payment on a new house to a fraudulent account after crooks compromised her mortgage broker’s email account. She caught on to the scam and reported it quickly and eventually got her money back, but the house she wanted was sold to someone else.

The FBI and BBB offer these tips to companies to protect themselves and their customers from BEC scams:

  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Verify the email address used to send emails by ensuring the sender’s address appears to match who it’s coming from. Ensure a URL is legitimate.
  • Be alert to hyperlinks that contain misspellings of the actual domain name.
  • Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
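
The sender-address and misspelled-domain checks in the tips above can be partly automated for incoming mail. The following Python code is an added example, not from the FBI or BBB; the trusted-domain list, the sample addresses and the function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allowlist: domains the company actually does business with.
TRUSTED_DOMAINS = {"acme-supplies.example", "firstbank.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a From or Reply-To header."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()

def review_sender(from_header, reply_to=None,
                  trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    sender = domain_of(from_header)
    if sender not in trusted:
        # A domain within a couple of edits of a trusted one is a likely
        # misspelling meant to pass a quick glance.
        near = sorted(t for t in trusted
                      if 0 < edit_distance(sender, t) <= max_distance)
        if near:
            findings.append(f"lookalike of {near[0]}: {sender}")
        else:
            findings.append(f"unknown sender domain: {sender}")
    # Replies silently routed to a different domain deserve a second look.
    if reply_to and domain_of(reply_to) != sender:
        findings.append(f"Reply-To domain differs from From: {domain_of(reply_to)}")
    return findings
```

A flagged message is a prompt to verify the request through a secondary channel, not proof of fraud; a message from a genuinely compromised vendor account will pass these checks.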

If you discover a fraudulent transfer, time is of the essence. Contact your financial institution and request a recall of the funds along with any necessary indemnification documents. File a complaint with the FBI at www.ic3.gov as soon as possible. The FBI will assist the financial institution and law enforcement in possible recovery efforts.