If your boss sends you an email asking for a wire transfer, you should think twice. Hackers are using compromised corporate email accounts to steal more money than ever, according to new findings from a federal anti-money laundering watchdog.
Business email compromise scams, in which scammers impersonate corporate executives to request money transfers, cost organizations an average of $301 million every month last year, according to a report released Tuesday by the Financial Crimes Enforcement Network (FinCEN), a U.S. Department of the Treasury unit. The federal anti-money laundering watchdog said it received roughly 14,000 suspicious activity reports related to BEC scams last year, compared to about 6,000 in 2016.
The findings add more evidence to the notion that, despite more corporate training, stronger anti-phishing and anti-spoofing measures, and more security attention, thieves from around the world are continuing to siphon dollars from U.S. businesses of all sizes.
“BEC continues to be an attractive crime from criminal groups because of the high profit and low cost and risk for the perpetrators,” the report said.
The manufacturing and construction industries were the most targeted, researchers found, because of frequent interactions with worldwide partners and accessible client information. Those sectors represented 25 percent of all analyzed transactions in 2018, and 20 percent of transactions in 2017, according to the report.
Impersonating a CEO or other corporate executive accounted for 12 percent of all incidents last year, down from 33 percent the year before. Meanwhile, scammers’ reliance on fraudulent vendor or client invoices grew to 39 percent of sampled incidents, up from 30 percent in 2017.
U.S. companies lost $1.3 billion in 2018 due to business email compromise scams, according to an annual FBI report released in April. In one case last year, thieves defrauded two defense contractors and a university out of more than $150,000 through email scams, according to an FBI alert obtained by CyberScoop. By starting fraudulent lines of credit, they were able to buy expensive technical equipment in the names of the victim organizations and convince suppliers to process payments with fake purchase orders and credit documents.