Remember the so-called “Nigerian” email scams from a few years ago? You know, someone would email you asking for help releasing funds in exchange for a cut of the funds? Fortunately, those are yesterday’s news for the most part.
Unfortunately, business email compromise (BEC) scams—infinitely more sophisticated and effective—have replaced them. This type of corporate cybercrime has cost some 7,000 U.S. businesses nearly $750 million (as of August 2015).
A Very, Very Old Con
The scams so prevalent in the last couple of decades—dubbed the “Nigerian” letter scams (or 419 scams, for the section of the Nigerian criminal code the scam violates)—were fairly easy to identify. They were, in a word, amateurish…
U.S. soldiers don’t typically find stashes of $100 bills (U.S.) in Afghanistan and then email strangers to help them launder the money to get it back stateside. African “princes” don’t usually email strangers for a similar need.
“If you just provide me with your bank account number, I will transfer the money I got from [insert “a hole in the desert” or “the lottery” or “my inheritance” or whatever] into your account and give you 20 percent…”
Still, this con duped thousands of people out of billions of dollars over the years. Why? Because it’s a well-conceived scam with a long history of success.
Estimates put the origins of what is known as the Spanish Prisoner scam to somewhere around the end of the French Revolution. Con artists would send letters asking for money to bail out aristocrats in exile—for a reward, of course.
The scheme worked: “Of a hundred such letters” sent by French confidence tricksters, “twenty were always answered,” wrote Eugène Vidocq, the French criminal-turned-detective.
The con got its name a century later, when it was popularized in the United States during the Spanish-American War…
[Because it was a] detailed, daily presence in the pages of Pulitzer’s and Hearst’s newspapers, the war provided an ideal context for the story of a military man imprisoned in Spain with money concealed in the United States (say, a shipment of Cuban gold) that he could recover—with your help. Bolstered by current events folded into the story…the scam proliferated, and Spanish Prisoner syndicates on the East Coast did a brisk business.
A New Level of Sophistication
BEC scams are more sophisticated than the original Spanish Prisoner cons and much more sophisticated than the 419 letters.
They begin with social engineering (phishing) and/or computer intrusion. The scammers create dummy emails that mimic emails from respectable companies, either asking for information outright or carrying malware in a link or attachment that harvests it.
Scammers use the sensitive information they get through these techniques—such as bank information and email addresses—to perpetrate much more believable cons than the 419 ones. And more successful ones, too.
According to the FBI, the Nigerian letter scams cost individuals an average of $6,000; the BEC scams are taking individual companies for an average of $130,000.
From the FBI:
Not long ago, e-mail scams were fairly easy to spot. The Nigerian lottery and other fraud attempts that arrived in personal and business email inboxes were transparent in their amateurism. Now, the scammers’ methods are extremely sophisticated.
“They know how to perpetuate the scam without raising suspicions,” [FBI Special Agent Maxwell] Marker said. “They have excellent tradecraft, and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these e-mails having horrible grammar and being easily identified are largely behind us.”
So far, authorities have identified four versions of this scam. In all of these versions, scammers use the information they gather in their phishing expeditions very skillfully.
1—They’ll use the email account of an executive that they’ve hacked through malware and request that the company wire funds to a bank account for legitimate business purposes.
2—They’ll send a fake invoice from a third-party contractor with which the company already does business.
3—They’ll appropriate the email address of someone who sends out invoices for a company and use it to send fake invoices to other companies with which the hacked company does business.
4—They’ll pose as attorneys for a company and contact one of the company’s executives (via email or even phone) requesting funds—for an important, confidential or time-sensitive task.
How to Avoid BEC Scams
If you discover that your company is the victim of a BEC scam, you should contact your bank immediately and ask them to also contact the bank that received the money. You should also report the scam to the FBI’s Internet Crime Complaint Center (IC3).
The FBI also suggests taking the following actions:
- Create intrusion detection system rules that flag emails from domains similar to the company’s own. For example, if legitimate email comes from abc_company.com, a rule would flag fraudulent email from abc-company.com.
- Register all domains that are slightly different from the actual company domain.
- Verify changes in vendor payment location by adding additional two-factor authentication such as a secondary sign-off by company personnel.
- Confirm requests for transfers of funds. When using phone verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the email request.
- Know the habits of your customers, including the details of, reasons behind and amount of payments.
- Carefully scrutinize all email requests for transfer of funds to determine if the requests are out of the ordinary.
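The first of those suggestions, flagging mail from domains that resemble the company’s own, is the one that can be turned directly into a detection rule. The following is an added example, not code from the article or the FBI: it takes the article’s abc_company.com as the company domain, folds characters that are commonly swapped to build confusable domains (hyphen for underscore, 0 for o, rn for m), and then classifies a sender as internal, lookalike or external using edit distance, a TLD swap, or the company domain embedded as a leading label. The company domain, the confusable table and the sample From: headers are all constructed for illustration.

```python
"""Lookalike-sender check for inbound mail.

Added example illustrating the FBI suggestion to flag messages whose sender
domain resembles the company domain. Not from the original article; the
company domain, confusable table and sample headers are constructed.
"""

from email.utils import parseaddr

# Constructed placeholder, taken from the article's own illustration.
COMPANY_DOMAIN = "abc_company.com"

# Single-character swaps commonly used to build confusable domains (constructed list).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "_": "-"})


def normalize(domain: str) -> str:
    """Lower-case, drop a trailing dot and fold confusables so that
    'abc-c0mpany.com' and 'abc_company.com' compare as equal strings."""
    d = domain.lower().rstrip(".").translate(CONFUSABLES)
    # Two-character confusables that a single-character table cannot express.
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Domain part of a From: header such as 'CFO <cfo@abc_company.com>'; '' if none."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2]


def classify_sender(header_value: str, company_domain: str = COMPANY_DOMAIN,
                    max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for one From: header value.

    'lookalike' covers: the same domain after confusable folding, a TLD swap on
    the same base name, a small edit distance, or the company domain used as a
    leading label of a longer domain (abc_company.com.evil.example)."""
    dom = sender_domain(header_value)
    if not dom:
        return "external"
    if dom.lower() == company_domain.lower():
        return "internal"
    s, c = normalize(dom), normalize(company_domain)
    if s == c:
        return "lookalike"
    base_s, _, tld_s = s.rpartition(".")
    base_c, _, tld_c = c.rpartition(".")
    if base_s == base_c and tld_s != tld_c:
        return "lookalike"
    if s.startswith(c + "."):
        return "lookalike"
    if levenshtein(s, c) <= max_distance:
        return "lookalike"
    return "external"


def flag_messages(from_headers):
    """Return (index, header, verdict) for every header that is not plainly internal or external."""
    return [(i, h, v) for i, h in enumerate(from_headers)
            if (v := classify_sender(h)) == "lookalike"]


if __name__ == "__main__":
    # Constructed sample headers; none of these addresses is real.
    samples = [
        "CFO <cfo@abc_company.com>",
        "CFO <cfo@abc-company.com>",
        "Accounts <ap@abc-c0mpany.com>",
        "CFO <cfo@abc_cornpany.com>",
        "Legal <counsel@abc_company.com.evil.example>",
        "Vendor <billing@example.net>",
    ]
    for idx, header, verdict in flag_messages(samples):
        print(f"[{idx}] {verdict}: {header}")
```

In practice the check should run on the envelope sender and on `Reply-To` as well as `From`, since a forged display name over a legitimate-looking address is exactly the trick the FBI describes; the edit-distance threshold is a tuning knob, and two is generous enough to catch the hyphen and single-letter swaps in the article’s example without flagging unrelated vendors.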
No Simple 419 Scam
Business email compromise scams are a far cry from the Nigerian letters of recent years. They’re far better executed, nuanced and believable.
They’re also widespread. Reports of BEC scams have come from all 50 states and 79 countries worldwide. And, unfortunately, they’re on the rise. According to the IC3, the number of BEC victims has risen by 270 percent since the beginning of 2015.