(Newsroom America) -- The FBI Boston Division is warning of a dramatic rise in business e-mail compromise scams or BECs, which target businesses of all sizes and types and have resulted in massive financial losses in Boston and other cities.
Globally, since October 2013, more than $3.1 billion in actual and attempted losses have been reported.
In the Boston Division, approximately 370 victims from Massachusetts, Maine, New Hampshire and Rhode Island have reported losses totaling approximately $33 million.
Those losses range from $500 to $5.9 million, with the average loss per scam being $90,000. The division has successfully facilitated the return of approximately $13 million, with millions more frozen and in the process of being returned.
“The BEC scam is one of the fastest growing schemes we’ve seen over the past few years. The perpetrators leave a long wake of financial and emotional damage, stealing money from small businesses—leaving them unable to pay bills; and from families in the process of buying a home, all but erasing their dreams of home ownership,” said Harold H. Shaw, special agent in charge of the FBI Boston Division.
The scammers go to great lengths to spoof a company e-mail or use social engineering to assume the identity of the CEO, a trusted vendor, or a person in a position of authority within the company.
They research employees who manage money, use language specific to the company they are targeting, and then request a wire transfer to an account they control.
Common recipients of these e-mails are real estate agents, title companies, and attorneys in the midst of real estate transactions; bookkeepers; accountants; controllers; and chief financial officers.
The perpetrators of this fraud, believed to be members of international organized crime groups, primarily target businesses that work with foreign suppliers or regularly perform wire transfers, and they use domestic bank accounts to funnel money offshore. According to the Internet Crime Complaint Center (IC3), since the beginning of 2015, there has been a 1,300 percent increase in identified exposed losses. The scam has been reported by victims in all 50 states and in 100 countries.
The scammers' methods have become increasingly sophisticated. They'll spoof accounts with slight variations in domains (email@example.com vs. firstname.lastname@example.org); make them look similar to authentic accounts (email@example.com vs. firstname.lastname@example.org); mimic the real account using a spoofing tool that directs responses to a different e-mail account (the reply-to e-mail account can be seen in the extended header or by hovering a cursor over the shown e-mail address); and hack accounts.
Criminals also use malware to infiltrate company networks, gaining access to legitimate e-mail threads about billing and invoices. They then use that information to make sure the suspicions of an accountant or financial officer aren’t raised when a fraudulent wire transfer is requested.
Some individuals have reported being a victim of various cyber intrusions immediately preceding a BEC incident. These intrusions can be facilitated through a phishing scam in which a victim receives an e-mail from a seemingly legitimate source that contains a malicious link. The victim clicks on the link, and it downloads malware, giving the criminals unfettered access to the victim’s data, including passwords or financial account information.
The BEC scam is linked to other forms of fraud, including but not limited to romance, lottery, employment, and rental scams. The victims of these scams are usually based in the United States and may be recruited, unknowingly, to transfer money illegally on behalf of others.
If you or your company have been victimized by a BEC scam, it’s important to act quickly. Contact your financial institution immediately and request that they issue a “SWIFT recall.” For domestic transfers, ask your financial institution to send a “hold harmless” letter to the beneficiary bank.
Next, file a complaint with IC3, regardless of whether there is a dollar loss. Experience has shown that funds only remain in the initial beneficiary account for a few days before they are withdrawn or transferred to another account.
This is not always the case and the FBI may be able to pursue a criminal prosecution.