The Federal Bureau of Investigation (FBI) has issued a warning over cloud-based business email compromise (BEC) scams that have cost US companies more than $2bn.
BEC is a sophisticated scam targeting businesses that make electronic payments, such as wire transfers or automated clearing house (ACH) transfers. Typically, the scam begins with a threat actor breaching a legitimate business email account through social engineering or computer intrusion techniques.
After gaining access to a real email account, the threat actor can fraudulently acquire funds by emailing out phony invoices containing altered bank account details to a company’s vendors and suppliers.
In a statement released on April 6, the FBI said: “Cyber criminals are targeting organizations that use popular cloud-based email services to conduct Business Email Compromise (BEC) scams. The scams are initiated through specifically developed phish kits designed to mimic the cloud-based email services in order to compromise business email accounts and request or misdirect transfers of funds.”
The FBI revealed that between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling more than $2.1bn in actual losses from BEC scams using two popular cloud-based email services.
BEC scams have been reported in all 50 states and in 177 countries. Losses from BEC scams overall have increased every year since IC3 began tracking this particular type of crime in 2013.
The FBI said that the default configuration of cloud-based email services, as delivered when users first acquire them, could be making life easier for cyber-criminals looking to compromise a company's email account.
“While most cloud-based email services have security features that can help prevent BEC, many of these features must be manually configured and enabled. Users can better protect themselves from BEC by taking advantage of the full spectrum of protections that are available,” said the FBI.
The cost of building and maintaining robust cybersecurity means that small and medium-sized organizations, or those with limited IT resources, are most vulnerable to BEC scams. And one compromised business can have dire consequences for a whole industry.
The FBI said: “Cyber-criminals frequently access the address books of compromised accounts as a means to identify new targets to send phishing emails. As a result, a successful email account compromise at one business can pivot to multiple victims within an industry.”
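The pivot the FBI describes above, a compromised mailbox suddenly writing to many addresses harvested from its address book, leaves a pattern in outbound mail logs that defenders can watch for. The following is an added example, not code from the article or the FBI; it assumes a constructed log format of `timestamp,sender,recipient` and flags any sender that first-contacts at least `threshold` never-before-seen recipients inside a short window.

```python
"""Flag sudden recipient fan-out from a mailbox (possible BEC pivot).

Added example; not from the article or the FBI statement. It assumes a
constructed outbound-mail log whose lines are "ISO-timestamp,sender,recipient".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). alice@example.com has a quiet
# baseline, then on 2020-03-06 writes to six never-before-seen addresses
# within seconds, which is the fan-out pattern we want to surface.
SAMPLE_LOG = """\
2020-03-02T09:01:00,alice@example.com,bob@partner.example
2020-03-02T09:15:00,alice@example.com,carol@vendor.example
2020-03-03T10:00:00,alice@example.com,bob@partner.example
2020-03-05T11:02:00,alice@example.com,dan@supplier.example
2020-03-06T08:00:10,alice@example.com,new1@other.example
2020-03-06T08:00:11,alice@example.com,new2@other.example
2020-03-06T08:00:12,alice@example.com,new3@other.example
2020-03-06T08:00:13,alice@example.com,new4@other.example
2020-03-06T08:00:14,alice@example.com,new5@other.example
2020-03-06T08:00:15,alice@example.com,new6@other.example
2020-03-06T08:00:16,alice@example.com,bob@partner.example
2020-03-06T09:00:00,erin@example.com,frank@partner.example
"""


def parse_log(text):
    """Parse the constructed log into sorted (timestamp, sender, recipient) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, sender, rcpt = line.split(",")
        events.append((datetime.fromisoformat(ts), sender.lower(), rcpt.lower()))
    events.sort()
    return events


def detect_fanout(events, window=timedelta(minutes=10), threshold=5):
    """Return {sender: (window_start, max_new_recipients)} for senders that
    contacted at least `threshold` previously unseen recipients within `window`.

    Repeat recipients are ignored, so normal correspondence with known partners
    does not count toward the threshold; only first contacts do.
    """
    known = defaultdict(set)        # sender -> recipients already contacted
    recent_new = defaultdict(list)  # sender -> timestamps of recent first contacts
    alerts = {}
    for ts, sender, rcpt in events:
        if rcpt in known[sender]:
            continue                # an established contact, not a new one
        known[sender].add(rcpt)
        q = recent_new[sender]
        q.append(ts)
        while q and ts - q[0] > window:
            q.pop(0)                # drop first contacts outside the window
        if len(q) >= threshold:
            start, best = alerts.get(sender, (q[0], 0))
            alerts[sender] = (start, max(best, len(q)))
    return alerts


def run_example():
    """Run the detector over the constructed sample log."""
    return detect_fanout(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for sender, (start, count) in run_example().items():
        print(f"REVIEW: {sender} contacted {count} new recipients starting {start}")
```

This is a triage signal rather than a verdict: a legitimate newsletter or a new hire introducing themselves will also trip it, so the window and threshold should be tuned to the organisation's baseline and the alert correlated with sign-in anomalies (new location, new device, newly created forwarding rules) before anyone acts on it.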