Business Email Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses who regularly perform wire transfer payments. The Email Account Compromise (EAC) component of BEC targets individuals who perform wire transfer payments. The techniques used in both the BEC and EAC scams have become increasingly similar.
IC3 is said to begin tracking these scams as a single crime type in 2017. The scam is carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
Most victims report using wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment. The fraudsters will use the method most commonly associated with their victim’s normal business practices.
Fraudulent transfers have gone through accounts in many countries, with a large majority traveling through Asia. The scam began to evolve in 2013 when victims indicated the email accounts of Chief Executive Officers or Chief Financial Officers of targeted businesses were hacked or spoofed, and wire payments were requested to be sent to fraudulent locations.
BEC/EAC has continued to evolve, and in 2014 victim businesses reported having personal emails compromised and multiple fraudulent requests for payment sent to vendors identified from their contact list.
In 2015, victims reported being contacted by subjects posing as lawyers or law firms instructing them to make secret or time sensitive wire transfers. BECs may not always be associated with a request for transfer of funds. In 2016, the scam evolved to include the compromise of legitimate business email accounts and requests for Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees.
The BEC/EAC scam is linked to other forms of fraud, including but not limited to: romance, lottery, employment, and rental scams. The victims of these scams are usually U.S. based and may be recruited to illegally transfer money on behalf of others. In 2016, the IC3 received 12,005 BEC/EAC complaints with losses of over $360 million.