Business email compromise

From Wikipedia, the free encyclopedia

Business email compromise attacks are a form of cyber crime that uses email fraud against commercial, government and non-profit organizations to achieve a specific outcome which negatively impacts the target organization. Examples include invoice scams and spear-phishing spoof attacks designed to gather data for other criminal activities. Consumer privacy breaches often occur as a result of a business email compromise attack.

Typically an attack targets specific employee roles within an organization by sending a spoof email (or series of spoof emails) which fraudulently represents a senior colleague (CEO or similar) or a trusted customer.[1] The email issues instructions, such as approving payments or releasing client data. The emails often use social engineering to trick the victim into making money transfers to the bank account of the fraudster.[2]
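The impersonation pattern described above can be screened for at the mail gateway. The following is an added example, not code from the original article: it parses one message and reports the classic warning signs (an executive's display name on a foreign address, a lookalike sender domain, a Reply-To that diverges from the From domain, and payment or urgency wording). The executive list, the internal domain and the sample message are constructed, hypothetical values.

```python
import email
from email import policy
from email.utils import parseaddr
# Constructed, hypothetical values: own domain and executives keyed by lower-cased display name.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
PAYMENT_WORDS = ("wire", "transfer", "invoice", "payment", "urgent")

# Constructed sample resembling a CEO-impersonation payment request.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-example.net
Subject: Urgent wire transfer

Please process this urgent payment to the new supplier account today.
"""

def is_lookalike(domain, legit):
    """True when domain is one edit away from legit, e.g. examp1e.com vs example.com."""
    if domain == legit or abs(len(domain) - len(legit)) > 1:
        return False
    i = j = edits = 0
    while i < len(domain) and j < len(legit):
        if domain[i] == legit[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += len(domain) >= len(legit)  # advance the longer side (both on a substitution)
        j += len(legit) >= len(domain)
    return edits + (len(domain) - i) + (len(legit) - j) == 1

def bec_indicators(raw):
    """Return the BEC warning signs found in one RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    flags, key = [], name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        flags.append("display name matches an executive but the address does not")
    if is_lookalike(sender_domain, INTERNAL_DOMAIN):
        flags.append(f"sender domain {sender_domain} is a lookalike of {INTERNAL_DOMAIN}")
    if reply and reply.rpartition("@")[2].lower() != sender_domain:
        flags.append("Reply-To domain differs from From domain")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(w in text for w in PAYMENT_WORDS):
        flags.append("payment or urgency language in body")
    return flags
```

Run `bec_indicators(SAMPLE)` to see all four indicators fire on the constructed message; a genuine internal note from the same executive returns an empty list.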

The worldwide financial impact is large, with the United States' Federal Bureau of Investigation in 2017 reporting losses "...now totaling over $3 billion".[3]

From 2016 to 2018, business email compromise attacks netted attackers over $5 billion. By 2020 there are expected to be 20 billion connected Internet of things devices, making it easier for adversaries to successfully carry out ransomware attacks, including business email compromise.[4]

Incidents

  • Dublin Zoo lost €130,000 in such a scam in 2017 - a total of €500,000 was taken, though most was recovered.[5]
  • The Austrian aerospace firm FACC AG was defrauded of 42 million euros ($47 million) through an attack in February 2016 - and subsequently fired both the CFO and CEO.[6]
  • Te Wananga o Aotearoa in New Zealand was defrauded of $120,000 (NZD).[7]
  • The New Zealand Fire Service was scammed out of $52,000 in 2015.[8]
  • Ubiquiti Networks lost $46.7 million through such a scam in 2015.[9]
  • Save the Children USA was the victim of a $1 million cyberscam in 2017.[10]
  • Australian organisations that reported business email compromise attacks on the Australian Competition and Consumer Commission suffered approximately $2,800,000 (AUD) in financial losses for the 2018 year.[11]
  • In 2013, Evaldas Rimasauskas and his employees sent thousands of fraudulent emails to gain access to companies' email systems.[12]

References

  1. Joan Goodchild (20 June 2018). "How to Recognize a Business Email Compromise Attack". Security Intelligence. Retrieved 11 March 2019.
  2. "Tips to Avoid Phishing Attacks and Social Engineering". www.bankinfosecurity.com. Retrieved 17 November 2020.
  3. "Business E-Mail Compromise". FBI. Retrieved 20 December 2018.
  4. Uzialko, Adam (14 June 2018). "19 Small Business Trends and Predictions for 2018" (PDF). Business News Daily. Retrieved 24 February 2019.
  5. https://www.irishexaminer.com/ireland/dublin-zoo-lost-500k-after-falling-victim-to-cyber-scam-464818.html
  6. "Austria's FACC, hit by cyber fraud, fires CEO". Reuters. 26 May 2016. Retrieved 20 December 2018.
  7. "Te Wananga o Aotearoa caught up in $120k financial scam". NZ Herald. Retrieved 20 December 2018.
  8. "Fire Service scammed out of $52,000". RNZ News. 23 December 2015. Retrieved 20 December 2018.
  9. Hackett, Robert (10 August 2015). "Fraudsters duped this company into handing over $40 million". Fortune magazine. Retrieved 20 December 2018.
  10. Wallack, Todd (13 December 2018). "Hackers fooled Save the Children into sending $1 million to a phony account". The Boston Globe. Retrieved 20 December 2018.
  11. Powell, Dominic (27 November 2018). "Business loses $300,000 to 'spoofed' email scam: How to protect yourself from being impersonated". Smart Company. Retrieved 14 December 2018.
  12. "Sentence in BEC Scheme". Federal Bureau of Investigation. Retrieved 1 February 2020.