Business email compromise (BEC) is a scam in which attackers gain access to a business email account and use it to trick people into wiring money to accounts the criminals control. The FBI has found that the amount stolen in BEC scams towers over the amount stolen in ransomware attacks, even though ransomware attacks are more prominent and disruptive.
Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI, presented his findings on June 6 at the RSA Conference in San Francisco. As ransomware becomes riskier or less profitable, sophisticated scammers may start to tap the lucrative BEC space, he told Wired.
Hassold noted that he had seen signs that ransomware actors are, at the very least, learning about BEC. “It’s possible that these two threats on opposite sides of the cybercrime spectrum will converge in the future—and we need to be ready for that,” Hassold said.
According to a recent FBI report, BEC scams cost victims nearly $2.4 billion in 2021.
“The scheme has evolved from simple hacking or spoofing of business and personal email accounts and a request to send wire payments to fraudulent bank accounts,” the report says. “Now, fraudsters are using virtual meeting platforms to hack emails and spoof business leaders’ credentials to initiate the fraudulent wire transfers. These fraudulent wire transfers are often immediately transferred to cryptocurrency wallets and quickly dispersed, making recovery efforts more difficult.”
A $1.4 million theft from the city of Portland, Ore., appears to be a recent example of a BEC scam, as StateScoop notes.
As BankInfoSecurity reports, police in Nigeria recently arrested a 37-year-old man, charged with spearheading major BEC campaigns.