Two major cyberattacks have siphoned over $50 million and nearly $80 million from the Belgian bank Crelan and the Austrian aircraft parts manufacturer FACC, respectively.
Official statements released by both firms this month were light on detail but indicated that they had fallen victim to a scam known as Business Email Compromise (BEC).
The common denominator is that criminals trick a company’s financial department into sending money to another bank account – and the key step in the scam is the compromising of an email account.
The BEC scam comes in several flavors. For example, the crooks might use information they have stolen from emails coming into an email account they are monitoring, in order to redirect a legitimate payment to their own bank account.
Or they fake an email message so that it appears to come from a top executive who has the power to issue payment orders, in order to trick staff at the company’s financial department into transferring funds.
Regardless of its flavor, the BEC scam is a serious and global threat, according to the US police and the FBI.
“It’s a prime example of organized crime groups engaging in large-scale, computer-enabled fraud, and the losses are staggering,” reads an FBI alert dated August 27th, 2015. “Companies should make themselves aware of it and take measures to avoid becoming victims.”
Statistics from the Internet Crime Complaint Center (IC3), a division of the FBI, show that since late 2013, when IC3 began tracking BEC scams, more than 7,000 US companies have been targeted, with total losses exceeding $740 million. That doesn’t include victims outside the US, or unreported losses. Globally, losses exceed $1.2 billion.
While the FBI’s data show that over two-thirds of losses affected US companies, the recent attacks remind us that the BEC scam is a global threat to companies’ finances.
by Peter Stancik, ESET