Lila Kee is the General Manager for GlobalSign’s North and South American operations, as well as the company’s Chief Product Officer.
More than ever, organizations are paying greater attention to business email compromise (BEC) attacks, which the FBI says has become a $51 billion threat. Unlike ransomware, one of the unique features of a BEC scam is that it does not rely on cryptocurrency, so it’s easier for an attacker to implement. Interestingly, recent data from Coveware indicates fewer ransomware victims are willing to pay attackers.
Knowing that hackers will be seeking a better source of income (because of course), it is very possible these two converging trends may create a “perfect storm,” resulting in a big spike in BEC attacks, especially for one particular market.
In a June 2023 update, the FBI shared some interesting insights. Among the most intriguing include the U.S. Internet Crime Complaint Center (IC3) noting an increase in identified global exposed losses of 17% between 2021 and 2022, and the IC3 tracking growth in BEC reporting with an increasing focus on real estate where funds are transferred to a cryptocurrency exchange.
Also notable are that banks in Hong Kong, China, the United Kingdom, Mexico and Singapore were the most frequent destinations of international funds, and the estimated domestic and international exposed dollar loss was just shy of $51 billion.
What’s Behind The Growth
It turns out that 2018 was actually a strong year for BEC attacks in the real estate sector. Then it slowed down until 2021 when it began making a comeback.
Known real estate BEC scams cover a broad array of targets: buyers and sellers, attorneys, title companies and agents. The way these attacks work is cyber criminals infiltrate the email account of someone involved in a real estate transaction. From that point, a hacker can monitor the activity and is able to request a change in payment type, generally from a check to a wire transfer. Or a request could be made to switch from one bank account to another, one that—surprise, surprise—is controlled by the hacker.
The FBI says based on IC3 victim complaint data that these attacks are still happening. Between 2020 and 2022, there was a 27% increase in real estate-related reports. At the same time, there was more than a 70% increase in victim loss related to real estate. The IC3 suggests that this figure specifically may be tied to the “rise in real estate costs over the last several years.”
The Growing Concern Behind BEC Attacks
There are many instances of these attacks happening today. In February, for example, Europol dismantled a cyber gang connected to a $40 million BEC scam that targeted a Parisian real estate developer. Impersonating lawyers, the gang members requested a large sum of money to be transferred, ultimately persuading millions of Euros to be transferred abroad.
Ultimately, the company was defrauded of nearly 38 million euros (over $40 million) in just days as a result of the fraudsters pretending to work for a well-known French accounting company. Fortunately, with the help of officials from numerous countries, the gang was brought to justice.
Just a month later, a fraudster attempted to siphon more than $36 million from an unnamed commercial real estate company. The incident involved a threat actor who emailed an escrow officer, their client and a commercial real estate company. The email included a false company letterhead and was convincing enough to make recipients believe it was coming from the senior vice president and general counsel of a trusted partner.
Fortunately, the attack was halted due to three factors: a flaw in a domain name, behavioral artificial intelligence (AI) and an advanced modeling system. While AI may have its detractors, it discovered the signs of fraud, such as confusing wiring instructions or a minor tweak in the sender domain from “.com” to “.cam”—something not everyone may notice. This is why it is so important to closely inspect your emails.
Avoiding A BEC Attack
Implementing secure email solutions, regular staff cybersecurity training and vigilance around monitoring of unexpected or suspicious behavior and requests can help prevent this increasing problem.
If you don’t already do so, one of the first things your organization should do is utilize multifactor authentication (MFA) with biometrics and strong password management. You should also be certain about the email address of a sender and that it is legitimate. Forwarding an email can reveal the true email address.
When it comes to financial transactions, be sure to enforce a standard protocol for confirming wire transfers or sensitive data requests using a face-to-face method or phone calls to known numbers, not phone numbers listed within the email. Taking these critical steps could make the difference between being the victim or the victor of these attacks.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
Read the full article here