The FBI tracks what it calls Business Email Compromise (BEC). It typically starts with a phishing email and targets high-level business leaders. Using social engineering or stolen credentials, cyber-criminals use legitimate email accounts to trick people into making wire transfers.
They also target company records, wage and tax statements, and medical records. They use the information to con other individuals, file false tax returns, and sell Personally Identifiable Information (PII) used to commit health insurance fraud.
More than 26,000 victims of phishing scams were reported in 2018, including victims of what’s known as payroll diversion. Cybercriminals used phishing emails to trick employees into giving them their login credentials. The crooks used these stolen credentials to access employees’ payroll accounts and change direct deposit information. Paychecks were diverted to accounts controlled by the criminals. Often, payroll was sent to an untraceable prepaid credit card.
The 12 Billion Dollar Scam
Call it the 12 Billion Dollar Scam. That’s how much money the FBI estimates has been stolen in the past five years due to phishing and BEC. In 2018 alone, more than $1.2 billion in losses was reported.
The FBI’s Internet Crime Complaint Center reports a startling rise in these types of phishing attacks. Phishing scams have increased more than 136 percent over the past two years. Phishing attacks have been reported in all 50 states. Investigators have traced stolen funds to China, Hong Kong, Mexico, Turkey, and the United Kingdom.
Even some of the world’s biggest tech companies have fallen victim. Evaldas Rimasauskas recently pleaded guilty to wire fraud after initiating a phishing scheme targeting execs at Facebook and Google. He’s facing 30 years in jail after bilking the two tech giants out of more than $100 million.
For companies that get hit, the money that is stolen is just part of the loss. They have to spend more money to repair the damage, contact individuals that have had records compromised, and sometimes pay fines or face class-action suits.
Even if organizations didn’t fall victim to wire fraud by paying money to fraudulent accounts, phishing scams have led to significant data breaches. Equifax, one of the world’s largest credit reporting agencies, suffered a data breach affecting 148 million Americans. The costs to recover could exceed $700 million, including $300 million to fund credit monitoring for those affected.
These cyber crooks are crafty. When the class-action suits were launched against Equifax, criminals spoofed the legal websites and sent phishing emails soliciting people to join the class action suit. Many people became victims a second time when they entered personal information into fake settlement websites.
The High Cost of a Phishing Attack
Phishing attacks are costly for a business of any size. In 2018, the average cost to recover from a breach was $3.9 million. It can force companies to spend money for years to repair the damage to their systems, their customers, and their reputation.
When small to medium-sized businesses are the targets, the dollars may be less, but the damage is often greater.
6 out of 10 small and mid-sized businesses that fall victim close their doors within six months of the attack being discovered.
Most Common Phishing Scams
There’s no shortage of tricks the scammers will use.
In a whaling attack, criminals impersonate C-level executives and encourage employees to provide them with confidential information or transfer money. CEO fraud often takes the form of a targeted phishing attack on C-level executives to steal their identities. Crooks then use the boss’s actual email account to scam others.