by Michael Borgia, Dsu-Wei Yuen, Andrew Lorentz, and Michael Buckalew
From left to right: Michael Borgia, Dsu-Wei Yuen, and Andy Lorentz (Photos courtesy of Davis Wright Tremaine LLP)
While ransomware attacks usually grab the headlines, business email compromise (BEC) attacks continue to cause massive financial losses for businesses. The FBI’s Internet Crime Complaint Center (IC3), reported BEC losses in the United States of nearly $2.4 billion in 2021.[1] And the problem grew worse during the COVID-19 pandemic: losses from BECs increased 65 percent globally from July 2019 to December 2021.[2]
BECs typically involve a variety of social engineering techniques (for example, domain spoofing) to obtain credentials for a corporate email account. Once inside the email account, attackers typically search for discussions of upcoming vendor payments or other financial transactions and trick victims into transferring funds to an attacker-controlled bank account, instead of the account of the legitimate recipient. A very common type of BEC involves an attacker posing as a company’s vendor and emailing “updated” bank account details for electronic payment of the vendor’s invoices. While these misdirected funds sometimes can be recovered through quick reporting to the involved financial institutions and law enforcement, recovery efforts often are difficult. Attackers promptly disperse the funds by transferring them to multiple foreign bank accounts or converting them to cryptocurrency and transferring them to multiple wallets.