Over the past three years, the "business email compromise" has become one of the most common, vexing, and financially injurious forms of cybercrime. On any given day, companies around the world and across industry sectors are finding themselves the victim, the pawn or both in cybercrime schemes that have resulted in billions of dollars in losses. Beyond significant financial loss, being targeted in these schemes carries increasing regulatory and reputational risk, as well as civil liability.
Business email compromises exploit social engineering to commit fraud
Business email compromise (BEC) schemes are at once simple and sophisticated. First, the perpetrator targets specific individuals within organizations, using social engineering techniques to gather information (often social media and company/professional data). Second, the perpetrator uses a spoofed or hacked email account and the information gathered through social engineering and the hacked account contents to fraudulently induce the targeted individuals into transferring money or sensitive data to unintended parties. A company may be the target of the fraudulent scheme, or its employee email accounts may be hacked and then utilized to target third parties (often business partners and customers). The ultimate goal is the theft of money or nearly any type of sensitive data.
Common varieties of BECs include emails sent from spoofed or hacked accounts of company executives or business partners or service providers. Perhaps the most common scheme involves a bad actor posing as a company executive, business partner or service provider and using the spoofed or hacked email account to trick the email recipients into initiating wire transfers to financial accounts that are under the control of the bad actors. Other types of data that are targeted include employee personal and tax information, intellectual property, account credentials, and other forms of sensitive business information.
BECs have exploded in volume, frequency and financial loss across industry sectors
BECs continue to be among the most successful and quickly escalating forms of computer-facilitated financial fraud. The Financial Crimes Enforcement Network (FinCEN) recently issued the latest government advisory report on the topic, noting that BEC attacks have climbed from just under 500 reports per month (averaging $110 million in attempted BEC thefts) in 2016, to over 1,100 monthly reports (averaging over $300 million monthly in total attempted BEC thefts) in 2018. Since 2016, FinCEN has received over 32,000 reports involving almost $9 billion in attempted theft from BEC fraud schemes affecting US financial institutions and their customers. The top three sectors targeted for BECs are manufacturing and construction; commercial services (professional services, retail, hospitality, education); and real estate.
The FinCEN report comes a year after a July 2018 FBI Public Service Announcement detailing how global losses due to BEC scams increased by 136 percent between 2016 and 2018. Since October 2013, the FBI has tracked more than 78,000 BECs, totaling more than $12.5 billion in fraud losses. These figures are likely just a fraction of the actual overall numbers. The FBI's 2018 Internet Crime Report tracked over 20,000 complaints of BECs and $1.2 billion in losses in the United States alone last year.
Regulatory scrutiny and litigation risk grow
The company that suffers a BEC can be both a victim of the crime and a target of regulators and civil litigants. In October 2018, for example, the SEC released a "Report of Investigation" calling for public companies to re-assess their internal accounting controls "in light of emerging risks, including risks arising from cyber-related frauds." The Report followed the SEC's investigation into whether nine public companies violated US securities laws "by failing to have sufficient accounting controls" to prevent approximately $100 million in losses as a result of BECs.
Despite declining to pursue enforcement actions, the SEC emphasized its recent cybersecurity guidance, advising public companies that "[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with federal securities laws." Given the SEC's attention to this issue, it can also be expected that public companies that lack such policies and procedures also could find themselves facing both private securities fraud and derivative lawsuits.
BECs are increasingly preceded by a network intrusion, which allows a bad actor to take control of a given email or company network account to target that company or a third party for financial fraud and data theft. In addition to weaponizing the compromised user account, a bad actor also may compromise sensitive, legally protected information accessible through the account. This could trigger obligations and liability under private contracts or data security and data breach notification laws. Moreover, it is increasingly common to see litigation between the companies involved in a BEC over which one is liable for network intrusions, lost funds transferred to criminals, and compromised sensitive data.
Preventing and responding to BECs
Every organization should develop and execute a multi-pronged strategy for preventing and responding to a business email compromise. When a BEC occurs, a company must act very quickly to recover lost funds, prevent further losses, contain any network compromise, and prepare for potential regulatory inquiry and civil litigation. A victim's quick coordination with federal law enforcement and relevant banks can result in the recovery of funds. During 2018, the FBI's Recovery Asset Team recovered 75 percent of the BEC losses reported to it within 48 hours of the wire transfer ($192 million). Each company involved in a BEC (ie, both the company suffering the financial loss and the company whose compromised account was weaponized to facilitate the fraud) must conduct a thorough, legally privileged internal investigation to understand the full scope of any unauthorized activity, as well as its rights and potential liabilities.
For more information about proactive and reactive steps for preventing and responding to business email compromises, please contact the authors or your primary DLA Piper attorney.