It was just before Christmas last year when Robin received an email from the CEO at her consulting company in North Carolina. The email said he was out of town — which he was — and that she should buy gift cards for corporate holiday presents. The email also instructed her to email the information off the back of each card.
Robin did what any good employee would do — she bought the gift cards (using her corporate credit card) and emailed the card numbers and PINs, as instructed.
Later that day, Robin discovered the request to buy those gift cards was not from her boss; it was from hackers who had “spoofed” his email. Robin had emailed the card information to the scammers, who quickly drained the $10,000 that she had loaded on them.
“I was so upset that I just burst into tears and called my mom, even though I’m almost 35 years old,” Robin told NBC News BETTER.
To make matters worse, her company said she was responsible to eat the loss. It took her months to convince the credit card company to help. Robin, who asked that we not use her full name, had fallen victim to a Business Email Compromise (BEC) scam.
A new investigative report from the Better Business Bureau calls BEC a “serious and growing” problem that has tripled over the last three years , resulting in more losses than any other type of fraud in the U.S.
Total reported losses to BEC scams in the U.S. during the last three years topped $3.5 billion, according to a September alert from the FBI’s Internet Crime Complaint Center (IC3). However, the scammers attempted to steal another $26 billion domestically and internationally, based on complaints.
So, why don’t we hear more about this?
“Businesses don’t want to talk about it; they’re embarrassed and don’t want to look vulnerable,” said Steve Baker, the Better Business Bureau’s international investigations specialist, who wrote the BBB report. “But ask just about any organization and they’ll probably tell you they’ve received an email attempting some version of this fraud.”
Why do BEC scams fool so many people?
Fraud experts say it’s because employees are bombarded with email at work, and we assume email is sent by the person in the “from” line. Also, successful BEC scammers do their homework to get the details right.
“The criminals in these cases typically do quite a bit of reconnaissance to make sure that they can make their particular pretext seem believable,” said Herb Stapleton, a section chief within the FBI's Cyber Division. “They'll know the names or email addresses of key people within a company, and that allows them to make that information more believable.”
A family of scams
BEC scams describes a family of schemes that have different storylines, but all involve some form of email deception.
“They use a bunch of techniques, but most of them are just high-pressure, high-stress tactics to make this person send the money,” said John Kuhn, senior threat researcher with IBM X-Force Iris.
Here are a two of the most common BEC scenarios targeted at employees:
1. Bogus requests to send money
The crooks send an email designed to look like it’s from the CEO to the CFO or someone authorized to make wire transfers. It instructs them to handle an “urgent matter” by making an immediate payment. To discourage checking back with the CEO, the bogus email states that they are out of the office or tied up in meetings and can’t be reached.
2. Phony vendor change of payment instructions
In this scenario, the phony email appears to come from a known contractor or vendor who claims to have changed bank accounts. It requests future bill payments be sent to the new account, one that’s controlled by the criminals. If successful, the fraudsters could receive payments for months before the scam is discovered.
Thirty percent of all BEC scams last year involved fraudulent vendors or client invoices, according to a recent report by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN).
To guard against these two types of BEC fraud, companies must establish procedures that make it clear: Wire transfers cannot be made, payment accounts cannot be changed, and large purchases cannot be made without double-checking by phone that the request — even from senior management — is legitimate.
“Don't text them, if you received this message by text; don't e-mail them, if you receive this message by email because a hacker might have control of that,” explained Amy Nofziger, director of fraud victim support at AARP. “Call your boss or whoever made the request at the phone number you have for them and verify that this is something that they're really asking you to do.”
A different twist: Intercepting money in real estate transactions
Real estate BEC targets people buying homes. It’s designed to steal the proceeds of a home sale, so the losses can be staggering.
If hackers can get into the computer system of one of the parties involved in the transaction — the realtors, title company, buyer or seller — they can access all the details of the sale. Then, a few days before closing, the fraudsters emailed the buyer, pretending to be the realtor or title company, with instructions to use a new bank account number — the crook’s bank account — for the wire transfer.
Real estate BEC fraud grew from 9 percent of all cases in 2017 to 16 percent last year, FinCEN reports, with an average loss of $179,000. In many cases, the theft derails the transaction and leaves the victims homeless.
“We were mortified, like oh my God, what just happened; $400,000 is a lot of money,” said a victim in Washington state who asked us to call her Sue.
Sue and her husband were helping a family member buy a house. Days before closing, they received an email that appeared to be from the title company that seemed legitimate — it had all the names, timeline and dollar amount correct.
“The email said to send the money to another bank and here's the account number,” Sue recalled. It was different from the original directions from the title company, which in hindsight, should have been set off bells and whistles, but we had no reason to question it.”
Sue was lucky, she was able to get her money back, but she wants others to learn from her experience.
“Be suspicious and question everything,” she told NBC News BETTER. “Don’t simply rely on digital communications [when large amounts of money are involved]. Confirm things by phone and make sure it’s legitimate.”
Responding to this growing threat, many real estate agents, title companies and lenders now warn their customers in writing that they need to verify by phone any change of instructions about closing that they receive via email. Some states now require this disclosure.
Be suspicious and question everything.
Victims need to file a report
It’s never easy to admit that you’ve been scammed, but the FBI urges anyone who’s been targeted by a BEC scammer to file a complaint with the Internet Crime Complaint Center (IC3). This information can be used to go after the bad guys and possibly recover some of the stolen funds. You can also report the fraud to the BBB Scam Tracker.
In early September, the FBI announced the results of Operation reWired, a joint investigation with 10 foreign countries. The sweep resulted in 281 arrests, the seizure of nearly $3.7 million and the disruption and recovery of approximately $118 million in fraudulent wire transfers.
CORRECTION (Oct. 3, 2019, 3:40 p.m.): An earlier version of this article misstated Herb Stapleton's current title at the FBI. He is now section chief within the agency’s Cyber Division; previously, he was the assistant special agent in charge of the Cincinnati Field Office.