NJCCIC: Uptick in BEC Scams

Uptick in BEC Scams
According to the FBI IC3 Internet Crime Report 2023, business email compromise (BEC) scams are the second most expensive type of cybercrime. Over the past three years, the number of US victims increased from 19,954 (2021) to 21,832 (2022) and then decreased slightly to 21,489 (2023). However, the reported losses from BEC scams showed an upward trend, from $2.3 billion (2021) to $2.7 billion (2022) to $2.9 million (2023). Additionally, New Jersey recorded 628 BEC victims in 2023 and ranked second in the nation with an average loss per victim of $223,041.73. Total reported losses in the state rose significantly from 2022 (almost $63 million) to 2023 (over $140 million), and this trend is likely to continue.
Unlike generic phishing scams, BEC scams are a highly targeted form of social engineering, often incorporating preliminary reconnaissance on potential victims and using various impersonation techniques, including email spoofing and look-alike domains. To convey a sense of legitimacy, threat actors commonly spoof a familiar contact’s display name or email address, use domain names that mimic a trusted source, or compromise a legitimate account. The messages typically instruct the target to transfer funds, or to send other sensitive information, to the threat actors posing as trusted individuals. Common types of BEC attacks include wire transfer scams, direct deposit scams, real estate wire transfer scams, W-2 scams, and invoice scams. BEC scams can result in system compromises, data breaches, financial losses, and reputational damage.
The NJCCIC observed an uptick in various BEC scams, especially invoice, direct deposit, and real estate wire transfer scams. In invoice scams, threat actors impersonate trusted vendors with whom the target organization does business. They send emails redirecting payment of outstanding and future invoices for products or services to a new bank account. Threat actors may attach legitimate or fraudulent invoices with inflated amounts and provide new payment policies, payment instructions, and updated bank account details in order to steal funds from the vendor’s customers.
In direct deposit or payroll diversion scams, threat actors impersonate an employee, typically by registering a free email address using the employee’s name and using display name spoofing in the messages. They usually send fraudulent emails to payroll or human resources departments requesting a direct deposit change form. Sometimes, the threat actors locate an organization’s direct deposit change form online and include a filled-out copy in the email. Their goal is to redirect the employee’s direct deposit to an account under the threat actor’s control. These emails may contain noticeable red flags; however, they may also be well-crafted and more challenging to identify as suspicious.
In real estate wire transfer scams, threat actors impersonate real estate attorneys or title agents to defraud homebuyers. These requests typically instruct the buyer to wire the closing costs to an account controlled by the threat actors. The attorney’s signature in the spoofed email may contain information obtained from the law firm’s website or social media accounts. The subject and body of these emails often convey a sense of urgency to pressure targets into providing sensitive information or wiring money immediately, before they can thoroughly review the email’s content and question its legitimacy. If successful, the funds are transferred to the threat actors before the fraud is detected.
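The impersonation techniques described above (display name spoofing, free webmail addresses bearing an employee's name, look-alike domains, and urgent payment-change requests) can be surfaced by a simple header and content check at the mail gateway. The following is an added example, not NJCCIC code; the trusted domains, known contacts, and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation data: trusted domains and the domain each known contact uses.
TRUSTED_DOMAINS = {"example-corp.com", "vendor-example.com"}
KNOWN_CONTACTS = {"jane doe": "example-corp.com", "acme title": "vendor-example.com"}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
PAYMENT_TERMS = ("direct deposit", "bank account", "wire", "routing number", "invoice", "closing costs")
URGENCY_TERMS = ("urgent", "immediately", "asap", "today")

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    # Trusted domain this sender domain mimics (within two edits), or None.
    return next((t for t in TRUSTED_DOMAINS if domain != t and edit_distance(domain, t) <= 2), None)

def bec_indicators(raw_message):
    """Return BEC indicator tags found in one RFC 822 message string."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    tags = []
    if KNOWN_CONTACTS.get(name.strip().lower(), domain) != domain:
        tags.append("display-name-spoof")      # known contact's name on an unexpected sender domain
    if domain in FREE_MAIL:
        tags.append("free-webmail-sender")     # e.g. employee name on a newly registered free mailbox
    if lookalike_of(domain):
        tags.append("lookalike-domain")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        tags.append("reply-to-mismatch")       # replies silently routed elsewhere
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(t in text for t in PAYMENT_TERMS) and any(t in text for t in URGENCY_TERMS):
        tags.append("urgent-payment-change")   # payment-detail change plus time pressure
    return tags

# Constructed sample: payroll diversion attempt sent from a look-alike domain.
SAMPLE = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.payroll@gmail.com
Subject: Urgent: direct deposit change

Please update my direct deposit to the new bank account below immediately, before payroll runs.
"""
```

Running `bec_indicators(SAMPLE)` yields four tags (display-name spoof, look-alike domain, Reply-To mismatch, urgent payment change); a mail from the genuine contact with no payment language yields none.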