BEC: What's in Your Inbox?

by Teri Wesley
We're all familiar with the ubiquitous Capital One "What's In Your Wallet?" ad campaign featuring prominent celebrities and humorous scenarios to highlight their card products. In what was one of the largest bank data breaches ever, in 2019 a hacker gained access to more than 100 million Capital One customers' accounts and credit card applications. While that incident was found to be caused by a combination of misconfigured cloud infrastructure and a former employee exploiting her knowledge of cloud vulnerabilities, that breach and other high-profile hacking incidents highlight how the growing reliance on technology is exposing sensitive data and personally identifiable information (PII).
Email accounts have become prime targets for cybercriminals. There has been an exponential rise in Business Email Compromise (BEC) and other phishing scams in 2024. This surge is largely attributed to cybercriminals leveraging advanced technologies, particularly artificial intelligence (AI), to enhance the sophistication and success rate of their attacks. Reports indicate a substantial rise in BEC attacks, with some studies noting a 20% increase compared to previous years. Notably, BEC scams now constitute over half of all phishing attempts.
In 2023, the FBI's Internet Crime Complaint Center (IC3) received over 21,000 BEC complaints, resulting in losses totaling $2.9 billion, with an average loss of $174,000 per incident. These BEC schemes historically involved compromised vendor emails, requests for W-2 information, targeting of the real estate sector, and fraudulent requests for large amounts of gift cards. More recently, the IC3 data suggests fraudsters are increasingly using custodial accounts held at financial institutions for cryptocurrency exchanges or third-party payment processors, or having targeted individuals send funds directly to these platforms where funds are quickly dispersed. The FBI notes that with the growing use of tactics involving funds being directed to cryptocurrency platforms, third-party payment processors, or custodial accounts at financial institutions, implementing two-factor or multi-factor authentication is more critical than ever as an added layer of security.
These attacks often impersonate trusted contacts or organizations, tricking recipients into divulging sensitive information or transferring funds. It's no longer just a question of "What's in your wallet?" but "What's in your inbox?" Organizations and individuals must scrutinize emails, verify senders, and implement robust cybersecurity measures to protect themselves from these evolving digital threats.
The use of AI enables attackers to craft personalized and grammatically correct messages that can bypass traditional security filters. According to recent reports, around 40% of BEC lures are now created using AI, significantly increasing their persuasiveness and making them more difficult to identify as fraudulent. AI-driven deepfake technology is being deployed to create convincing audio and video impersonations of trusted individuals, further enhancing the effectiveness of phishing scams.
Other emerging phishing techniques include:
- Quishing: A new trend involving the use of QR codes in phishing attacks. Scammers embed malicious links within QR codes, exploiting the trust users place in these codes to steal sensitive information.
- Smishing: There has been a notable increase in SMS-based phishing, or "smishing," where attackers send fraudulent text messages to deceive individuals into divulging personal information. Smishing scams are particularly prevalent during the holiday season, when consumers are expecting package deliveries.
Financial institutions play an important role in identifying and reporting fraud schemes. Communication and collaboration among internal AML, compliance, business, fraud prevention, legal and cybersecurity departments, as well as with other institutions across the financial sector, are critical to combating these and other financial crimes. Additional actionable steps to mitigate losses include:
- Employee Training: Regular training sessions can help employees recognize and avoid phishing attempts.
- Advanced Security Measures: Implementing AI-driven email security solutions can enhance detection and prevention of sophisticated phishing attacks.
- Verification Protocols: Establishing strict verification procedures for financial transactions can mitigate the risk of BEC scams.
Staying informed about the evolving tactics of cybercriminals and adopting robust cybersecurity measures are crucial steps in protecting your customers and institution from the increasing threat of BEC and phishing scams in 2025.