Business email compromise (BEC) is one of the most common email scams targeting businesses, their employees, and their customers, and according to the FBI the losses have kept growing over the past few years.
In fact, the total reported loss due to BEC is now at $50 billion, according to new FBI data.
What is BEC?
Business email compromise (BEC) is a scam in which a bad actor uses email to fraudulently obtain money or personal, confidential information.
In this type of scam, the bad actor impersonates a trusted figure. For example, they may pretend to be the company's CEO and ask an employee to wire money or hand over personal information.
Any organization, government agency, or business is vulnerable to BEC attacks, especially if they’re not taking the proper precautions.
The scammers will rely primarily on social engineering and unprotected email domains to pull off this scam. Social engineering makes it harder for people to catch these bad emails, and the latest statistics show they’re still successful.
FBI’s latest numbers
The FBI recently announced that $50 billion has been lost to business email compromise across domestic and international cases combined. This is a $7 billion increase over the total the FBI published in 2022. Between December 2021 and December 2022 alone, reported global losses to BEC rose 17%.
The FBI reported that over the last nine years, there have been nearly 300,000 BEC incidents in 177 countries and all 50 states.
While $50 billion is an eye-opening figure, it covers only reported losses. Many BEC incidents are never reported, so the real total is almost certainly higher.
As methods to prevent BEC attacks evolve, the attacks will evolve as well. It’s becoming increasingly difficult for companies to protect themselves, their employees, and their customers.
What should companies do?
The FBI recommends verifying that the sender's email address actually matches the person the email claims to come from, especially when reading mail on a phone or tablet, where mail clients often show only the display name and hide the address. Training employees can reduce some of the risk, but it is not a dependable control on its own.
Companies should also verify any request that touches account, payment, or confidential information through a second channel (for example, a phone call to a number already on file, or two-factor authentication on the request itself) rather than by replying to the email that made the request.
For businesses who want a more proactive approach to prevent bad actors from spoofing their domain, we recommend using Domain-based Message Authentication, Reporting & Conformance (DMARC).
DMARC is an email authentication and reporting protocol built on top of SPF and DKIM. A domain owner publishes a DMARC record in DNS; receiving mail servers then check that the domain in the visible From: header aligns with a domain that passed SPF or DKIM. If neither check passes with alignment, the receiver applies the policy the owner published: p=none (monitor only), p=quarantine, or p=reject. Only quarantine and reject count as enforcement; a domain sitting at p=none is still freely spoofable.
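The decision a receiver makes, written out as an added example (this is illustrative code, not Valimail's or any mail server's implementation): it parses a DMARC record, checks identifier alignment between the From: domain and the domains that passed SPF or DKIM, and returns the DMARC result together with the disposition the published policy calls for. The domains, addresses and authentication results used are constructed, and the organizational-domain logic is deliberately simplified (real implementations consult the Public Suffix List).

```python
"""Added example: a minimal DMARC policy evaluator (illustrative, not production code).

Parses a published DMARC record, checks alignment between the visible From: domain
and the domains that passed SPF/DKIM, and returns (dmarc_result, disposition).
All domains and authentication results in the demo are constructed.
"""
from email.utils import parseaddr


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; rua=mailto:...'."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")  # DKIM alignment mode, relaxed unless stated
    tags.setdefault("aspf", "r")   # SPF alignment mode, relaxed unless stated
    return tags


def is_enforcing(record: dict) -> bool:
    """Only quarantine and reject make receivers act; p=none is monitor-only.
    (A pct= below 100 weakens enforcement further; ignored here for brevity.)"""
    return record["p"] in ("quarantine", "reject")


def organizational_domain(domain: str) -> str:
    """Simplified: the last two labels. Real code uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def from_domain_of(from_header: str) -> str:
    """Domain of the RFC5322.From address, which is the identifier DMARC protects."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower()


def evaluate(record, from_header, spf_result=None, dkim_results=()):
    """Return (dmarc_result, disposition).

    spf_result:   (passed, domain) for the SPF check of the MAIL FROM domain, or None.
    dkim_results: iterable of (passed, d= domain) for each DKIM signature present.
    """
    from_domain = from_domain_of(from_header)
    spf_aligned = bool(spf_result and spf_result[0]
                       and aligned(from_domain, spf_result[1], record["aspf"]))
    dkim_aligned = any(passed and aligned(from_domain, d, record["adkim"])
                       for passed, d in dkim_results)
    if spf_aligned or dkim_aligned:
        return ("pass", "none")        # delivered normally
    return ("fail", record["p"])      # receiver applies the published policy


if __name__ == "__main__":
    # Constructed scenario: a message claims to be from the CEO but was relayed through
    # an attacker-controlled domain whose SPF passes for *its own* domain, not for ours.
    spoof_from = "CEO <ceo@example.com>"
    spoof_spf = (True, "attacker.example")
    for txt in ("v=DMARC1; p=none", "v=DMARC1; p=reject; adkim=s; aspf=s"):
        rec = parse_dmarc_record(txt)
        print(txt, "->", evaluate(rec, spoof_from, spf_result=spoof_spf))
```

The two records in the demo are the weak and the corrected setting side by side: under p=none the spoof fails DMARC but is still delivered, under p=reject the same message is refused. Note also that SPF "passing" for the attacker's own domain does nothing for the victim, because alignment is what ties authentication back to the From: header the recipient actually sees.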
In fact, if more companies moved their domains to DMARC enforcement, it would be far easier to trust what lands in your inbox.
“It’s about authenticating yourself but also the supply chain in ensuring that whoever you partner with and do business with, they are also doing their due diligence in doing the right thing by locking their domains down so that it is a safer working place for all.” (Karl Mattson, CISO of NoName Security)
However, we still have a long way to go. We recently published a report and found that in the banking and financial sector only 43% of companies were at DMARC enforcement.
DMARC is also valuable for its reporting: the rua= tag in your record tells receivers where to send aggregate reports listing every IP address that sent mail using your domain and whether that mail passed aligned SPF or DKIM. To see who is sending email under your domain, create a free account on Valimail Monitor today.
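What one of those aggregate reports looks like and how to read it, as an added example (illustrative code, not Valimail Monitor's implementation): the report below is a constructed sample in the XML format receivers send to the rua= address, and the parser groups it by sending IP and flags sources that fail both aligned SPF and aligned DKIM. Such a source is either a legitimate system nobody set up authentication for, or someone spoofing the domain; either way it is what you must resolve before moving from p=none to enforcement.

```python
"""Added example: summarize a DMARC aggregate (rua) report. Illustrative only.

The XML below is a constructed report in the RFC 7489 aggregate format with one
authenticated source and one unauthenticated source. policy_evaluated holds the
*aligned* SPF/DKIM verdicts that decide DMARC; auth_results holds the raw ones.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>1234</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def _text(elem, path, default=""):
    found = elem.find(path)
    return found.text.strip() if found is not None and found.text else default


def summarize_aggregate_report(xml_text: str) -> dict:
    """Parse one aggregate report into a per-source summary.
    Reports arrive from third parties; for untrusted input use defusedxml instead."""
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": _text(root, "report_metadata/org_name"),
        "domain": _text(root, "policy_published/domain"),
        "policy": _text(root, "policy_published/p"),
        "sources": [],
        "total": 0,
    }
    for rec in root.findall("record"):
        count = int(_text(rec, "row/count", "0"))
        entry = {
            "source_ip": _text(rec, "row/source_ip"),
            "count": count,
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            "dkim_aligned": _text(rec, "row/policy_evaluated/dkim") == "pass",
            "spf_aligned": _text(rec, "row/policy_evaluated/spf") == "pass",
            "header_from": _text(rec, "identifiers/header_from"),
            "spf_domain": _text(rec, "auth_results/spf/domain"),
            "dkim_domain": _text(rec, "auth_results/dkim/domain"),
        }
        entry["dmarc_pass"] = entry["dkim_aligned"] or entry["spf_aligned"]
        summary["sources"].append(entry)
        summary["total"] += count
    return summary


def unauthenticated_sources(summary: dict) -> list:
    """Sources sending as your domain with no aligned SPF and no aligned DKIM."""
    return [s for s in summary["sources"] if not s["dmarc_pass"]]


if __name__ == "__main__":
    s = summarize_aggregate_report(SAMPLE_REPORT)
    print("%s saw %d messages for %s (p=%s)" % (s["reporter"], s["total"], s["domain"], s["policy"]))
    for src in unauthenticated_sources(s):
        print("UNAUTHENTICATED", src["source_ip"], src["count"], "messages; raw SPF domain:",
              src["spf_domain"] or "-", "; at p=reject these would be refused")
```

In the sample, the second source shows raw SPF passing for attacker.example while the DMARC-evaluated SPF is fail: the sender authenticated its own domain, not the one in the From: header, which is exactly the spoofing pattern DMARC enforcement stops. Because the published policy is p=none, all 35 of those messages were still delivered.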
If you are the victim of a BEC attack, act as quickly as possible. If money was sent, contact your bank immediately and ask it to recall the funds; preserve the fraudulent emails and any other identifying details about the transaction. Then file a complaint with the FBI's Internet Crime Complaint Center (IC3).
Protect against BEC
Over the past nine years, total reported losses to BEC have continued to grow. If you don't want your business to be part of that statistic next year, moving your domain to DMARC enforcement is one of the best routes.
“Outcomes show that implementing DMARC is one of the highest ROI solutions available. Just make sure to insist on enforcement (activation) and that the process is automated – otherwise, DMARC can be daunting.” (Alexander Garcia-Tobar, CEO of Valimail)
Learn more about how DMARC can protect you from BEC by scheduling a demo with us.