Jeff Lanza

As I present at conferences around the country, I continue to hear stories from audience members about victimization by a particular form of cybercrime, Business Email Compromise or BEC for short. The FBI’s latest Internet Crime Report stated this:

“In 2023, the FBI received 21,489 (BEC) complaints with adjusted losses over 2.9 billion. BEC is a sophisticated scam targeting both businesses and individuals performing transfers of funds. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

These BEC schemes historically involved compromised vendor emails, requests for W-2 information, targeting of the real estate sector, and fraudulent requests for large amounts of gift cards. More recently, the IC3 data suggests fraudsters are increasingly using custodial accounts held at financial institutions for cryptocurrency exchanges or third-party payment processors, or having targeted individuals send funds directly to these platforms where funds are quickly dispersed.”

I am presenting in Mississippi this week at an insurance conference. I like to use local examples of cybercrime, which generally have a greater impact on the audience because they happened so close to home.

In one Mississippi case of BEC, a county lost $2.7 million after it received emails asking officials to update the bank account information for a construction company. The construction company was owed money by the county. After the update was made, the payment for money owed was disbursed to a bank account controlled by criminals. Unfortunately, this case will add to the BEC number for the FBI report for 2024.

The FBI advises, as I do in my presentations on the topic of cybercrime: “Procedures should be put in place to verify payments and purchase requests outside of email communication and can include direct phone calls but to a known verified number and not relying on information or phone numbers included in the email communication. Other best practices include carefully examining the email address, URL, and spelling used in any correspondence and not clicking on anything in an unsolicited email or text message asking you to update or verify account information.”