“From the Front Lines: Former FBI Field Agent’s Perspective on BECs”

In 2018, the FBI’s Internet Crime Complaint Center (IC3) received more than 900 complaints of internet driven crime every day.  This amounted to over 350,000 complaints involving $2.7 billion in losses.  Business enterprise compromises (BECs) were the most common and the most consequential.

These scams, which involve the use of fraudulent emails instructing recipients to unwittingly wire payments to criminals’ bank accounts, accounted for over 20,000 complaints and a whopping $1.2 billion in losses in 2018.  The Cyber Division of the FBI’s Economic Crimes Unit investigates these complaints with the goal of recovering fraudulently diverted funds.

“Michael” is a retired FBI field agent who worked in this Unit since its inception.  With his permission, the following is a summary of our recent conversation.

ME: Tell me about your background with the Bureau and the Cyber Unit specifically.

MICHAEL:  I was a Special Agent for 24 years.  I spent most of that time in the White Collar, or Economic Crimes, Unit.  About ten years ago, I remember I went out to investigate a reported fraud involving a payment by a pharmaceutical company.  I’d never seen anything like it.  I reported it to headquarters, and they had no insight.  A few months later, I investigated a fraud involving a wire supposedly initiated by a bank’s customer.  At the time, we didn’t know that both incidents were what we came to call BECs.  Actually, BECs is what we call it where the victim is a business.  For individuals, the Bureau refers to this type of fraud as EACs, or Email Account Compromises.

It wasn’t until I attended a conference that I learned that some of my colleagues had been seeing similar incidents.  We identified some common elements, and ultimately compiled the information that led to the FBI in about 2017 to establish the Cyber Unit of the Economic Crimes Division, all under the umbrella of the Criminal Investigation Division.

ME:  How many agents are in the Unit?

MICHAEL:  The Unit has about 10-15 supervisors at headquarters, and then there are at least two field agents in almost every field office across the country.  The Unit initially breaks these frauds out into two classes, those that involve domestic wires and those that involve international wires.  Domestic wires are handled by the RAT, the Recovery Asset Team.  International wires are handled by field agents like me.

ME: What were your responsibilities?

MICHAEL:  A complaint would come in through the IC3.  If it had been three days or less, they would refer it out to me or another field agent.  More than three days and there is almost nothing we could do. After 72 hours, you’re toast.

I would go to the victim’s location, interview the employees briefly and, most importantly, retrieve the metadata from the email user’s account.  Our cyber analysts would work with that data, and, ultimately, I’d contact banks and ask them to freeze funds if they hadn’t already transmitted the wires.  Some banks were helpful, others weren’t.  Especially where the fraud involved individuals rather than businesses, some banks really did not want to get involved.  In some cases, we actually used private investigators or other contacts who would get the funds frozen when the banks weren’t cooperating with the FBI.  My job was to recover funds.

ME:  How’d you do?

MICHAEL:  Over the course of about two years, I probably had 200 complaints involving about $10 million in losses.  I recovered about $2 million of that.

ME:  Did you identify any common threads of similarities across the incidents that you investigated?

MICHAEL:  Definitely.  Towards the end of my career, they were almost exclusively residential real estate transactions.  Earlier, it had been a lot of pharma companies and banks.  But more recently, residential real estate transactions and pension funds have become big targets.  I didn’t do the actual IT investigation piece.  But I know that analysts used the metadata I obtained to track IP addresses.  A lot of the fraudulent emails were coming from IP addresses in Poland or Nigeria.  A lot of them used poor English.

ME:  What did the residential real estate schemes typically look like?

MICHAEL: It was usually someone impersonating the realtor, telling others that the payment information had been changed.  In a lot of cases, the criminals mined information from social media sites, like Facebook.  They found out someone was a realtor, tracked posts related to closings or listings.  Sometimes, they didn’t even hack into anyone’s email.  They just socially engineered spoof emails and sent them from email addresses that differed from the legitimate email addresses in minor ways, like adding an “s” to a word.  Other times, criminals hacked into someone’s email account.  Usually the realtor.  A lot of realtors use gmail or AOL.  Those email service providers offer two factor authentication options, but most people don’t use them.  If you don’t do that, you open yourself up to problems.  Once the criminals get in, they are extremely patient.  They monitor conversations and wait until the perfect moment to get in there.

ME: What about the pension fund frauds?

MICHAEL:  That was usually a criminal targeting a third party administrator.  They would send a fraudulent email to the administrator.  The administrator would instruct the fiduciary to make a payment.  And then the administrator would say it was the fiduciary’s fault because they made the payment.  But the administrator is the one that told them to.

ME:  What can we do to improve our chances of recovering fraudulently diverted funds?

MICHAEL:  The most important thing is to act quickly.  You can’t just call the FBI.  You have to file a complaint with the IC3.  That can be done on-line.  That’s what triggers everything.  The sooner the fraud is reported, the better chances you have at a recovery. The FBI still does not recover funds in the majority of cases, but if you report the fraud less than three days after the wire, you have at least a chance.  You can read more about reporting crimes through IC3 on this data sheet that we used to give out.

ME:  What about prevention?

MICHAEL:  For scams that incorporate hacking, two factor authentication makes email more secure.  People also need to be mindful of irregularities in emails concerning payment instructions. The other thing is to talk.  Especially when someone is changing payment instructions.  People should pick up the phone and call to verify information before wiring funds.  And you have to talk to someone you know.  Not an assistant or a colleague.  The last thing I’ll say is that we shouldn’t be so reliant on doing business through email.  Nobody does anything in person anymore.  Consider more in-person meetings for transactions.  If that’s not feasible, though, pick up the phone.

Another common issue is that the routing numbers used often aren’t tied to the banks the criminals say they are.  For example, a fraudster might say to wire funds to Bank A.  But the routing number provided belongs to Bank B.  You can check which routing numbers belong to which banks.  If they don’t match, that’s a red flag.

ME:  Is there anything banks can do to help prevent these frauds from succeeding?

MICHAEL:  Some banks don’t require account names and account numbers to match.  So, a criminal could send you an email saying to wire funds to your realtor, Joe, at account X.  You then request a wire transfer to Joe at account X.  But account X actually belongs to Bob.  If there’s been no attempt to confirm that the account to which a customer has requested funds be transferred is actually owned by the person or company to whom the customer is trying to make a payment, the bank is sending money to an account that it could have easily verified does not belong to the person that the customer thinks it belongs to.  Just matching up accounts and names would be really helpful.


Once you’ve been victimized, your chances of recovery are probably minimal.  Business and individuals should prioritize IT security AND should look for the signs of potential fraud every time an email involves payment information.  But the best way to combat this kind of cybercrime is to avoid using the cyber component of a transaction as the only mechanism for conducting business.  Talk to each other.  You might even enjoy a little human contact.

Contact Information