“Still Not Down with BEC”

In April 2016, I highlighted insurance issues related to business enterprise compromises, or BECs.  Yesterday, I had the privilege of presenting on the topic to the Central Jersey Chapter of the Institute of Internal Auditors at its Annual Fraud Conference (thanks to Frank Pina at Mercadian for the invite).

Since I last wrote about the subject, the FBI has determined that BECs, also known as CEO fraud, social engineering and spoofing, are among the most costly forms of cyber-crime.  Refresher: the FBI defines a BEC as a “sophisticated scam targeting both businesses and individuals performing wire transfer payments…[that] is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer engineering techniques to conduct unauthorized transfers of funds.”   Common examples of BECs are e-mails that appear to come from a CEO or CFO directing an employee to pay a fake vendor and scammers posing as title insurance representatives sending last-minute changes in wiring instructions to real estate purchasers.

Between 2013 and 2018, BECs accounted for over $12.5 billion in reported losses globally.  I say reported because the FBI’s data set is limited to self-reported information received through its Internet Complaint Center, or IC3.  Many victims of this type of fraud likely do not report it to the FBI for a multitude of reasons.  Of these losses, 41,058 incidents in the United States accounted for nearly $3 billion.  This figure represents more than half of fraud-related losses reported to the FBI during this five-year period.

So, what are you going to do about it?  Yes, you.  In preparing for my presentation, I learned of the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG).  This group is composed of FBI and other law enforcement personnel, regulators and government agencies, private companies, and private citizens.  Started in 2015, it’s now the largest global industry association of its kind.  The group combats internet abuse and fraud through position papers, training and, most interestingly, setting traps that lead to the arrests of BEC scammers.  M3AAWG does this by sending its own socially engineered e-mails to suspected BEC perpetrators to obtain information about what they’ve done, where they’ve done it and, critically, where they are.  This process has led to over 100 arrests.

I typically focus on transferring risk, but groups like M3AAWG are proactively attacking the attackers.  The hunters are becoming the hunted.  And I love it.  Yes, companies should ensure that they have appropriate risk transfer mechanisms in place, and they should constantly monitor and invest in their front-line security infrastructure.  But maybe you should also consider joining the militia.  To find out more about joining M3AAWG, click here (no, this is not a trick).