Quick Hits

• According to the FBI, Business Email Compromise (BEC) scams often involve the spoofing of a legitimate, known email address or the use of a nearly identical address to appear as someone known to or trusted by the victim.
• Real Estate Wire Fraud is a subcategory of BEC, in which criminal actors target individuals or companies executing large wires related to real estate transactions.
• From 2020 to 2022, there was a 27 percent increase in victim reports to the FBI of BECs with a real estate nexus.

What Are BEC Scams?

In a BEC scam, cybercriminals send an email message that appears to come from a known source making a legitimate request. Oftentimes, these messages are very convincing and are difficult, if not impossible, to discern from the real thing. A typical BEC scam would involve a seemingly authentic email address that appears very similar and recognizable address. For example, the fake email address may appear to come from a trustworthy source like a bank. These emails typically contain malware that enables criminals to infiltrate company networks to gain access to confidential information, thereby causing a data breach.

In a 2022 congressional report, the Federal Bureau of Investigation (FBI) said that Real Estate Wire Fraud (REWF) is a subcategory of BEC, in which criminal actors target individuals or companies executing large wires related to real estate transactions. In a typical REWF scam, the buyer of property will receive an email from a criminal impersonating the seller with instructions on how to wire the payment. This email will appear authentic, and the wiring instructions will often indicate a familiar bank as the receiving bank for the wire transfer. REWF is unique within BEC scams insofar as the buyer is often using the proceeds from a sale of property to fund a new purchase of property. As such, the loss of funds caused by these scams can potentially be catastrophic for the victims.

Frequency and Severity of BEC Scams

According to the FBI’s Internet Crime Complaint Center (IC3), between October 2013 and October 2022, there were 137,601 victim complaints of BEC scams in the United States. These complaints had a total monetary loss of $17,323,435,141. In addition, the IC3’s Financial Transaction Component indicates that between June 2016 and December 2022, there were an additional 74,121 victim complaints of BEC scams in the United States. These complaints had a total monetary loss of $13,034,596,130. Moreover, the IC3 indicates that BEC scams targeting real estate companies are on the rise. From 2020 to 2022, there was a 27 percent increase in victim reports to the IC3 of BEC scams, with a real estate nexus showing a 72 percent increase in monetary losses. In other words, in only two years, the number of REWF scams went from 1,796 victims in 2020 to 2,284 victims in 2022, and the amount of money lost went from $258,400,000 to $446,100,000. This is a drastic amount of money lost considering the seemingly small number of victims, which highlights that the loss per victim is significant.

How Businesses Can Protect Themselves From BEC Scams

Although these scams can have potentially devastating consequences, they are fortunately relatively simple to avoid. The FBI recommends the following practices to avoid becoming a victim of BEC scams:

• Avoid clicking on any links in unsolicited emails or text messages that ask for personal details, such as bank account information.
• If an email request is received from a seemingly familiar company, independently verify the company’s phone number and email address (do not use the one provided by a potential scammer) and call to confirm the legitimacy of the request.
• For payment and purchase requests, verify their authenticity in person if possible, or by calling the person or company involved.
• Always keep track of and verify any changes in account numbers or payment procedures directly with the person making the request.
• Additionally, closely scrutinize the email address, URL, and spelling in any correspondence, as scammers often use subtle differences to deceive their victims.
• Lastly, exercise common sense when conducting any online activity.

Additional preventive practices that the FBI recommends include the following:

• Be cautious about the information shared on social media, such as pet names, schools attended, family members, and birthdays, as these can help scammers guess passwords or answer security questions.
• Be mindful of what gets downloaded, and never open email attachments from unknown senders.
• Enable two-factor (or multifactor) authentication on any account that offers it, and never disable this feature.

The FBI also recommends that if all else fails and someone falls victim to a BEC scam, the most important thing to do is act quickly and notify the authorities and the relevant bank immediately. The sooner victims act, the more likely they are to regain their lost funds.

REWF Response

The FBI urges companies that become victims of REWF scams to report such incidents to the Bureau through its IC3.

Additional steps that companies may want to take if they have become victims of a BEC scam include:

• Immediately contacting their cyber insurance carriers. Unfortunately, some cyber insurance policies do not cover REWFs.
• Stopping payment order/reversal requests on any funds that were wired.
• Following the money, usually through subpoenas after a lawsuit is initiated against fictitious parties, to determine what banks the money flows to. REWF victims that act quickly enough before the money leaves the country may be able to recover significant portions of the stolen funds.

Due to anti-money laundering measures and the Sarbanes-Oxley Act of 2002, banks are often able to locate and identify fraudulent accounts, and it becomes a measure of determining if the bank is holding the stolen money in an escrow security account and how to get such funds back. Additionally, use of a private investigator is often warranted when the identity of individuals involved in the REWF and the laundering of the money are identified. The important point to keep in mind is that even in these dire circumstances, companies that act quickly and effectively significantly increase their chances of recovering the stolen funds.

Key Takeaways

• BEC scams frequently target real estate companies and are becoming more prevalent and more financially catastrophic. 
• Employers may want to make sure their employees are aware of these BEC scams and take all necessary precautions to avoid them.
• If anyone falls victim to a BEC scam, acting immediately and reporting the scam to the police and FBI through the IC3 and notifying the relevant bank can help with recovering lost funds. 
• The faster a victim acts, the more likely it is to recover its lost funds.
• A company’s cyber insurance policy may not cover BEC scams, meaning the company may be required to pay the intended recipient of the fraudulent transfer, multiplying the loss.