An increasing number of recent business email compromise complaints involve the use of cryptocurrency, according to the FBI’s Internet Crime Complaint Center.
Business email compromise scams continue to grow and evolve, according to the FBI’s Internet Crime Complaint Center. Between July 2019 and December 2021, IC3 reported a 65% increase in global exposed losses, partly due to the increase in virtual business as a result of the pandemic.
BEC or email account compromise targets government agencies, businesses and individuals responsible for transferring funds. Scammers trick email or text recipients by posing as a manager or company vendor and asking them to transfer money into fake accounts.
In recent BEC scams, criminals send victims text messages that look like bank fraud alerts asking for confirmation that they transferred funds through a digital payment app. If the victim responds to the alert, the cybercriminal then calls from a number that appears to match the financial institution's legitimate 1-800 support number. Thinking the caller is helping them reverse the fake money transfer, victims are tricked into sending payment to the criminal’s bank account.
The popularity of cryptocurrency is also spawning BEC attacks.
The IC3 tracked two BEC scams where criminals took advantage of cryptocurrency to hide their tracks. One tricked a user into making a direct transfer to a cryptocurrency exchange. In the other, a "second hop" transfer to a CE involved criminals using extortion, fake tech support or romance scams to obtain the personal information they need to open a cryptocurrency wallet with the victim’s name. Then the scammer sends the victim payment instructions that direct funds into the new phony wallet, which the bad actor then cashes out. In both situations, the victim is unaware that the funds are being sent to be converted to cryptocurrency.
In a variation, according to IC3, criminals take over legitimate business accounts and email employees requesting their personally identifiable information, W-2 forms or even crypto currency wallets.
In another scam identified in an IC3 announcement, criminals contact cryptocurrency owners and alert them to a fictitious security problem with their crypto wallet. The scammers then convince the victim to either grant them access to their crypto wallet or transfer the contents of their wallet to another wallet to "safeguard" the contents. Fraudsters have also created phony support sites where they convince crypto owners to divulge login information or control of their crypto accounts.
Cryptocurrency was first identified in BEC crimes in 2018, and by 2021 it was already associated with over $40M in exposed losses, IC3 reported. Based on the increasing data received, the IC3 expects this cryptocurrency-themed BEC scams to continue growing.