More than $3.9bn lost to BEC scams
Organisations worldwide have lost more than US$3 billion to business email compromise (BEC) scams, with more than 400 businesses hit with such scams daily, research from Symantec indicates.
BEC scams, also known as CEO fraud, involve scammers sending spoofed emails purportedly from CEOs or other high-ranking executives requesting large money transfers.
Such attacks require little technical expertise but can be very lucrative, which makes them attractive for cybercriminals. Symantec notes the example of Austria’s aerospace components maker FACC, which recently fired its CEO after losing US$50 million ($65.7 million) to such a scam.
Data from Symantec’s email security team indicates that SMEs are the most frequent targets of BEC scammers, accounting for 38% of attacks.
The next largest category is the financial sector, at 14%, followed by health care and technology (8% apiece), energy (7%), retail (5%), education (3%) and travel (2%). The remaining 15% of victims fall into the “other” category.
The data show that hundreds of organisations are receiving BEC scam emails every day. Among these, at least two employees will be targeted with a BEC email, most commonly senior financial staff.
FBI statistics meanwhile indicate that there have been 22,000 victims of BEC fraud globally in the past three years, which together lost over US$3 billion ($3.94 billion) to the scams.
BEC emerged as an evolution of the well-known 419 scams originating from Nigeria, and as a result 46% of the email addresses used by scammers in the cases Symantec evaluated came from the country. One such group of scammers was responsible for 12% of BEC email traffic observed.
BEC scammers commonly use one- or two-word subject lines to avoid suspicion and make the emails harder to filter. The most common subject line is “Request” (25%), followed by “Payment” (15%) and “Urgent” (10%), with most of the remainder being variations on these themes.
To protect against BEC scams, Symantec advises professionals to question any emails that seem unusual or that do not follow normal procedures; to refrain from replying to suspicious emails, instead looking up the sender’s address in the corporate address book and asking them about the message; and to use two-factor authentication for initiating wire transfers.
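The two observations above, the short lure subjects and the advice to check a sender against the corporate address book, translate directly into a mail-triage rule. The following is an added example, not code from Symantec or from the article: the directory, internal domain, sample messages and the "transfer" keyword check are all constructed assumptions, and the subject words are the three the article reports.

```python
"""Added example: flag likely BEC lures for out-of-band verification.
Not from the article or Symantec; directory, domain, messages and
thresholds below are constructed assumptions for illustration."""
from email.utils import parseaddr

# Constructed corporate address book: executive display name -> real address.
DIRECTORY = {
    "Jane Doe": "jane.doe@example.com",
    "Mark Roe": "mark.roe@example.com",
}

# The subject words the article reports as most common in BEC emails.
BEC_SUBJECT_WORDS = {"request", "payment", "urgent"}

# Constructed sample messages (assumed format: from/subject/body only).
MESSAGES = [
    {"from": "Jane Doe <jane.doe@example.com>",
     "subject": "Q3 budget review",
     "body": "Please see the attached slides before Thursday."},
    {"from": "Jane Doe <janedoe.ceo@webmail-example.net>",
     "subject": "Urgent",
     "body": "Are you at your desk? I need a wire transfer processed today."},
    {"from": "accounts@vendor-example.org",
     "subject": "Payment",
     "body": "Invoice 42 is overdue, please pay."},
]


def subject_looks_like_bec(subject):
    """True for a one- or two-word subject containing a known lure word."""
    words = [w.strip("!.:,") for w in subject.lower().split()]
    return 0 < len(words) <= 2 and any(w in BEC_SUBJECT_WORDS for w in words)


def spoofed_executive(from_header):
    """Return the executive name if the display name is in the directory
    but the actual sender address is not that executive's address."""
    name, addr = parseaddr(from_header)
    expected = DIRECTORY.get(name)
    if expected and addr.lower() != expected:
        return name
    return None


def score_message(msg):
    """Return the list of reasons a message deserves manual verification."""
    reasons = []
    exec_name = spoofed_executive(msg["from"])
    if exec_name:
        reasons.append(
            f"display name '{exec_name}' does not match the address-book entry")
    if subject_looks_like_bec(msg["subject"]):
        reasons.append("short lure subject")
    body = msg["body"].lower()
    if "wire" in body or "transfer" in body:
        reasons.append("asks for a funds transfer")
    return reasons


def triage(messages):
    """Return (index, reasons) for every message with at least one reason.
    Flagged messages should be verified with the sender via the address
    in the corporate address book, never by replying to the message."""
    flagged = []
    for i, msg in enumerate(messages):
        reasons = score_message(msg)
        if reasons:
            flagged.append((i, reasons))
    return flagged


if __name__ == "__main__":
    for i, reasons in triage(MESSAGES):
        print(f"message {i}: verify out of band; {'; '.join(reasons)}")
```

The directory lookup is the core of the check: a spoofed message may carry the CEO's exact display name, but the address behind it will not be the one in the corporate address book, which is why the article's advice is to contact the sender through that book rather than by replying.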