Cryptocurrency in BEC Schemes on the Rise
April 16, 2021
Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.
The scam is frequently carried out when an individual compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds.
The IC3 has received an increased number of BEC complaints involving the use of cryptocurrency. Cryptocurrency is a form of virtual asset that uses cryptography (the use of coded messages to secure communications) to secure financial transactions and is popular among illicit actors due to the high degree of anonymity associated with it and the speed at which transactions occur.
Two iterations of BEC scenarios have been identified through IC3 complaint information: a direct transfer to a cryptocurrency exchange (CE) or a "second hop" transfer to a CE. In both situations, the victim is unaware that the funds are being sent to be converted to cryptocurrency.
A CE is an entity in the business of exchanging fiat currency (government issued currency not backed by a commodity) to cryptocurrency. CEs routinely hold custodial accounts with traditional financial institutions (FIs) that are used for easy trading/exchanging for customers.
This iteration of the BEC/Cryptocurrency scam mirrors the traditional pattern of BEC incidents in the past. The victim entity will receive a spoofed or otherwise compromised email that contains doctored wire instructions provided by the bad actor; however, since the requested transfer is directed to a traditional financial institution (where the CE has a custodial account), it is not easily identified by the victim.
Second Hop Transfer
This iteration of the BEC/Cryptocurrency scam uses victims of other cyber-enabled scams such as Extortion, Tech Support, and Romance Scams. Often, these individuals provided copies of identifying documents such as driver's licenses, passports, etc., that are used to open cryptocurrency wallets in their names. Once received by the scammer, the victim's bank account can be used to receive BEC funds that are then instructed to transfer to a CE custodial account or even directly to the exchange itself.
While the use of cryptocurrency is regularly reported in other crime types seen at the IC3 (e.g., tech support, ransomware, employment), it was not identified in BEC-specific crimes until 2018, and even then, at minimal numbers. By 2019, reports had increased, culminating in the highest numbers to-date in 2020. Based on the data received, the IC3 expects this trend to continue into 2021.
Similar to the classic BEC scams that IC3 has been tracking since 2013, the average dollar loss associated with these incidents is much higher than other forms of fraud reported to the IC3; however, smaller transactions are not immune to the scheme. The annual reported loss associated with these incidents has climbed steadily since the first reported in 2018, topping $10M in 2020.
Suggestions For Protection