Arun Varghese


Current email security solutions depend on various attributes to reduce the chance that a given email (mail) is a threat. However, current solutions make it relatively easy to target corporate organizations with a Business Email Compromise (BEC) attack. A BEC attack is a non-malicious mail that deceives key people in organizations into performing, for example, wire transfers meant for suppliers or partners abroad.

The U.S. Federal Bureau of Investigation (FBI) has been tracking BEC, also known as email fraud and email account compromise (EAC), domestically and globally since October 2013. The recent trends related to fraudulent wire transfers and unauthorized disclosures of employee data are alarming:

  • Total identified global exposed losses now exceed $12.5 billion (up from $5.3 billion in December 2016).
  • More than 30,000 victim complaints were submitted between June 2016 and May 2018 via the recently launched Internet Crime Complaint Center (IC3) complaint form.
  • BEC scams targeting the real estate sector rose more than 1,100% between 2015 and 2017.
  • Wage and tax documentation BEC scams extend the threat beyond wire transfers and continue to grow. The US Internal Revenue Service (IRS) indicated it received approximately 900 reports of Form W-2 scams in 2017 (compared to just over 100 reports in 2016).

The problem is that there is no absolute way to determine whether a mail was sent from a particular sender to a group of recipients.

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.