American company lost $100 million to BEC fraud

US prosecutors confirmed on Thursday that an American firm lost nearly $100 million in a BEC (business email compromise) scam.

The Reuters Agency reported that an unidentified American company was the victim of a clamorous email fraud, scammers have stolen from the firm nearly $100 million.

According to the US authorities, fraudsters used a fake email address in order to pose as one of its legitimate business partners.

Reuters reported the US authorities have filed a civil forfeiture lawsuit in federal court in New York seeking to recover nearly $25 million derived from the fraud which is being held in at least 20 bank accounts around the world.

The authorities confirmed about $74 million has been returned to the US company.

According to Tom Brown, a former Manhattan federal prosecutor the complaint filed on Thursday “appears to be the largest email scam that I’ve seen.”

This is another clamorous case of BEC (business email compromise) scam suffered by a US company. A week ago, a report issued by the FBI revealed that cyber criminals have pilfered more than $2.3bn from 17,642 victims since 2013 with BEC attacks.

It is a critical situation, the number of business email compromise BEC scams continues to increase on a global scale.

“The Business Email Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. Formerly known as the Man-in-the-E-mail Scam, the BEC was renamed to focus on the “business angle” of this scam and to avoid confusion with another unrelated scam.” reports the statement issued in 2015 by Internet Crime Complaint Center (IC3) and the FBI.

The BEC scam has been going on from August to September and was discovered when a Cyprus-based bank noticed suspicious transfers.

According to authorities, the scammers created a fake email address that resembled that of one of the company’s vendors in Asia.

“The perpetrators then posed as a vendor while communicating with a professional services company that was hired to handle the details and logistics of vendor payments for the American corporation, the lawsuit said.” states the Reuters.

The lawsuit reported that scammers convinced the American company to send $98.9 million to an account at Eurobank Cyprus Ltd, which is the bank that noticed the suspect transfers.

The Eurobank without any forcing restrained nearly $74 million of the funds in September.

“The remaining $25 million was laundered through other accounts in locations including Cyprus, Latvia, Hungary, Estonia, Lithuania, Slovakia, and Hong Kong, authorities said.” continues the lawsuit.

The prosecutors have followed the money across banks worldwide, they requested foreign governments to restrain the accounts used in the BEC scam and 20 of them have refunded the stolen funds.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Cybercrime, BEC attacks)