
Business Email Compromise (BEC) Scams Explode Under the GDPR Implementation

Business email compromise (BEC) attacks targeting American companies are exploding, with an increase of over 476% in incidents between Q4 2017 and Q4 2018. Email fraud is up as well, with companies experiencing an increase of over 226%.

These highly targeted attacks use social engineering to identify specific company employees, usually in the finance department, and then convince those employees to wire large sums of money to third-party bank accounts owned by the attackers.

While many older forms of phishing relied on malicious URLs or attachments, BEC criminals are much savvier: they spoof the actual domains of the companies they are targeting, creating convincingly realistic emails that employees believe are legitimate.

In addition, these fraudsters utilize a dynamite-fishing approach, sending vast numbers of these fake emails out under multiple spoofed identities to increasingly larger numbers of targets within the same organization. The idea is that eventually, someone will unwittingly fall for the scheme, rewarding the scammers with a huge financial windfall that has added up to almost $1.1 billion through July of this year alone.

These numbers align with those reported by the Federal Bureau of Investigation (FBI) in July 2018. The FBI report stated that BEC scams have continued to grow and evolve, are targeting businesses of all sizes, from large to small, and now include personal transactions as well. The FBI also reported that between December 2016 and May 2018 there was a 136% increase in identified global exposed losses, and that the scams have been reported in all 50 states and in 150 countries.

Critics of the recent GDPR privacy rule enactment point to this sharp rise in cybercrime as a direct result of an unintended interpretation of the regulation that allows criminals to effectively mask their identities online. As discussed before in this blog, registrars, faced with the potential of massive fines for GDPR violations, have resorted to overly cautious approaches when it comes to revealing any private information about their registrants. In many cases, registrars are refusing to share any information with anyone, including organizations and brand holders with legitimate public safety concerns. This approach to privacy has had the unintended consequence of making it easier for individuals and/or entities with less than honorable intentions to effectively disappear online.

Able to create malicious domains and operate online anonymously, criminals are registering websites and email addresses built specifically to spoof legitimate businesses and employees. As a result, cybercrime has grown into a $600 billion a year business, and it is expected to continue to grow until these issues are resolved.

While the ability to track down these individuals has been hampered, the authorities are doing what they can to curtail these digital criminals.

Federal prosecutors in California recently arrested 14 people and charged 66 more with fraud in a conspiracy they say was tied to Nigeria and intended to defraud victims of millions of dollars. Details of the charges emerged on Thursday following the unsealing of an indictment that includes allegations of even more BEC attacks.

Officials report that the case is part of an ongoing effort to protect American citizens and businesses from fraudulent online schemes.

United States Attorney Nick Hanna released a statement concerning the indictment: “Today, we have taken a major step to disrupt criminal networks that use BEC schemes, romance scams and other frauds to fleece victims. This indictment sends a message that we will identify perpetrators—no matter where they reside—and we will cut off the flow of ill-gotten gains.”

These arrests and charges are just a small drop in a much larger bucket of cybercrime, a bucket that will continue to grow until the unintended loophole of anonymity is effectively closed and cybercriminals are no longer allowed to operate with impunity.

By Frederick Felman, Former Chief Marketing Officer at AppDetex

Comment by Mark Jeftovic, Oct 7, 2019 6:29 PM: "Criminals don't list their details in whois"

The connection of the rise in this type of fraud to GDPR is very tenuous. It's not like criminals listed real info in whois before GDPR came along. The Whois Accuracy Process also does absolutely nothing to curtail this, despite it being the stated aim of the program.

Criminals lie.
