New online financial scam costs victims $130K per attack

  • "Business-email compromise" scams target financial services firms and their clients through phishing.
  • A successful attack nets an average $130,000 loss per scheme.
  • Between 2013 and 2016, these schemes resulted in a total dollar loss of $5.2 billion.

If you get an email from a seemingly trusted source asking you to wire some money or share some sensitive information, it might be best to hit the delete button.

That email just might be a phishing attempt in a business-email compromise scheme, or BEC, a new scam that resulted in a $5.2 billion loss between Oct. 1, 2013, and Dec. 31, 2016, according to the Federal Bureau of Investigation.

This latest twist on ripoffs was the subject of a Wednesday panel at TD Ameritrade's National LINC conference in Orlando.

"Your firm is always at risk," said Stephen Dougherty, a panelist and financial fraud investigator with Firebird Analytical Solutions & Technologies.

Hackers who excel at this scam are well rewarded for their efforts. A successful attack averages a $130,000 loss per scheme, according to Dougherty.

In comparison, a traditional bank robbery averages a $3,816 loss per successful act.

This is how hackers exploit advisors and their clients.


Hackers find ways to break through companies' defenses. For instance, a crime ring might gather information on a business and attack employees through phishing emails.

Crooks may impersonate clients in an attempt to fool employees at the firm into wiring money to them. See below for an illustration.

Double the pain

Firms that have fallen victim to ransomware attacks — wherein a hacker will take possession of data and hold it for a specified amount of money — tend to get burned twice.

"They don't just hold your data, they parse through it and exploit it later," said Dougherty.

Firms that were victims of business-email compromise schemes were often victims of ransomware attacks just months earlier, he said.

Though local, state and federal law-enforcement authorities may collaborate to pursue schemers, the firm itself is often its own first line of defense.

See below for tips on how to safeguard yourself against a data breach.