FBI: BEC Losses Totaled $1.7 Billion in 2019Business Email Compromises Accounted for Nearly Half of Cybercrime Losses Last Year
Cybercrime led to $3.5 billion in losses in the U.S. last year, with a sharp uptick in business email compromise scams – which accounted for nearly half those losses, according to a newly released FBI Internet Crime Report, which is based on complaints the FBI received.
Donna Gregory, the head of the FBI’s Internet Crime Complaint Center, or IC3 – which issued the report - notes that the FBI didn't see an uptick in new types of fraud but rather saw criminals deploying new tactics and techniques to carry out existing scams, which helped the fraudsters increase their ill-gotten payouts.
"Criminals are getting so sophisticated," Gregory says. "It is getting harder and harder for victims to spot the red flags and tell real from fake."
Overall, the IC3 received 467,361 reports of internet-related crimes last year, averaging about 1,300 complaints daily, according to the report. The FBI received nearly 24,000 complaints about BEC scams last year, with a total loss of $1.7 billion and an average loss of about $72,000, according to the report.
By comparison, 2,047 ransomware attacks reported to the FBI last year led to losses of about $8.9 million, the report shows (see: DoppelPaymer Ransomware Gang Threatens to Dump Victims' Data).
BEC Scam Trends
BEC scams, also referred to as CEO fraud, typically start with attackers stealing the email credentials of a top executive through phishing or other methods, according the FBI report.
The attackers then impersonate that executive, sending urgent messages to lower-level employees to transfer or wire money to bank accounts. These scams, which typically involve a criminal spoofing a legitimate email address, have given fraudsters a low-cost way to target potentially high-value victims, the FBI says.
In the IC3 report, FBI agents noted an increase in the number of BEC complaints related to fraudsters targeting payroll funds in order to divert that money to their accounts, according to the report.
"In this type of scheme, a company's human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period," according to the report. "The new direct deposit information generally routes to a pre-paid account."
In January, security firm Agari described another variation on BEC scams, where some cybercriminals focus on accessing companies' financial documents, which provide useful information to support the theft of funds (see: BEC Fraudsters Targeting Financial Documents: Report).
Last July, the U.S. Treasury Department's Financial Crimes Enforcement Network published a report that found BEC scams were surging, with manufacturing and construction firms getting hit the hardest (see: BEC Scams Cost U.S. Companies $300 Million Per Month: Study).
Fraudsters are using BEC scams because they’re relatively easy to launch, Sherrod DeGrippo, senior director of threat research and detection at security firm Proofpoint.
"All it takes is one spoofed, socially engineered email that plays on human nature to respond quickly and act," DeGrippo tells Information Security Media Group. "It's far easier to manipulate one person to click on an email, provide their login credentials, download a PDF from a cloud application, or wire funds to a fraudulent bank account. Email is a more lucrative and effective approach than targeting infrastructure itself."
One way to counter these schemes is to create a layered defense that includes security within the cloud, at the edge of the network, the email gateway and the endpoint itself to help reduce the probability that the initial phishing finds the first victim that opens the door to the larger scam, DeGrippo says.
Arrests Made Last Year
As the number of BEC and related scams continues to increase, the FBI, Justice Department and local law enforcement have started to make more arrests related to these types of cybercrimes.
In a global crackdown last September, 281 suspects were arrested as part of the four-month investigation called "Operation reWired." Most of the arrests were made in Nigeria, which continues to be a hub of these types of scams (see: Business Email Compromise Crackdown: 281 Suspects Busted).
And in August 2019, 80 suspects were indicted by the U.S. Justice Department for running a global business email compromise scam that led to millions of dollars in fraud and allegedly involved a complex money-laundering operation (see: 80 Indicted for Scams, Including Business Email Compromises).
Managing Editor Scott Ferguson contributed to this report.