FBI: Business email compromise has resulted in $43 billion in losses since 2016; BEC attacks increased by 65% between 2019 and 2021


The Federal Bureau of Investigation (FBI) reported that losses from business email compromise (BEC) attacks increased by 65% between July 2019 and December 2021.

In BEC or email account compromise (EAC) attacks, cybercriminals compromise the email accounts of people responsible for making funds transfer requests.

Between June 2016 and July 2019, the FBI’s Internet Crime Complaint Center (IC3) received 241,206 complaints from domestic and international victims, totaling $43 billion in exposed losses.

The FBI listed banks in four Asian countries and Mexico as the main recipients of the illicit funds.

Losses due to BEC attacks on an upward trajectory

IC3 updated a public service alert from September 2019 that reported the amount lost to BEC scams between June 2016 and July 2019 at $26 billion.

Between October 2013 and December 2021, IC3 reported 116,401 BEC scams targeting Americans with exposed dollar losses amounting to $14.76 billion. Internationally, 5,260 victims lost $1.27 billion to BEC attacks.

In 2021, IC3 reported that BEC attacks were the largest contributor to cybercrime losses, with victims losing $2.4 billion across 19,954 complaints.

The FBI attributed the growth in BEC attacks to the COVID-19 pandemic which forced many businesses to transact online.

“In an era where employees continue to work remotely, it’s harder than ever to verify with a colleague whether the request is legitimate,” said Joseph Carson, chief security scientist and CISO advisory at Delinea. “When it seems urgent, most people will fall for such scams.”

Carson noted that proving a BEC attack is difficult because criminals are adept at covering their tracks.

“The main challenge with BEC security incidents is that you need to provide proof that your account was indeed compromised and that the incident was not simply human error,” he added. “Because cybercriminals are really good at hiding their tracks, such evidence can sometimes be very difficult to gather.”

Based on current trends, the FBI predicted that financial losses from BEC attacks would only increase.

“We are not shocked by the figure in the FBI’s public service announcement,” said Andy Gill, principal security consultant at LARES Consulting. “In fact, that number is probably low given that a large number of incidents of this nature go unreported and are swept under the rug.

“BEC attacks continue to be one of the most active attack methods used by criminals because they work. If they didn’t work as well as they do, criminals would change tactics to something with a higher return on investment.”

Main beneficiaries of illicit funds obtained through BEC attacks

Thai and Hong Kong banks were the main recipients of illegal funds acquired through BEC attacks in 2021.

“Based on financial data reported to IC3 for 2021, banks located in Thailand and Hong Kong were the top international destinations for fraudulent funds,” the FBI said.

China, the former primary destination for illicit funds from BEC attacks, came third in 2021, followed by Mexico and Singapore.

IC3 also recorded 59,324 US recipients of $9,153,274,323 in illicit funds from BEC scams between June 2016 and December 2021.

Similarly, 19,731 international recipients received $7,859,268,158 through BEC scams.

Cryptocurrency in Illicit Transfer of BEC Funds

According to the FBI, the anonymity and speed of virtual-currency transactions have helped scammers move their loot.

The bad actors used two routes: direct transfers from the primary BEC victims, or second-hop transfers through victims of other cybercrimes.

In a direct transfer, scammers tricked the BEC victim into sending funds to a cryptocurrency deposit account, and the crooks then converted the loot into cryptocurrency.

In a second-hop transfer, the crooks first tricked victims of other cybercrimes, such as tech support scams, into providing identification documents such as passports.

They then used these stolen documents to open cryptocurrency wallets and move the illegal funds.

Tactics employed by crooks in BEC attacks

According to the FBI, BEC attacks leverage computer hacking or intrusion, social engineering tactics, and phishing to compromise work email accounts. Criminals exploit compromised email accounts for illegal fund transfers to accounts under their control.

BEC scammers usually succeed by posing as trusted or influential people. Their pool of victims includes small, medium and large businesses. Fraudsters also target individuals to gain access to their finances and valuable information.

According to the FBI, a variant of the BEC scam involving the theft of cryptocurrency wallets, salary and tax records (W-2s), and personally identifiable information (PII) was rampant.

How to defend against BEC attacks

The FBI has outlined various measures to protect organizations against BEC attacks.

The agency recommended the use of multi-factor authentication for account changes.

Employees should also confirm that an email really comes from its purported sender by checking the legitimacy of the sender’s address and any URLs in the message.

They should check for subtle misspellings of domain names and email addresses.
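One way to automate the misspelling check described above, as an added example written for this article and not code from the FBI report: a small Python screen that parses a From header, compares the sender’s domain against an allowlist of trusted domains, and flags homoglyph substitutions, small edit distances, a trusted domain buried as a subdomain of an unrelated domain, and a trusted domain that appears only in the display name. The allowlist, the homoglyph table and the sample headers are constructed for illustration.

```python
"""Flag sender addresses whose domain looks like, but is not, a trusted domain.

Hypothetical defensive check written for this article. The trusted-domain
list, homoglyph table and sample headers are constructed, not from the FBI report.
"""
from email.utils import parseaddr

# Constructed allowlist: domains the organisation actually exchanges
# payment instructions with (replace with your own).
TRUSTED_DOMAINS = {"examplecorp.com", "acme-supplier.com"}

# Character substitutions commonly used in lookalike domains, mapped back
# to the characters they imitate before comparison (constructed table).
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Lowercase and undo the homoglyph substitutions above."""
    d = domain.lower().strip().rstrip(".")
    for fake, real in _HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(domain: str) -> str:
    """Last two labels, e.g. 'mail.examplecorp.com' -> 'examplecorp.com'.
    A production deployment should consult the Public Suffix List instead."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', 'display-name-spoof', 'external' or 'unparseable'."""
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rsplit("@", 1)[1].lower()
    reg = registrable_domain(domain)
    if reg in trusted:
        return "trusted"
    # A trusted domain shown in the display name while the real address is elsewhere.
    if any(t in display_name.lower() for t in trusted):
        return "display-name-spoof"
    # A trusted domain used as a subdomain label of an unrelated domain.
    if any("." + t + "." in "." + domain for t in trusted):
        return "lookalike"
    # Small edit distance after homoglyph normalisation (threshold is a tuning choice).
    norm = normalize(reg)
    if any(levenshtein(norm, normalize(t)) <= 2 for t in trusted):
        return "lookalike"
    return "external"


def scan_headers(headers):
    """Classify each From header; returns {header: verdict}."""
    return {h: classify_sender(h) for h in headers}


# Constructed sample From headers covering each verdict.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@examplecorp.com>",
    "Jane Doe <jane.doe@exarnplecorp.com>",
    "Accounts Payable <ap@examp1ecorp.com>",
    '"Jane Doe - examplecorp.com" <jane@evil-domain.test>',
    "Jane Doe <jane@examplecorp.com.mailer-host.net>",
    "Bob <bob@unrelated-vendor.org>",
]

if __name__ == "__main__":
    for header, verdict in scan_headers(SAMPLE_HEADERS).items():
        print(f"{verdict:20} {header}")
```

The edit-distance threshold and the two-label registrable-domain shortcut are simplifications: short or similar legitimate domains will produce false positives, so treat a “lookalike” verdict as a prompt to confirm the request over a secondary channel rather than as proof of fraud, and pair this with SPF, DKIM and DMARC results from the receiving mail server.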

Likewise, employees should avoid sharing sensitive details such as login credentials and personally identifiable information through email messages.

Workers should use secondary channels to confirm transaction information and instructions they receive via email.

Frequent monitoring of financial accounts would also expose suspicious transactions and potential compromises.

Additionally, security teams need to ensure that employees can see the full details of an email rather than an abbreviated view.

The FBI says BEC attacks amounted to $43 billion in total exposed dollar losses out of the 241,206 complaints received between July 2016 and December 2021.

“It’s harder to spot a spear phishing attack on mobile than on desktop,” said Hank Schless, senior director of security solutions at Lookout. “Because mobile devices have smaller screens and a simplified user experience, this means you can’t preview link destinations or verify the identity of the sender. Many of the red flags we’re trained to spot on desktop are nearly impossible to see on mobile.”
