FBI: Business Email Compromise attacks have resulted in more than $43 billion in losses since 2016
More than $43 billion has been lost to business email compromise (BEC) and email account compromise (EAC) fraud since 2016, according to data released by the FBI on Wednesday.
The FBI and its Internet Crime Complaint Center (IC3) said in an alert that, combining domestic and international exposed dollar losses reported from June 2016 through December 2021, 241,206 incidents accounted for $43.31 billion.
The figures come from incidents reported to IC3, law enforcement and filings with financial institutions.
BEC scams are a widespread form of attack in which criminals use social engineering or computer intrusion to compromise legitimate business or personal email accounts and then use that access to trigger unauthorized transfers of funds.
The FBI noted that there are now variations of the scam that involve stealing employee personal information, payroll and tax return (W-2) forms, or even cryptocurrency wallets.
Andy Gill, senior security adviser at LARES Consulting, said the numbers in the report are likely on the low end of the actual numbers, as a large number of incidents go unreported.
BEC attacks are often carried out by a threat actor phishing their initial target to gain access to an email inbox, Gill said. From there, he noted, they typically scan the inbox for high-value threads, such as discussions with suppliers or conversations with others inside the company, and use those to initiate further attacks against employees or external parties.
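The post-phishing reconnaissance Gill describes (sign in to a stolen mailbox, then search it for supplier and payment threads) leaves a trace in mailbox audit logs, and that trace is the detection opportunity. The following is an added example, not code from the article or from any vendor quoted in it. It assumes a simplified, constructed audit-event format (one dict per event with `ts`, `user`, `op`, `ip` and, for searches, `query`); real mailbox audit logs use different field names, so the parser is the part to adapt. It flags a sign-in from an IP address not in the user's baseline that is followed, within a short window, by a burst of payment-themed searches.

```python
"""Flag BEC-style mailbox reconnaissance: a sign-in from an unfamiliar IP
followed by a burst of searches for supplier/payment threads.

Added example with a constructed event format; not the article's code.
"""
import re
from datetime import datetime, timedelta

# Terms an intruder typically searches for once inside a mailbox. Word
# boundaries keep "bank" from matching "bankrupt" and similar noise.
RECON_RE = re.compile(
    r"\b(invoice|wire|payment|remittance|bank|supplier|vendor|purchase order)\b",
    re.IGNORECASE,
)
WINDOW = timedelta(hours=2)   # searches must follow the sign-in this closely
MIN_HITS = 3                  # recon-style searches needed before alerting


def is_recon_query(query: str) -> bool:
    """True if a mailbox search looks like hunting for money-movement threads."""
    return bool(RECON_RE.search(query))


def find_recon_sessions(events, known_ips):
    """Return one alert per sign-in from an unknown IP that is followed by
    MIN_HITS or more recon-style searches within WINDOW.

    events:    iterable of dicts {ts, user, op, ip, query?}, ts in ISO 8601
    known_ips: baseline dict user -> set of IPs seen during a quiet period;
               copied, then extended as sign-ins are processed so a repeat
               sign-in from the same unfamiliar IP does not alert twice.
    """
    known = {user: set(ips) for user, ips in known_ips.items()}
    session = {}   # user -> the most recent sign-in and its searches
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["op"] == "login":
            novel = e["ip"] not in known.setdefault(user, set())
            known[user].add(e["ip"])
            session[user] = {"user": user, "ip": e["ip"], "start": ts,
                             "novel_ip": novel, "queries": []}
        elif e["op"] == "search":
            sess = session.get(user)
            if sess is None or ts - sess["start"] > WINDOW:
                continue
            if is_recon_query(e["query"]):
                sess["queries"].append(e["query"])
                # Emit the alert exactly once, when the threshold is crossed;
                # later hits keep accumulating on the same alert record.
                if sess["novel_ip"] and len(sess["queries"]) == MIN_HITS:
                    alerts.append(sess)
    return alerts


# Constructed sample events (not real log data). Times are ISO 8601 so the
# sort key is correct without parsing.
SAMPLE_EVENTS = [
    # accounts-payable user, normal day from the office address
    {"ts": "2021-11-02T08:05:00", "user": "ap@example.com", "op": "login", "ip": "203.0.113.10"},
    {"ts": "2021-11-02T08:07:00", "user": "ap@example.com", "op": "search", "ip": "203.0.113.10", "query": "team offsite"},
    {"ts": "2021-11-02T09:00:00", "user": "ap@example.com", "op": "search", "ip": "203.0.113.10", "query": "invoice 4471"},
    # same mailbox, evening sign-in from an unfamiliar address, then recon burst
    {"ts": "2021-11-02T22:14:00", "user": "ap@example.com", "op": "login", "ip": "198.51.100.77"},
    {"ts": "2021-11-02T22:15:00", "user": "ap@example.com", "op": "search", "ip": "198.51.100.77", "query": "invoice"},
    {"ts": "2021-11-02T22:16:00", "user": "ap@example.com", "op": "search", "ip": "198.51.100.77", "query": "wire transfer"},
    {"ts": "2021-11-02T22:16:30", "user": "ap@example.com", "op": "search", "ip": "198.51.100.77", "query": "vendor bank details"},
    {"ts": "2021-11-02T22:18:00", "user": "ap@example.com", "op": "search", "ip": "198.51.100.77", "query": "payment remittance"},
    # HR user from a new address but with ordinary searches: no alert
    {"ts": "2021-11-02T10:00:00", "user": "hr@example.com", "op": "login", "ip": "198.51.100.5"},
    {"ts": "2021-11-02T10:01:00", "user": "hr@example.com", "op": "search", "ip": "198.51.100.5", "query": "onboarding checklist"},
]
KNOWN_IPS = {"ap@example.com": {"203.0.113.10"}, "hr@example.com": {"203.0.113.10"}}

if __name__ == "__main__":
    for a in find_recon_sessions(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"ALERT {a['user']} from {a['ip']} at {a['start']}: {a['queries']}")
```

The baseline matters more than the keyword list: a finance user searching for "invoice" from a known office address is normal, so the rule only fires when both signals (unfamiliar source and payment-themed reconnaissance) coincide. In production the `known_ips` baseline would come from a lookback over the same audit source, and the alert should be joined with the sign-in's own risk signals rather than acted on alone.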
FBI Assistant Director Paul Abbate said BEC crimes resulted in 19,954 complaints in 2021 alone, with an adjusted loss of nearly $2.4 billion.
The FBI found a 65% increase in identified global exposed losses between July 2019 and December 2021, attributing the sharp rise to the COVID-19 pandemic.
“The BEC scam has been reported in all 50 states and 177 countries, with over 140 countries receiving fraudulent transfers,” the FBI said.
“Based on financial data reported to IC3 for 2021, banks in Thailand and Hong Kong were the top international targets for fraudulent funds. China, which has been among the top two destinations in previous years, took third place in 2021, followed by Mexico and Singapore.”
The FBI found that between October 2013 and December 2021, 116,401 BEC incidents against US victims were reported in complaints to the IC3, with a disclosed dollar loss of $14.76 billion.
Over the same period, law enforcement received 5,260 complaints from non-US victims, with $1.27 billion in losses.
Over the past few years, an increasing number of victims have come forward to complain about BEC attacks focused on cryptocurrencies.
“By 2019, reports increased, reaching their highest number ever in 2021 with just over $40 million in disclosed losses,” the FBI said.
Several security experts said the shift to teleworking and home learning during the COVID-19 pandemic has fueled the rise in BEC attacks.
Delinea's advisory CISO, Joseph Carson, said it is harder than ever to check with a colleague whether a request is legitimate.
“When it seems urgent, most people fall for such scams. The biggest challenge with BEC security incidents is that you have to prove that your account was actually compromised and that the incident wasn’t just the result of human error,” Carson explained.
“Because cybercriminals are very good at covering their tracks, gathering evidence like this can sometimes be very difficult. Victims sometimes prefer not to report incidents when the amount is quite small.”
JupiterOne’s Sounil Yu noted that BEC actors have a whole support structure that makes the scams possible.
A key element of that support structure, according to Yu, is the money mule: a person who moves the stolen funds through their own accounts so that the BEC actors can cash them out.
“Broader awareness campaigns and tougher (and public) penalties for money mules could reduce the supply of money mules and subsequently hamper the ability for BEC actors to steal the embezzled funds,” Yu said.
“If those money transfers can be slowed or stopped, victims have an opportunity to reclaim those funds if they suspect foul play.”