More than $43 billion has been lost through Business Email Compromise and Email Account Compromise scams since 2016, according to data released Wednesday by the FBI.
The FBI and its Internet Crime Complaint Center (IC3) said in an alert that when it combined domestic and international exposed dollar loss from June 2016 and December 2021, it found that $43.31 billion was taken across 241,206 incidents.
The figures are derived from incidents reported to IC3, law enforcement and filings with financial institutions.
BEC scams are popular attacks where hackers compromise legitimate business or personal email accounts through social engineering or computer intrusion before conducting unauthorized transfers of funds.
The FBI noted that there are now variations of the scam involving the theft of employees’ personally identifiable information, Wage and Tax Statement (W-2) forms or even cryptocurrency wallets
Andy Gill, senior security consultant at LARES Consulting, said the numbers in the report are likely the low end of the actual figures given that a large number of incidents go unreported.
BEC attacks are often conducted by a threat actor phishing their initial target to gain access to email inboxes, Gill said, noting that from there, they will typically search inboxes for high-value threads, such as discussions with suppliers or discussions with others within the company, to initiate further attacks either against employees or external parties.
Paul Abbate, deputy director of the FBI, said BEC crimes led to 19,954 complaints with an adjusted loss of nearly $2.4 billion in 2021 alone.
The FBI noted that there was a 65% increase in identified global exposed losses between July 2019 and December 2021, attributing the stark increase to the COVID-19 pandemic.
“The BEC scam has been reported in all 50 states and 177 countries, with over 140 countries receiving fraudulent transfers,” the FBI explained.
“Based on the financial data reported to the IC3 for 2021, banks located in Thailand and Hong Kong were the primary international destinations of fraudulent funds. China, which ranked in the top two destinations in previous years, ranked third in 2021 followed by Mexico and Singapore.”
The FBI found that there were 116,401 BEC scams targeting US citizens that were reported in complaints to the IC3 between October 2013 and December 2021 resulting in an exposed dollar loss of $14.76 billion.
The law enforcement agency got 5,260 complaints from non-US victims that resulted in $1.27 billion in losses.
In recent years, more victims have come forward to complain of BEC attacks centered around cryptocurrency.
“By 2019, reports had increased, culminating in the highest numbers to-date in 2021 with just over $40M in exposed losses,” the FBI explained.
A chart of cryptocurrency-related BEC scams. Image: FBI
Several security experts said the move to teleworking and learning from home during the COVID-19 pandemic spurred the increase in BEC attacks.
Delinea CISO Joseph Carson said it is harder than ever to verify with a colleague whether the request is legitimate.
“When it appears to be urgent, most people will fall for such scams. The major challenge with BEC security incidents is that you have to provide evidence that your account was indeed compromised and the incident was not just human error,” Carson explained.
“With cybercriminals being really good at hiding their tracks, such evidence can sometimes be very difficult to gather. Victims sometimes prefer not to report incidents if the amount is quite small.”
JupiterOne’s Sounil Yu noted that BEC actors have an entire support structure enabling the scams.
One key element of the support structure, according to Yu, is the function of money mules, who are individuals that move the stolen funds and enable BEC actors to access the funds.
“Broader awareness campaigns and stricter (and public) penalties for money mules could reduce the supply of money mules and subsequently, hinder the ability for BEC actors to steal the misappropriated funds,” Yu said.
“When those fund transfers can be slowed or stalled, it gives victims a chance to claw back those funds when they suspect foul play.”