Hacker at desktop using laptop with emails in background showing Business Email Compromise BEC attacks

FBI: Business Email Compromise Resulted in Losses of $43 Billion Since 2016; BEC Attacks Increased by 65% Between 2019 and 2021

The Federal Bureau of Investigation (FBI) reported losses from business email compromise (BEC) attacks increased by 65% between July 2019 and December 2021.

BEC attacks or Email Account Compromise (EAC) involve cybercriminals compromising the accounts of individuals responsible for making fund transfer requests.

Between June 2016 and July 2019, the FBI’s Internet Crime Complaint Center (IC3) received 241,206 complaints from domestic and international victims, amounting to $43 billion in total exposed dollar loss.

The FBI listed four Asian countries’ banks and Mexico as the primary recipients of illicit funds.

Losses from BEC attacks on an upward trajectory

IC3 updated a September 2019 public service alert that reported the amount lost through BEC scams between June 2016 and July 2019 at $26 billion.

Between October 2013 and December 2021, IC3 reported 116,401 BEC scams targeting Americans with exposed dollar losses amounting to $14.76 billion. Internationally, 5,260 victims lost $1.27 billion through BEC attacks.

In 2021, IC3 reported BEC attacks as the biggest contributor to cybercrime losses, with victims losing $2.4 billion from 19,954 complaints.

The FBI attributed the growth of BEC attacks to the COVID-19 pandemic that forced many businesses to complete transactions online.

“At a time when employees continue to work remotely, it is more difficult than ever to verify with a colleague whether the request is legitimate,” Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea said. “When it appears to be urgent, most people will fall for such scams.”

Carson noted that proving BEC attacks was challenging because criminals are experienced in hiding their tracks.

“The major challenge with BEC security incidents is that you have to provide evidence that your account was indeed compromised and the incident was not just human error,” he added. “With cybercriminals being really good at hiding their tracks, such evidence can sometimes be very difficult to gather.”

Based on the current trends, the FBI predicted that financial losses from BEC attacks would only continue to increase.

“We’re not shocked at the figure stated in the FBI Public Service Announcement,” Andy Gill, Senior Security Consultant at LARES Consulting, said. “In fact, this number is likely low given that a large number of incidents of this nature go unreported and are swept under the rug.

“BEC attacks continue to be one of the most active attack methods utilized by criminals because they work. If they didn’t work as well as they do, the criminals would switch tactics to something with a larger ROI.”

Primary recipients of illicit funds obtained through BEC attacks

Thailand and Hong Kong banks were the primary recipients of illegal funds acquired through BEC attacks in 2021.

“Based on the financial data reported to the IC3 for 2021, banks located in Thailand and Hong Kong were the primary international destinations of fraudulent funds.”

China, the previous top destination for the illicit funds from BEC attacks, emerged third in 2021, followed by Mexico and Singapore.

IC3 also recorded 59,324 U.S. recipients of $9,153,274,323 in illicit funds from BEC scams between June 2016 and December 2021.

Similarly, 19,731 international recipients collected $7,859,268,158 from BEC scams.

Cryptocurrency in illicit BEC funds transfer

According to the FBI, the high degree of anonymity and the high transaction speeds aided scammers in transferring their loot via virtual currencies.

Bad actors completed direct transfers via primary BEC victims or a second hop transfer via victims of other cybercrimes.

The scammers tricked BEC scam victims into sending funds to cryptocurrency custodial accounts in direct transfers. The scammers later converted the loot into cryptocurrency.

In the second hop transfer, the scammers tricked the victims of other cybercrimes such as tech support to provide identifying documents such as passports.

The scammers used these stolen documents to open cryptocurrency wallets and transfer illegal funds.

Tactics employed by scammers in BEC attacks

According to the FBI, BEC attacks leverage hacking or computer intrusion, social engineering tactics, and phishing to compromise business email accounts. The criminals exploit the compromised email accounts for illegal fund transfers to accounts under their control.

BEC scammers are usually successful by impersonating trusted or influential individuals. Their victim pool includes small, medium, and large businesses.  Fraudsters also target individuals to gain access to their finances and valuable information.

According to the FBI, a mutation of the BEC scam involving the theft of cryptocurrency wallets, Wage and Tax Statement (W-2), and personally identifiable information (PII), was rampant.

How to defend against BEC attacks

The FBI outlined various steps to protect organizations against BEC attacks.

The agency recommended the use of multi-factor authentication to account changes.

Employees should also verify that emails originate from the purported sender by checking the legitimacy of the sender’s email and URLs.

They should check for subtle misspellings of domain names and email addresses.

Similarly, employees should avoid sharing sensitive details such as login credentials and identifiable personal information via email messages.

Workers should use secondary channels to confirm transaction information and instructions they receive via emails.

Frequent monitoring of financial accounts would also expose suspicious transactions and potential compromise.

Additionally, security teams should ensure that employees can view the full details of an email.

FBI says BEC attacks amounted to $43 billion in total exposed dollar losses from the 241,206 complaints received between July 2016 and December 2021. #cybersecurity #respectdataClick to Tweet

“It’s harder to spot a spear-phishing attack on mobile than it is on a desktop,” Hank Schless, Senior Manager, Security Solutions at Lookout, said. “Since mobile devices have smaller screens and a simplified user experience, which means you can’t preview link destinations or verify the sender’s identity. A lot of the red flags we’re trained to spot on desktops are nearly impossible to see on mobile.”