The Federal Bureau of Investigation's 2019 annual Internet Crime Report included 467,361 complaints about suspected internet crime with losses of $3.5 billion. Of those cases, 23,775 of them were business email compromises (BEC). $1.7 billion, or roughly half, of the total losses in 2019 were attributed to generic email account compromise (EAC) complaints.
The back of the napkin math isn't pretty. Taking into account unknowables, we're talking about a ballpark cost of roughly $75,000 per BEC-related complaint. That is exponentially more expensive than other cyber events. Consider that the average cost for a ransomware attack against a business is about $4,400, and your run of the mill phishing incident weighs in at a much less hefty $500. Perhaps most importantly, the FBI report's 2019 numbers are significantly higher figure than the reported $1.3 billion in BEC scam-related losses the year before.
While BEC scams had the highest financial impact, it's worth noting other ishing scams had the highest number of reported incidents in 2019, with 114,702 victims and $57 million in damages, followed by 38,218 reports of personal data breaches and 16,053 reports of identity theft: the scammers collective haul was $120 million and $160 million respectively.
So Isn't BEC Just Another Form of Phishing?
BEC has a home In the pantheon of ishings. Also known as "CEO fraud" and "W2 fraud," BEC is a very damaging form of phishing--one that riffs off the whaling method, where the hacker's goal is to trick a c-suite employee into clicking a link or opening an attachment. BEC turns the whaling method around, spoofing the email of a higher-up and sending an urgent communication to someone in a position to wire money. But it takes other forms. With the W2 variety, a citizen of the c-suite requests all the W2s from human resources or accounting--thereby collecting a rich file of personally identifiable information that can be used to commit tax-related fraud as well as all stripe of identity theft.
"BEC/EAC is a sophisticated scam targeting both businesses and individuals performing a transfer of funds," explained the report. "The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds."
The report warned that the methods used by hackers to perpetrate BEC scams were becoming more complicated and difficult to detect.
"BEC/EAC is constantly evolving as scammers become more sophisticated...BEC/EAC scams routinely began with the hacking or spoofing of the email accounts of chief executive officers or chief financial officers, and fraudulent emails were sent requesting wire payments be sent to fraudulent locations. Over the years, the scam evolved to include compromise of personal emails, compromise of vendor emails, spoofed lawyer email accounts, requests for W-2 information, the targeting of the real estate sector, and fraudulent requests for large amounts of gift cards," stated the report.
The report also noted an uptick in BEC scams targeting payroll funds in 2019.
"In this type of scheme, a company's human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period. The new direct deposit information generally routes to a pre-paid card account."
One bright spot in the report was the first full operational year of the IC3's Recovery Asset Team (RAT), which was formed to help victims of BEC schemes get back stolen funds. Functioning as a liaison between law enforcement and financial institutions, the RAT has already enabled the recovery of more than $304 million of the $384 million stolen in 1,307 incidents in 2019.
But don't let the 79% recovery rate lull you into a false sense of security. The loss of time, worker focus and business opportunities can be catastrophic is the aftermath of an attack, and is yet another reason no company should be without a robust cyber insurance policy in place.
It's Time to Do Something
The FBI regularly warns businesses, non-profit organizations, and governments about the dangers posed by BEC scams.
In September 2019, the Bureau announced that the losses from BEC scams had doubled between May 2018 and July 2019. This was shortly followed by a worldwide enforcement operation that included the cooperation of the U.S. Department of Justice, the U.S. Department of Homeland Security, the U.S. Department of the Treasury, the U.S. Postal Inspection Service, and the U.S. Department of State. It led to 281 arrests worldwide and 74 arrests in the United States--all for BEC-related offenses.
"The devastating effects these cases have on victims and victim companies affect not only the individual business but also the global economy," wrote the U.S. Department of Justice of the operation.
Despite these efforts, losses from BEC scams are expected to continue to rise in 2020.
The FBI and IC3's provides guidance for victims of BEC scams. Here is the post-BEC to-do list:
Contact the originating financial institution once fraud is identified.
File a detailed complaint on the IC3's website, ic3.gov.
Follow up regularly on ic3.gov for public service announcements regarding BEC tends.
Verify any payment charges with the intended recipient.
Most importantly, the FBI encourages victims of cybercrime to continue to file reports to law enforcement.
"Information reported to the IC3 helps the FBI gain a better understanding of cyberadversaries and the motives behind their activities... Working together we hope to create a safer, more secure cyber landscape ensuring confidence as we traverse through a digitally-connected world," concluded the opening message of the report from the FBI Cyber Division's Assistant Director Matt Gorham.
While there is no solution to the scourge of email-related crimes, we can all help put into practice behaviors that make it harder for the scammers to succeed. Establishing a general work culture where caution is encouraged is the first order of business. In a work environment where the dangers are manifold and more or less non-stop, a cultural shift needs to happen. We need to always assume that a scam may be afoot, and proceed accordingly. Our motto: "Distrust AND verify." A culture of caution has never been more important.