Business email compromise scams jumped a whopping 65% to a total of $43 billion in losses worldwide in just five years, from 2016 to 2021, according to a recent report by the FBI. During this period, over 140 countries received fraudulent transfers, with Thailand, Hong Kong, and China as the top 3 destinations.
In the US, the total victim count is 116,401, with a $14,762,978,290 total dollar loss. The findings are based on data and complaints from the Internet Crime Complaint Center (IC3), compiled since October 2013.
While disturbing, the findings are not exactly surprising. As businesses increasingly go digital, virtually all forms of cybercrime have risen in recent months, including ransomware and zero day attacks. The new approaches and the financial impact of business email compromise is putting organizations under added pressure, as cybercriminals find new ways of making their fraudulent requests appear believable.
According to the announcement, this increase can also be attributed to the restrictions placed on normal business practices during the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually.
Business email compromise (BEC) is a form of social engineering where cybercriminals send an email that appears to come from a known source making a legitimate request.
What are examples of business email compromise scams? The FBI cites the following:
BEC schemes would traditionally target businesses and individuals in finance, payroll, or accounts payable, who often respond to funds-transfer requests. However, they’re now expanding to bigger audiences.
In addition to transfer-of-funds requests, BEC schemes may involve compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even crypto currency wallets.
Similar to phishing, the problem with BEC is that it can often lead to more serious vulnerabilities and malware attacks. Cybercriminals attempt to lure users to click on a link or open an attachment that infects their device, creating a gateway for criminals into the corporate network.
BEC is one of the most financially damaging online crimes, while also easy to conduct. It exploits the increased reliance on email for personal and professional affairs, and the trust that victims have already established with third party institutions.
This sometimes makes business email compromise hard to detect, as it’s not as evident as clicking on a suspicious link or downloading a malicious file.
Scammers have refined their campaigns with techniques such as fake voice technology, website spoofing, fraudulent social media and employee profiles, in order to make their emails more believable. They often infiltrate a company’s network and create fake receivable accounts to conduct their scams.
According to SC Magazine, IC3 also reported the percentage of cryptocurrency-based complaints and losses increased significantly in 2021, with cybercriminals opting to request funds in the form of cryptocurrency because these transactions can occur quickly and tend to lack an audit trail. Cybercriminals have stolen cryptocurrency through both direct transfers to a crypto-exchange or an indirect or “second hop” transfer to an exchange, according to the IC3’s findings.
Our survey found that 76% of users change their passwords only when they have to. Are your vendors enforcing security standards that keep your business safe?
Get the latest research on password usage and learn how to protect credentials across your supply chain.
|This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
|The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
|This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
|This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
|This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".