Business Email Compromise Still Reigns
Last month, the Federal Bureau of Investigation released its 2018 Internet Crime Complaints Center (IC3). The annual report provides readers a glimpse into the types of cybercrimes being reported to the FBI and the trending threats the Bureau has responded to in the last year. In 2018 alone, the IC3 responded to over 350,000 complaints, an average of more than 900 a day, and observed an estimated $2.7 billion in financial losses as a result of reported cybercrime. Of the almost $3 billion in losses, Business Email Compromise (BEC) or Email Account Compromise (EAC) fraud accounted for nearly $1.3 billion of adjusted loss, equaling almost half of the overall reported losses for 2018.
Why is BEC so prevalent?
BEC/EAC scams cost nearly $1 billion more in adjusted losses than the next highest attack, Confidence/Romance scams, which reported a loss amount of $362 million. This significant difference shows the prevalence of BEC scams. When analyzing the market for stolen corporate email accounts, researchers from Digital Shadows found that corporate email accounts can be compromised for as little as $150. According to the FBI these scams, targeting both businesses and individuals, have resulted in $12 billion in losses since October 2013. There are plenty of opportunities for attackers, too; there are already more than 33,000 accounting email credentials already publicly exposed, and 12.5 million email archive files exposed across misconfigured online file stores.
Mitigating BEC risks
BEC scams are becoming increasingly profitable for threats actors, making it easier for adversaries to gain access to the valuable information that sits within email inboxes. Organizations may not be able to mitigate these issues entirely; however, tightening up processes will ensure data exposure is kept to a minimum.
• Update security awareness training content to include BEC scenarios.
• Develop BEC contingency plans per existing incident response/business continuity planning for ransomware and malware.
• Build in manual controls, as well as multiple person authorizations, to approve significant wire transfers in concert with wire transfer application vendors.
• Monitor for exposed credentials, including finance department emails and user accounts that could be used to perform account takeovers.
• Conduct ongoing assessments of executives’ digital footprints and take measures to remove sensitive data that could leave them exposed.
• Set limits for third parties who may inadvertently create risk. Contractors who back up their emails on Network Attached Storage (NAS) devices should add a password and disable guest/anonymous access, as well as opt for NAS devices that are secured by default.
In addition to these precautions, the IC3’s dedicated Recovery Asset Team (RAT), established in February 2018 to open more direct communication channels with financial institutions to help combat BEC/EAC fraud, has shown a recovery rate of 75%. Additionally, a new role at IC3 called Victim Specialists-Internet Crimes (VSIC) provides crisis intervention and critical resources to victims of cybercrime activity.
A look at other attacks
According to the FBI, extortion-style attacks also increased in 2018, rising 242% from the previous year and resulting in a reported $83 million in losses. The majority of extortion complaints handled by the IC3 were related to the mass sextortion campaigns being distributed in the latter half of the year.
Less common than BEC fraud, but noteworthy for its high financial impact, are payroll diversion scams. In this exploit, a threat actor gains access to an employee’s payroll account, disables any notifications that may alert the employee to account changes, and replaces the employee’s direct deposit information with their own. According to IC3’s statistics, payroll diversion averaged $1 million per incident compared to BEC’s almost $59,000. From the 100 complaints of victims reportedly affected by a payroll diversion scam, the combined losses totaled $100 million.
IC3 complaints and reported losses are increasing
Since 2014 complaints to IC3 have steadily increased, but 2018 saw an alarming escalation, with approximately 50,000 more complaints lodged than in 2017, or nearly 15 times more than the previous year’s gains.
The FBI maintains national and global partnerships with public and private industries and can bring the full weight of the entire U.S. intelligence community when conducting investigations. In the immediate aftermath of a potential incident or attack the FBI recommends companies:
• Follow the company emergency plan and start protecting data
• Call the local FBI field office
• Either preserve the original media as evidence or make a forensic image
• Conduct internal analysis from a copy rather than original (if possible)
• Gather all pertinent log files including DNS, firewall, proxy, system event logs, etc. Contact ISP for possibility of additional logs.
• Conduct damage assessment including damage valuation
The above information can be extremely helpful for investigators. Additionally, if you wish to file a direct complaint online, visit the Internet Crime Complaint Center.