FBI: BEC scams accounted for half of the cyber-crime losses in 2019



The FBI received 467,361 internet and cyber-crime complaints in 2019, which the agency estimates have caused losses of more than $3.5 billion, the bureau wrote in its yearly internet crime report released today.

The FBI said that almost half of the reported losses — an estimated $1.77 billion — came from reports of BEC (Business Email Compromise), also known as EAC (Email Account Compromise) crimes.

BEC/EAC is a sophisticated scam targeting businesses and individuals performing wire transfer payments.

“At its heart, BEC relies on the oldest trick in the con artist’s handbook: deception,” the FBI said back in 2017, when it started receiving an increased number of BEC scam reports.

A typical BEC scam happens after hackers either compromise or spoof an email account belonging to a legitimate person or company. They use this email account to send fake invoices or business contracts. These are sent to employees in the same company, or to upstream/downstream business partners.

The idea is to trick counterparts into wiring money into the wrong bank accounts.

BEC scams are popular because they (1) are dead simple to execute and (2) don’t require advanced coding skills or complex malware.

According to the FBI’s 2019 Internet Crime Report, BEC scams were, by a considerable margin, the most damaging and effective type of cyber-crime in 2019.

Only 23,775 BEC victims accounted for $1.77 billion in losses, which is on average $75,000 per complaint.

In comparison, phishing/smishing/vishing accounted for $500 in losses per complaint, while ransomware averaged $4,400.


“In 2019, the IC3 observed an increase in the number of BEC/EAC complaints related to the diversion of payroll funds,” the FBI said.

“In this type of scheme, a company’s human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period. The new direct deposit information generally routes to a pre-paid card account.”

Ransomware situation

Another point of interest in the FBI’s internet crime report for 2019 was ransomware. Last year, we saw a decrease in the number of complaints and a rise in the amount of losses caused by ransomware incidents.

This year, losses continued to increase, but the number of ransomware incidents spiked right back up. All in all, the report’s findings are surprising.

2019 has been a year flooded with news about ransomware infections hitting left and right. Companies in the private sector, managed service providers, schools, and municipalities have been hit the most.

According to reports from Armor and Emsisoft, ransomware crews had US entities in their sights last year. Emsisoft reported that in 2019 ransomware hit:

  • 113 state and municipal governments and agencies.
  • 764 healthcare providers.
  • 89 universities, colleges and school districts, with operations at up to 1,233 individual schools potentially affected.

Year    Complaints    Losses
2013    991           $539,562
2014    1,402         $490,577
2015    2,453         $1,620,814
2016    2,673         $2,431,261
2017    1,783         $2,344,365
2018    1,493         $3,621,857
2019    2,047         $8,965,847

While not all entities might have filed reports with the FBI’s IC3, the FBI’s report reflects what we’ve seen from independent third-party reporting.

2018 was a down year for ransomware gangs, as there was a general shift in tactics from mass-email distribution to individual attacks aimed at a small number of very high-profile targets.

As this new mode of operation became more popular in 2019, new ransomware gangs joined the fold, increasing the number of attacks from what we saw in 2018.

According to multiple experts, both BEC and ransomware attacks are expected to continue to rise in 2020, as there’s little to deter cyber-crime groups from launching new operations.

Additional details and statistics are available in the FBI’s 2019 Internet Crime Report [PDF].
