BEC Scams Responsible for $1.2B in Losses in 2018 | Digital Guardian

The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls

Digital Guardian's Blog

BEC Scams Responsible for $1.2B in Losses in 2018

by Chris Brook on Monday April 29, 2019

Contact Us
Free Demo

It sounds like business email compromise attacks, attacks that rely on tricking recipients, usually executives, into conducting wire transfers, aren't going away anytime soon.

The scams net attackers $1.2 billion last year according to the FBI's Internet Crime Report, released last week. (.PDF)

The bureau’s Internet Crime Complaint Center, formed in 2000, fields 900 complaints a day, a number that adds up to about 300,000 internet crime complaints a year. The annual report recaps all things cybercrime.

That’s a 92 percent increase in reported losses from BEC attacks in 2017 and almost double the amount lost that year: $675 million.

The number accounts for nearly half of the $2.7 billion in losses reported to the IC3 last year. The figure, which correlates to 351,936 incidents overall, also reflects an uptick in the money lost per incident. According to Crane Hassold, Senior Director of Threat Research at Agari, the average loss per BEC incident in 2017 was $43,000, last year it was $64,000.

The IC3 notes that attacks continue to grow more sophisticated and in particular that it has received an increase in complaints in which victims are being asked to buy gift cards, either via spoofed emails, phone calls, or text messages from someone higher up, like an executive.

This year's report lauds the office's creation of the Recovery Asset Team, or RAT, a division it started last February to aid in the recovery of funds for BEC scam victims. According to the FBI, RAT works as a liaison between law enforcement and financial institutions; in particular the team works with the with the Domestic Financial Fraud Kill Chain (DFFKC), an infrastructure designed to recover large international wire transfers stolen from U.S. bank accounts. The team has been a success; from February to December last year it recovered $192,699,195.72 from losses of $257,096,991.65, a recovery rate of 75 percent.

Another takeaway from the report is that at least by the numbers, ransomware is on the way out. Comparing the 2018 report to the 2017 report, the number of victims of both ransomware and malware attacks were down last year, from 1,783 to 1,394, and 3,089 to 2,811 respectively.

In its place, social engineering-based scams appear to be on the rise. One type - cyber extortion incidents, attacks in which cybercriminals demand money or they'll release sensitive data or cause financial harm to an organization - have become more popular over the last year. The IC3 claims it saw a staggering 242 percent increase in extortion related complaints over the year prior, a figure that translated to adjusted losses of over $83 million last year.

If nothing else, tech support scams have managed to remain consistent too. Tech support scams, almost as old as the internet itself, still manage to con 3.3 million a year out of $1.5 billion, according to a recent Microsoft study. The IC3's numbers are a far cry from those figures but they still illustrate the technique remains popular among hackers. According to the Internet Crime Complaint Center, it received 14,408 complaints last year stemming from tech support scams in 48 countries. The losses totaled $39 million, a 161 percent increase in losses from the year prior.

Payroll diversion scams - attacks in which cybercriminals target employees hoping to phish their login credentials – were also a highlight for the IC3, which fielded 100 complaints that resulted in the loss of $100M, last year.

It’s important to note the numbers should be taken with a grain of salt; the IC3 only looks at incidents that are reported to the center, meaning there's a likely chance there are many incidents missing.

Tags: Email Security

Recommended Resources

  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business
  • The Five Stages of Threat Hunting
  • A Proactive Approach to Threat Hunting
  • Expert Tips

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.