Businesses were hit hardest by inbox-based scams in 2015 that robbed U.S. companies of $263 million. The numbers come from the FBI’s recently released 2015 Internet Crime Report that tallies the types of cybercrimes hitting U.S. business and individuals the hardest. According to the FBI, its Internet Crime Complaint Center (IC3) received 288,012 complaints last year with total losses of $1.07 billion.
By a long shot, Business Email Compromise (BEC) crimes overshadow all other types of crimes looked at by the FBI in 2015. Classified as BEC, these crimes encompass businesses hit by inbox-based, financially motivated scams that rely on social engineering and computer intrusion techniques and result in financial loss via unauthorized transfers of funds.
“Victims were instructed through spoofed emails, intercepted facsimiles, or telephone communications to redirect invoice remittance payments,” read the report (PDF). In 2015, the IC3 received 7,838 BEC complaints with losses of over $263 million, the FBI reported.
Security experts say these types of cybercrimes are hard to protect against when it comes to cyber defenses. “With BEC attacks there is no malware involved. You are exploiting human trust and business processes that involve email,” said Ryan Kalember, SVP cybersecurity strategy at the security firm Proofpoint.
According to the FBI, criminals most often targeted businesses with foreign suppliers or satellite offices that regularly had money wired to them. Typically, these BEC thefts involved compromising genuine business email accounts via social engineering or some type of unspecified computer intrusion technique, according to the report.
“Fraudulent transfers have gone through accounts in many countries, with a large majority traveling through Asia,” according to the report. Most often, companies tell the FBI it was the email accounts of the company’s CEO or CFO that were “hacked or spoofed, and wire payments were requested to be sent to fraudulent locations.”
Those trends jibe with what Digital Shadows CEO Alastair Paterson is seeing. He says his firm is seeing elaborate and sophisticated ruses that involve CEOs, CFOs, COOs, HR departments and accounting. “Attacks are becoming more sophisticated, involving criminals going so far as monitoring a CEO’s social media feed to best time and color a fake request for a wire transfer,” Paterson said.
“In 2015, victims reported being contacted by subjects posing as lawyers or law firms instructing them to make secret or time sensitive wire transfers,” according to the IC3 report.
Spoofing an email from a CEO is an interesting tactic, said Patrick Wardle, director of research at security firm Synack. “It preys on another human weakness — employees are less likely to question an email or request from the CEO,” Wardle said. As computers become more difficult to hack with anti-exploitation mitigations and networks become more locked down, the human link is often a soft spot easily targeted by attackers, he said.
States losing the most to Business Email Compromise attacks were California ($64.5M in losses), New York ($23.5M in losses) and Florida ($19.6M in losses). But comparing the cost of BEC crimes to the aggregate cost of other crimes, it wasn’t the states with the biggest dollar-figure losses that were hit the hardest. For example, BEC crimes represented 47 percent of all losses to cybercrime in South Carolina in 2015. That was followed by Nebraska (45 percent), Michigan (43 percent) and New York (41 percent).
The other categories looked at by the FBI for this report were ransomware and incidents of Email Account Compromise, where the attack focuses on individuals or professionals rather than businesses.
Personal data breach losses hit almost $43 million in 2015 based on about 20,000 complaints. By contrast, there were nearly 2,500 complaints about corporate data breaches, with total reported losses of $39 million. Identity theft losses totaled $57 million, and bogus investment scam losses reached $119 million in 2015.
Exploit-related losses to victims included $1.6 million tied to 2,453 ransomware complaints. Phishing and related email scams to individuals added up to $8 million in losses and malware/scareware losses to individuals totaled $3 million. Lastly, virus losses totaled $1.2 million and DoS attacks were attributed to just under $3 million, according to the FBI’s 2015 Internet Crime Report.
Proofpoint’s Kalember said the biggest shift he has seen between 2015 and the cybercrime trends taking shape in 2016 is around ransomware. In 2015, ransomware represented three percent of sampled infected emails. Five months into 2016, ransomware already represents 30 percent of samples, he said.