FBI: Rise in Business Email-based Attacks is a $43B Headache

A sharp rise in fraud built on compromised or spoofed business email accounts has become a multi-billion-dollar problem.

The FBI warned that the global cost of business email compromise (BEC) attacks reached $43 billion between June 2016 and December 2021. According to the report, 241,206 complaints were filed with the agency’s Internet Crime Complaint Center (IC3) in that period.

BEC, also called email account compromise (EAC), is a sophisticated scam that targets both employees and the businesses they work for.

The scam uses social engineering to compromise a legitimate business or personal email account, or to trick a victim into making an unauthorized transfer of funds. The FBI also warns that other popular variations of the scam collect personally identifiable information (PII) in order to perpetrate additional fraud, such as tax-related scams and breaching cryptocurrency wallets.


Statistics of BEC/EAC Scams 

According to IC3, BEC victims have been reported in all 50 US states and in 177 countries, and banks in 140 countries have received fraudulent transfers.

The IC3 revealed that banks located in Thailand and Hong Kong were the primary destination for fraudulent funds, followed by China, Mexico, and Singapore.

According to the IC3 public service announcement, losses recorded in the US are much larger than those reported by non-US victims. Between October 2013 and December 2021, 116,401 US victims reported a total loss of $14.8 billion, whereas over the same period 5,260 non-US victims reported losses of $1.27 billion.

The FBI believes a 65 percent increase in BEC losses between July 2019 and December 2021 can be partly attributed to the pandemic, when restrictions on normal business activity pushed routine work online.

“Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses, meaning the dollar loss that includes both actual and attempted loss in United States dollars,” IC3 reported.

“This increase can be partly attributed to the restrictions placed on normal business practices during the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually,” IC3 added.

BEC Fraud Related to Cryptocurrency

The IC3 mentioned in the public service announcement that they have received an increased number of BEC complaints involving cryptocurrency.

Cryptocurrency, a virtual asset that uses cryptographic algorithms to secure financial transactions, grew to a $3 trillion market capitalization in November 2021.

The degree of anonymity cryptocurrency affords makes it popular with illicit threat actors and drives them toward crypto-related fraud.

The IC3 described two variations of the BEC scam involving cryptocurrency. The first is a direct transfer to a cryptocurrency exchange (CE), which closely mirrors traditional BEC fraud. The second is a ‘second hop’ transfer to a cryptocurrency exchange.

In the second-hop variant, victims are tricked into providing identifying information such as a driver’s license or passport, which the attacker then uses to open a cryptocurrency wallet in the victim’s name. Threat actors generally use other cyber-enabled scams (extortion, tech support and romance scams) to lure the victim.

According to IC3, the use of cryptocurrency was regularly reported, but it was not tracked as a BEC-specific crime until 2018. Reports increased in 2019, and by 2020 IC3 had received reports of $10 million in cryptocurrency-related losses. In 2021, those losses surged to $40 million.

Suggestions and Recommendations 

  • Use two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business/individual it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Avoid supplying credentials or any other personally identifiable information (PII) via email.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
  • Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
  • Regularly monitor financial accounts for irregularities.
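The sender, hyperlink and domain-spelling checks in the list above can be partly automated at the mailbox. The Python below is an illustration added here, not code from the FBI or IC3: it parses two constructed messages and flags a display name that embeds a different address than the real sender, a Reply-To that redirects the thread to another domain, and sender or link domains within two character edits of a domain the organization actually trusts. The trusted-domain list, both sample messages and the two-edit threshold are assumptions made for the example.

```python
"""Heuristic BEC/EAC screening of inbound mail (illustrative, not IC3 code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organization really corresponds with (assumed for the example).
TRUSTED_DOMAINS = ("example.com", "acme-supplier.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable domain: last two labels (no public-suffix list here)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None if it is trusted or unrelated."""
    dom = registrable(host)
    if dom in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # Typosquat (examp1e.com) or same name under another TLD (acme-supplier.co).
        if levenshtein(dom, trusted) <= 2 or dom.split(".")[0] == trusted.split(".")[0]:
            return trusted
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen_message(raw):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Display name carries an address that differs from the real sender
    #    (what a phone's mail client shows vs. what the envelope says).
    embedded = ADDR_RE.search(from_name)
    if embedded and domain_of(embedded.group()) != from_dom:
        findings.append(f"display name embeds {embedded.group()} but sender is {from_addr}")

    # 2. Reply-To quietly moves the conversation to another domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply_addr)
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Sender domain is a lookalike of a trusted partner.
    target = lookalike_of(from_dom)
    if target:
        findings.append(f"sender domain {from_dom} looks like {target}")

    # 4. Hyperlinks whose host is a lookalike of a trusted partner.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        target = lookalike_of(host)
        if target:
            findings.append(f"link host {host} looks like {target}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_BEC = """\
From: "Dana Lee <dana.lee@example.com>" <dana.lee@examp1e.com>
Reply-To: dana.lee@mail-relay-service.net
To: ap@example.com
Subject: Updated banking details

Please update our remittance account before Friday.
Details: https://acme-supplier.co/invoice/4471
"""

SAMPLE_OK = """\
From: "Dana Lee" <dana.lee@example.com>
To: ap@example.com
Subject: Lunch

See https://example.com/menu
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("OK", SAMPLE_OK)):
        print(label, screen_message(sample) or ["no findings"])
```

Each finding is a prompt for the out-of-band verification the first bullet calls for, not a verdict: a genuine partner moving to a new TLD would trip the lookalike check, which is exactly the case a phone call to a known number resolves.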
