Business email compromise (BEC) scams are squeezing more money than ever out of victims, with losses from the attacks almost doubling year-over-year in 2018 to reach $1.2 billion.
That’s according to the FBI’s annual Internet Crime Report (IC3) for 2018, which records the number of complaints, losses and trending scams. Of all the scams reported, BEC, where attackers use social engineering and other tricks to persuade businesses to transfer wire payments to them, led the charge in terms of sucking the most money from victims: The FBI said that in 2018, BEC scams ultimately drained victims of over $1.2 billion. For contrast, in 2017, BEC resulted in adjusted losses of $675 million.
Other scams, such as extortion, tech support fraud and payroll diversion continued to increase in both scale and reported losses as well. Overall, in 2018 the FBI received a total of 351,936 scam complaints with losses exceeding $2.7 billion – up from the $1.4 billion in losses recorded in the 2017 report.
BEC in particular is growing more insidious as attackers change up their techniques and tactics: “BEC and [email account compromise] EAC are constantly evolving as scammers become more sophisticated,” according to the FBI’s report, released Tuesday. “Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 information and the targeting of the real-estate sector.”
Specifically, this year, the FBI pointed out that it received an increase in complaints about gift card-related BEC scams.
“The victims received a spoofed email, a spoofed phone call or a spoofed text from a person in authority requesting the victim purchase multiple gift cards for either personal or business reasons,” according to the report.
Ronnie Tokazowski, senior threat researcher at Agari, told Threatpost that he has seen gift card-related BEC scams gain traction due to the lucrative profits that attackers can gain.
“For trends that we’re seeing, actors have been asking for gift cards instead of wire fraud, but still engage with wire fraud as well,” he told Threatpost. “For gift cards, once they have the pictures of the cards from the victims, they sell the cards on gift card exchanges where they can sell the cards to bitcoin. Actors usually get around 70 percent of the face value of the card in bitcoin.”
The FBI said it faced several high-profile cases as a result of seemingly simple BEC scams. For instance, it received a complaint from a town in New Jersey that fell victim to a BEC scam and transferred over $1 million to a fraudulent account (the FBI was able to freeze the funds and return the money to the town). In another case, a BEC victim received an email purporting to be from their closing agent during a real-estate transaction, resulting in the person initiating a wire transfer of $50,000 to a fraudster’s bank account located in New York.
The rise in BEC losses comes despite an FBI crackdown (dubbed Operation WireWire) on scammers behind several BEC campaigns in June 2018, which resulted in 74 arrests and the retrieval of millions of dollars.
“The biggest take away from the report is that BEC is on the rise with losses doubling over the last year, and actors are starting to figure out that they don’t need to create a sophisticated piece of malware in order to make a dollar,” said Tokazowski. “While ransomware and other malware attacks often capture headlines, it’s clear that BEC related fraud, including romance scams, causes much more damage year after year.”
Other Insidious Scams
Behind BEC, romance scams resulted in the second-highest amount of losses for victims, totaling more than $362 million.
These types of scams happen when an attacker tricks the victim into believing that they have a trust relationship (which could be familial, friendly or romantic) – and then persuades the victim to send money or financial information to them.
Another high-loss crime was payroll diversion, where cybercriminals target employees with phishing emails and capture their login credentials – and then log into the employees’ accounts and change the direct deposit information to redirect the payroll into an account the attackers control.
For payroll diversion, the FBI said it received only around 100 complaints – but those reports resulted in a combined reported loss of a whopping $100 million.
In terms of the types of scams with the most complaints, the FBI said that “non-payment” (where in an online transaction, goods are shipped but a payment is never made; or vice versa), extortion and personal data breaches (a spill of personal data released from a secure location to an untrusted environment) were the most-reported types of scams.
Other types of crimes that skyrocketed last year include tech-support fraud, which saw a 161 percent increase in losses compared to 2017; and extortion, which saw a 242 percent increase in losses compared to 2017.