FBI: Business Email Compromise — a $43B Scam

ATTACK Simulator
4 min read · May 25, 2022


A new FBI report warns of a staggering spike in Business Email Compromise (BEC) attacks, resulting in losses worth billions of dollars.

Business Email Compromise — a Billion-Dollar Problem

In a new report, the FBI sheds some light on the jaw-dropping global cost of BEC: between June 2016 and December 2021, it reached $43 billion. The agency’s Internet Crime Center (IC3) registered almost a quarter-million complaints during the same period.

BEC Basics

BEC is a cyberattack in which a hacker illicitly obtains access to a business email account and impersonates its rightful owner to trick the company and its employees, customers, or partners into transferring money to the scammer’s account. The attackers use various social-engineering techniques to compromise the email account.

The FBI also warns of other popular variations, including harvesting Personally Identifiable Information (PII) to carry out further fraud, such as tax-related scams, and breaking into cryptocurrency wallets.

BEC Spine-Chilling Stats

The IC3 found that BEC victims have reported incidents from all over the US and from 177 countries. In addition, 140 countries received fraudulent transfers, with Thailand and Hong Kong as the favorite destinations, alongside China, Mexico, and Singapore.

“Based on the financial data reported to the IC3 for 2021, banks located in Thailand and Hong Kong were the primary international destinations of fraudulent funds,” the FBI said. “China, which ranked in the top two destinations in previous years, ranked third in 2021, followed by Mexico and Singapore.”

However, US financial losses due to BEC scams run much higher than those suffered by victims located outside the US: between October 2013 and December 2021, 116,401 US victims reported total damages of $14.8 billion, while only 5,260 non-US victims reported damages of $1.27 billion.

The agency links the massive spike in BEC scams partly to the pandemic, when business shifted online almost overnight and most companies’ security practices were not ready for the change.

“Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses, meaning the dollar loss that includes both actual and attempted loss in United States dollars,” IC3 wrote.

“This increase can be partly attributed to the restrictions placed on normal business practices during the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually,” IC3 added.

Tips to Protect Your Business Against BEC Attacks

The FBI also provides guidance to help you defend your company against Business Email Compromise attacks:

- Use secondary channels or two-factor authentication to verify requests for changes in account information.
- Ensure the URL in emails is associated with the business/individual it claims to be from.
- Be alert to hyperlinks that may contain misspellings of the actual domain name.
- Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
- Verify the address an email was actually sent from, especially when reading on a mobile or handheld device, and make sure it matches the person or organization the message claims to come from.
- Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
- Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.
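The address checks in the tips above (domain misspellings, sender address not matching the claimed identity) can be automated at the mail gateway or in a SOC rule. The following Python is an added example, not the FBI’s or ATTACK Simulator’s code; the trusted domains, sample headers and the edit-distance threshold of 2 are constructed assumptions.

```python
"""Sender checks for BEC-style mail: lookalike domains, display-name spoofing
and Reply-To redirection. Trusted domains and headers below are constructed."""
import re
from email.utils import parseaddr
from typing import Optional

# Assumption: domains this company and its partners legitimately send from.
TRUSTED_DOMAINS = {"example-corp.com", "partner-bank.com"}
# Digit-for-letter swaps that make a lookalike label read like the real one.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Fold visual substitutions: 'examp1e-c0rp.com' -> 'example-corp.com'."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so the O(n*m) table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is exact or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def classify_sender(from_header: str, reply_to: str = "") -> dict:
    """Findings a gateway rule could act on for one message's From/Reply-To."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)  # address hidden in the display name
    if shown and shown.group().rpartition("@")[2].lower() != domain:
        findings.append(f"display name shows {shown.group()} but mail is from {addr}")
    if target := lookalike_of(domain):
        findings.append(f"sender domain {domain} imitates {target}")
    reply_domain = parseaddr(reply_to)[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:  # answers steered elsewhere
        findings.append(f"Reply-To redirects to {reply_domain}")
        if target := lookalike_of(reply_domain):
            findings.append(f"Reply-To domain imitates {target}")
    verdict = "suspicious" if findings else ("trusted" if domain in TRUSTED_DOMAINS else "unknown")
    return {"domain": domain, "verdict": verdict, "findings": findings}
```

Run `classify_sender('"ceo@example-corp.com" <ceo.office@freemail.example>', "pay@partner-bnak.com")` to see all three findings fire on one constructed payment-change request.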

Last but not least, make sure to provide security awareness training for your employees as a top priority.

While conventional security practices such as technological defenses and email filters can be effective, security awareness training for your staff is vital to avoid falling victim to BEC and CEO fraud attacks.

Aside from Business Email Compromise and CEO fraud, there are numerous types of phishing waiting to prey on the perfect unsuspecting employee in your company and launch a devastating attack. Over one billion phishing emails are sent out each day, and many of them bypass security filters. Thus, you need to be able to rely on your employees to stay vigilant and spot phishing scams.

Researching the latest phishing trends and strategies and adequately training your employees can be a hassle, so leave it to professionals.

Here are a few perks of choosing ATTACK Simulator:

- Automated attack simulation — we simulate all kinds of cyberattacks.
- Real-life scenarios — we evaluate users’ vulnerability to giving company or personal data away using realistic web pages.
- User behaviour analysis — we gather user data and compile it in extensive reports to give you a detailed picture of your employees’ security awareness level.
- Malicious file replicas — our emails contain malware file replicas to make the simulation as realistic as it can be.
- Interactive lessons — if employees fail to recognize our traps and fall into one, they will discover lessons on the best security practices.
- Brand impersonation — we impersonate popular brands to make the phishing simulations all the more realistic.

ATTACK Simulator’s Security Awareness Training program will help you equip your employees with the necessary security knowledge and up-to-date security practices to keep your company safe from scammers and avoid potentially irreparable damage.

Are your employees ready for a phishing attack? Put them to the test with our free security awareness training trial.

Sources:

- FBI: Business Email Compromise: The $43 Billion Scam
- Threatpost: FBI: Rise in Business Email-based Attacks is a $43B Headache
- BleepingComputer: FBI says business email compromise is a $43 billion scam

Attribution:

Feature Image: Photo by Brett Jordan on Unsplash

Spam icons created by Freepik — Flaticon

ATTACK Simulator

We’re a fresh startup that aims at creating a culture of security in every company by teaching security awareness through automated phishing simulations.