FBI reports that over $43 billion stolen through Email compromise from June 2016 until 31 December 2021.
May 9, 2022 |
The Federal Bureau of Investigation (“FBI”) has issued a public service announcement reporting that there were 241,206 domestic and international incidents involving a total loss of $43,312,749,946 arising from what is described as a Business Email Compromise.
A business Email Compromise is defined as:
Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.
The scam is frequently carried out when an individual compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds.
The scam is not always associated with a transfer-of-funds request. One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even crypto currency wallets.
Interestingly there was a 65% increase in global losses between July 2019 and December 2021. The FBI concludes that that is due to the COVID restrictions which caused more work and business virtually.
With every scam there needs to be a location for receiving the fraudulently received funds. The FBI concludes that banks located in Thailand and Hong Kong were the primary international destinations of those fraudulent funds. The previously most popular destination China ranked third in 2021 followed by Mexico and Singapore.
The report and associated story is covered in the State of Security story $43 billion stolen through Business Email Compromise since 2016, reports FBI which relevantly provides:
Over US $43 billion has been lost through Business Email Compromise attacks since 2016, according to data released this week by the FBI.
The FBI’s Internet Crime Complaint Center (IC3) issued a public service announcement on May 4 2022, sharing updated statistics on Business Email Compromise (BEC) attacks which use a variety of social engineering and phishing techniques to break into accounts and trick companies into transferring large amounts of money into the hands of criminals.
The report looked at 241,206 incidents reported to law enforcement and banking institutions between June 2016 and December 2021, and says that the combined domestic and international losses incurred amounted to US $43.31 billion.
Worryingly, there has been a 65% increase recorded in identified global losses between July 2019 and December 2021. The report suggests that this increase can be “partly attributed to the restrictions placed on normal business practices during the COVID-19 pandemic” with many workers forced to do their jobs remotely.
The rise of interest in cryptocurrency has also been seen in the stats, with an increased number of complaints recorded involving digital funds. For instance, the report notes how scammers have used direct transfer of funds to cryptocurrency exchanges (or a “second hop” transfer to a cryptocurrency exchange) in a seeming attempt to anonymise the movement and ownership of stolen funds.
The FBI offers a number of tips to companies wishing to better protect themselves from Business Email Compromise attacks:
-
- Use secondary channels or two-factor authentication to verify requests for changes in account information.
- Ensure the URL in emails is associated with the business/individual it claims to be from.
- Be alert to hyperlinks that may contain misspellings of the actual domain name.
- Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
- Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
- Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
- Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.
Organisations are also advised to immediately contact their financial institution should they believe that they have fallen victim to fraudsters, as it may be possible to request a recall of funds. Regardless of the amount stolen, victims of Business Email Compromise are urged to file their complaint at bec.ic3.gov as soon as possible.
It should always be borne in mind that the figure of $43,312,749,946 is a serious understatement of the true loss to scams. The figures the FBI relies upon is that which is reported to it or other agencies. As with data breaches, many who lose to scammers are reluctant to report those losses.