Business email compromise scams proved costly to victims in 2020
The FBI received more than 19,000 complaints of business email compromises last year, costing victims around $1.8 billion.
In 2020, cybercriminals amped up their attacks by taking advantage of a host of events, from the coronavirus pandemic to remote working and learning to the presidential election and more. Among the many types of cyber crimes affecting organizations and individuals last year, business email compromises and email account compromises proved especially costly. Released Wednesday, the FBI’s “2020 Internet Crime Report” looks at BEC scams and other internet-related crimes and offers suggestions on what to do if you’re a victim.
For the entire year, the FBI’s Internet Crime Complaint Center (IC3) said it received a record number of complaints from the American public. The total of 791,790 complaints represented a 69% jump from 2019 and accounted for losses of more than $4.1 billion. Out of these, BEC and EAC schemes were near the top, triggering 19,369 complaints with adjusted losses of around $1.8 billion.
A BEC scam uses social engineering to trick businesses and individuals into turning over confidential information or transferring funds to the attacker’s account.
In the past, these types of crimes usually started with the attacker spoofing the email account of the CEO, CFO or other top executives to request a fund transfer. BEC and EAC scams have since expanded to include such tactics as compromising personal emails or vendor emails, impersonating accounts of attorneys, asking for W-2 information and requesting large amounts of gift cards.
For 2020, the IC3 said it found more BEC/EAC complaints related to identity theft and to funds being converted into cryptocurrency. In these instances, the initial victim is usually scammed through other types of tactics, such as extortion plots, romance scams and tech support scams. In all such cases, the victim is usually convinced to provide an ID or personal information to the scammer. That information is used to open a bank account that receives the funds stolen through a BEC scam, and those funds are then transferred to a cryptocurrency account.
“One of the most effective ways that attackers commence a BEC attack is through mobile phishing,” Justin Albrecht, security intelligence engineer at Lookout, told TechRepublic. “Smartphones and tablets don’t have the same security tools and protections as traditional endpoints like desktops and laptops. Much phishing-related mobile malware spreads through SMS or other messaging platforms, spamming the contact lists of infected devices.”
For anyone who’s been the victim of a BEC/EAC scam, the FBI offers the following advice:
- Contact the originating financial institution as soon as you discover the fraud to request a recall or reversal and a Hold Harmless Letter or Letter of Indemnity.
- File a detailed complaint with IC3. The complaint must contain all required data in the necessary fields, including banking information.
- Visit IC3 for updated PSAs regarding BEC trends as well as other fraud schemes targeting specific populations, including trends targeting real estate, prepaid cards and W-2s.
- Never make any payment changes without verifying the change with the intended recipient. Confirm that email addresses are accurate when checking email on a mobile device.
“BEC is not getting the attention it deserves,” said Rick Holland, CISO and VP of strategy for Digital Shadows. “With an adjusted loss of approximately $1.8 billion from only reported BECs, this type of crime presents one of the most significant risks to businesses today. At a minimum, this data should be a reminder for business and security leaders to follow the FBI’s guidance should they become victims of BEC. More importantly, however, is to follow cybersecurity best practices and improve employee security training to avoid BEC attacks.”