Business Email Compromise Inflicts $1.7 Billion in Losses in US in 2019

The FBI’s Internet Crime Complaint Center (IC3) has compiled all complaints registered in 2019, and the reported losses exceed $3.5 billion, with Business Email Compromise (BEC) and Email Account Compromise (EAC) accounting for $1.7 billion.

Unlike better-known crimes such as credit card fraud, ransomware and phishing, BEC and EAC don’t seem all that glamorous. On the other hand, these two methods alone were used to defraud companies and people of $1.7 billion last year.

Let’s look at BEC in more detail. Imagine the victim works in the finance department, possibly even as the chief financial officer. Attackers send an email, spoofed to look just like hundreds of similar emails sent to the department, and ask for a payment to a specific account.

The CFO is not suspicious, even if the sum is bigger than usual. The payment is made, and the money is lost forever. EAC works pretty much the same way, with only one difference: the email account used isn’t spoofed, and attackers use a compromised but real address. Unfortunately, this is only one scenario, and bad actors are always on the lookout to diversify their attacks.

“Over the years, the scam evolved to include compromise of personal emails, compromise of vendor emails, spoofed lawyer email accounts, requests for W-2 information, the targeting of the real estate sector, and fraudulent requests for large amounts of gift cards,” explains the FBI in their report.

The data compiled by the FBI’s IC3 underlines just how prolific this method really is. With $1,776,549,688 in losses, BEC/EAC is by far the biggest problem. Credit card fraud accounts for $111 million and terrorism takes last place with a victim loss of almost $50,000.

If we look at the victim count, things are a little different, with phishing affecting around 114,000 people. BEC/EAC is still pretty high up in this ranking, accounting for almost 24,000 victims.

It’s easy to think that BEC/EAC is almost a victimless crime, with companies taking the brunt of the assault. The statistics from the real world paint an entirely different picture.

*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by Silviu STAHIE.