Ransomware has become a significant threat for enterprises and government agencies, but when it comes to financial losses, business email compromise (BEC) is doing far more damage, according to new statistics released by the FBI.
The bureau’s Internet Crime Complaint Center (IC3) gathers data each year on the number of complaints and losses from various types of scams and threats, and the 2019 Internet Crime Report shows that losses from BEC reached more than $1.7 billion in 2019. That figure is far and away the largest for any category of loss in the report, far outstripping phishing at $57 million and ransomware at nearly $9 million in losses. Last year, the IC3 received more than 23,000 complaints about BEC and email account compromise (EAC) scams.
BEC is a relatively new type of online scam and it has been gathering momentum in the criminal world in the last couple of years. The basic premise is quite simple, and usually involves a scammer sending an email to someone with financial authority inside a target organization, such as a finance manager. The email may purport to come from a company that the target organization has an established relationship with, such as a supplier or partner, and will request an urgent wire transfer or other payment. In some cases the scammers will impersonate an executive inside the target company itself, lending an even higher level of authority to the message.
While simple in concept, BEC scams can be incredibly damaging to a victim organization. Some companies have lost tens of millions of dollars to BEC scammers, and the FBI has established a new team to help victims respond to scams and recover lost money. The Recovery Asset Team (RAT) works with victims, FBI field offices, and financial institutions to identify fraudulent activity, freeze suspect funds and return them to the victims. The team was quite successful in 2019, recovering more than $300 million in funds lost in 1,300 incidents. The RAT is part of a larger group established last year called the Recovery and Investigative Development Team (RaID) that also focuses on taking apart money mule organizations.
“RaID enhances investigations by monitoring new activity and notifying law enforcement of time sensitive situations. The team often plays a significant role in uncovering additional victims and criminals involved in fraudulent activity. RaID works as a liaison between financial and law enforcement investigators to facilitate information sharing necessary to support open case work and assist in any required legal process to stop the flow of fraudulent funds,” the IC3 report says.
Context is important in looking at the relative losses for threats such as BEC and ransomware. Losses in BEC incidents tend to be much higher than ransomware attacks, as ransomware actors often demand payments in the low tens of thousands of dollars, while an individual BEC incident can result in a loss of several million dollars. Also, the IC3 report only includes data for complaints that come directly to the IC3 itself and not through FBI field offices, so any company that reports a ransomware infection to its local office is excluded. The loss figure also does not take into account money spent on investigation, remediation, lost business, or damaged machines.
“In some cases victims do not report any loss amount to the FBI, thereby creating an artificially low overall ransomware loss rate,” the report notes.