FBI: BEC Losses Soared to $1.8 Billion in 2019

Losses from business email compromise (BEC) attacks soared by hundreds of millions of dollars over the past year, to once again account for half of all cybercrime losses reported to the FBI.

BEC scammers made nearly $1.8 billion in 2019, over half the $3.5 billion total, according to the FBI’s 2019 Internet Crime Report. That’s up from around $1.3bn and a total of $2.7bn in 2018.

A recent evolution in BEC tactics has seen scammers impersonate regular employees rather than C-level execs.

“In this type of scheme, a company’s human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period,” the report explained. “The new direct deposit information generally routes to a pre-paid card account.”

The second biggest earning category of cyber-threat was romance scams, which netted over $475 million, followed by “spoofing” at $300m.

Ransomware was way down in the bottom half of the table with $9m in losses, up significantly from $3.6m in 2018. However, the usual caveats apply that this calculation doesn’t include “lost business, time, wages, files, or equipment, or any third party remediation services acquired by a victim.”

The FBI also admitted that many victims do not report ransomware losses to the Bureau.

When measured according to numbers of reported victims rather than financial losses, phishing (114,702) came top, followed by non-payment/non-delivery (61,8332), and extortion (43,101).

BEC was down in fifth place (23,775) with ransomware even further behind with just 2047 reported cases in 2019 — highlighting the scale of under-reporting.

The FBI also singled out tech support fraud as a growing problem, with some recent complaints involving criminals posing customer support for well-known travel companies, banks and even virtual currency exchanges.

“In 2019, the IC3 received 13,633 complaints related to tech support fraud from victims in 48 countries,” the report said. “The losses amounted to over $54 million, which represents a 40% increase in losses from 2018. The majority of victims reported to be over 60 years of age.”

Total reported cybercrime losses have tripled over the past five years, from just $1.1bn in 2015, amounting cumulatively to $10.2bn for the period.

What’s Hot on Infosecurity Magazine?