The FBI has warned that fraudsters have tried to steal over $43bn via business email compromise (BEC) attacks over the past six years, with Asian banks the primary recipients of stolen funds.
The scam has grown significantly over that time, to impact not only large enterprises but also SMBs and even personal transactions, the Bureau claimed.
The $43.3bn figure was derived from crime reports to the FBI, law enforcement data and filings with financial institutions. It includes real losses and attempted heists and rose particularly fast over the course of the pandemic.
“Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses, meaning the dollar loss that includes both actual and attempted loss in United States dollars,” the FBI said in a Public Service Announcement (PSA).
“This increase can be partly attributed to the restrictions placed on normal business practices during the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually.”
The FBI stats contain reports from inside the US, where scams have been reported in all 50 states, and 177 countries worldwide.
Although 140 countries have received stolen funds, banks in Thailand and Hong Kong were the most common destinations last year. China came in third, followed by Mexico and Singapore.
This matters because while the FBI has a fairly good success rate (74%) in recovering funds lost to BEC, this is only in cases where domestic banks are used for the money transfers.
Stolen funds are increasingly converted into cryptocurrency to improve money laundering efforts. Often, the threat actor opens these cryptocurrency wallets using stolen identities. Some $40m in exposed losses were identified this way last year.
Other variations on the BEC theme involve not fund transfers but requesting employees’ personally identifiable information or wage and tax statement (W-2) forms, the FBI claimed.
BEC losses hit $2.4bn last year, around one-third of total cybercrime losses.