Businesses in the United States lost more than $246 million to business email compromise attacks in 2015, dwarfing the losses to any other kind of attack, including phishing, vishing, ransomware, and credit card fraud.
BEC scams involve a twist on the typical phishing emails, and aim to trick executives or finance employees who have authority over a company’s money. The emails are designed to fool the victim into transferring large sums of money, often tens or hundreds of thousands of dollars, to accounts controlled by the criminals. The messages typically look like they come from the CEO or CFO of the target company and often have spoofed email addresses, headers, and all of the signature and other details an authentic email would have. Many times, the emails will ask the victim to transfer money as part of some new acquisition or supplier relationship that doesn’t exist.
In its annual Internet Crime Report, released Tuesday, the FBI said it had received more than 7,800 complaints about BEC scams in 2015, with total reported losses of $246 million. By contrast, there were nearly 22,000 complaints about identity theft, with total reported losses of $57 million. Credit card fraud losses totaled $41 million, and corporate data breach losses hit almost $39 million in 2015.
“The IC3 began receiving complaints describing BEC scams in 2010. Victims at the time identified themselves as United States–based businesses which had long-term working relationships with Asian suppliers. Victims were instructed through spoofed emails, intercepted facsimiles, or telephone communications to redirect invoice remittance payments,” the FBI said in its report.
“Fraudulent transfers have gone through accounts in many countries, with a large majority traveling through Asia. The scam began to evolve in 2013 when victims indicated the email accounts of Chief Executive Officers or Chief Financial Officers of targeted businesses were hacked or spoofed, and wire payments were requested to be sent to fraudulent locations.”
The bureau said BEC schemes have evolved in the last year to now include emails from criminals posing as lawyers, asking victims to make immediate wire transfers for time-sensitive transactions. The FBI has been warning businesses about BEC scams for the last year or so, and another of the major threats the bureau has issued warnings about, ransomware, plays a major part in this year’s report. Although ransomware has grabbed a huge number of headlines for the last few years, the amount of money victims have lost to the scam doesn’t stack up to the losses to BEC or credit card fraud.
The total losses for ransomware were $1.6 million in 2015, a fraction of some of the larger categories, mainly because the amount lost by each victim is much lower than that lost by a BEC victim, for example. Ransomware typically demands payments of $75 or so on the low end and about $200 on the high end. BEC victims often lose several thousand times those amounts.
The FBI combines phishing, vishing, SMS phishing, and pharming into one broad category of crime, and said those all totaled $8.1 million in losses last year.