Business Email Compromise Losses Top $12B, FBI Warns

The FBI has revised its figure for the total amount of financial losses from business email compromise attacks, as real estate-related scams grow.

BEC Email Scam

Among the most impactful cyber-attacks is business email compromise (BEC), where criminals trick unsuspecting organizations into paying fraudulent invoices.

The FBI has calculated the estimated impact of BEC attacks that it is aware of and has determined that between October 2013 and May 2018, there has been $12.5 billion in global losses. During that period, the FBI has estimated that approximately $2.9 billion has been stolen from U.S victims.

The new figures represent a significant rise from the figures that the FBI reported in 2017, when the agency reported that total BEC financial losses were approximately $5.3 billion.

"Between December 2016 and May 2018, there was a 136 percent increase in identified global exposed losses," the FBI warned in a media release.

Among the fastest growing areas for BEC fraud are real estate-related attacks. According to the FBI, there was a 1,100 percent rise in the number of reported BEC incidents in the real estate sector from 2015 to 2017. During the same period, the FBI reported a 2,200 percent increase in BEC losses in the real estate industry.

"Victims most often report a spoofed e-mail being sent or received on behalf of one of these real estate transaction participants with instructions directing the recipient to change the payment type and/or payment location to a fraudulent account," the FBI warned.

The FBI and its Internet Crime Center (IC3) division have been warning of the continued rise in BEC attacks over the past year. In a report released on May 9, IC3 reported that it received 15,690 BEC complaints in 2017, with losses of $675 million, up from 12,005 complaints and losses of $360 million in 2016.

The FBI isn't the only organization seeing an increase in BEC and email fraud attacks. Security firm Proofpoint reported that in the first quarter of 2018, it has seen email fraud attacks rise by 103 percent year-over-year. On Feb. 21, IBM reported that its X-Force Incident Response and Intelligence Services (IRIS) unit discovered a BEC attack that was responsible for approximately $5 million in losses.

Law Enforcement Actions

Law enforcement is not sitting idly by while BEC fraudsters attack victims. On June 11, the U.S. Department of Justice announced that law enforcement officials arrested 74 individuals around the world as part of Operation "Wire Wire," which is an effort to disrupt BEC activities.

"Fraudsters can rob people of their life's savings in a matter of minutes," Attorney General Jeff Sessions stated in a media advisory on operation Wire Wire. "These are malicious and morally repugnant crimes."

How to Limit BEC Risks

There are multiple steps that organizations and individuals can take to limit the risks of being a BEC scam victim. 

Securing email delivery including enforcing multifactor authentication on access is a first step. Technology approaches such as Domain-Based Message Authentication (DMARC) can also be effective in helping to verify the integrity of email senders. Plus, the FBI is warning organizations to be mindful of phone conversations as some BEC attacks start with a fraudulent phone call with attackers requesting personal information for financial verification purposes.

"Some victims report they were unable to distinguish the fraudulent phone conversation from legitimate conversations," the FBI stated. "One way to counteract this fraudulent activity is to establish code phrases that would only be known to the two legitimate parties."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.