Losses from BEC scams rising fast and furious

In 2017, the victims of BEC fraud were stung for $676 million, almost double the loss totals reported in the previous year

In 2017, the victims of BEC fraud were stung for $676 million, almost double the loss totals reported in the previous year

The FBI’s Internet Crime Complaint Center (IC3) received a record-high 301,000 complaints of internet-facilitated fraud and other cybercrimes in 2017, with reported losses adding up to $1.42 billion. Pegged at over $676 million, loss totals stemming from Business Email Compromise (BEC) and from its variation known as Email Account Compromise (EAC) accounted for nearly half of the aggregate, according to the center’s 2017 Internet Crime Report.

With 298,000 complaints and $1.45 billion in losses reported in 2016, the latest figures represent a slight uptick in the number of reported crimes and a downtick in aggregate losses.

Importantly, however, it’s well known that many crimes go unreported, so the actual figures are likely to be much higher. The IC3’s 2016 report itself noted that only an estimated 15 percent of scam victims in the United States report their crimes to law enforcement.

The three types of crime most frequently reported by victims in 2017 were non-payment/non-delivery, personal data breach, and social engineering fraud such as phishing, vishing, smishing, and pharming.

Meanwhile, confidence/romance fraud and non-payment/non-delivery were a distant second and third, respectively, in terms of the highest reported loss after BEC/EAC.

Online crimes responsible for the greatest financial loss totals (source: IC3, 2017 Internet Crime Report)

What’s trending?

The report singles out BEC/EAC, tech support fraud, ransomware, and extortion as “hot topics” for 2017.

The IC3 registered 15,690 complaints related to BEC/EAC in 2017, up from 12,000 in the previous year. The reported losses, of more than $676 million as mentioned earlier, have been rising significantly for years now – from $360 million in 2016, $246 million in 2015, and $226 million in 2014. Last year, the IC3 received an increasing number of reports from victims who had lost money in real estate transactions.

In a typical BEC scam, a criminal dupes a company’s finance department into carrying out an unauthorized transfer of funds. Importantly, the target must be fooled into believing that the request has come from an executive within the company or from an outside firm that does business with it, so the scam involves a measure of social engineering, email spoofing, or computer intrusion. Unlike BEC, which takes aim at businesses, EAC fraud targets individuals.

According to the FBI, however, the scam has recently evolved in that attackers are increasingly moving beyond money, setting their sights on the targets’ Personally Identifiable Information (PII) and tax statements instead.

Similarly, losses from tech support scams, in which criminals hoodwink victims into providing them with remote access to their computers, also soared last year (by 90%), totaling $15 million from nearly 11,000 such cases reported to the FBI. The fraud comes in many flavors, but some recent cases involve crooks posing as “technical support representatives for income tax assistance, GPS, printer, or cable companies, or support for virtual currency exchanges”. Also, criminals sometimes act as government agents who offer help with recovering losses from – you guessed it – tech support fraud.

By contrast, losses from ransomware attacks dropped – from $2.4 million to $2.3 million last year. And so did the number of complaints – from 2,600 to 1,800. The findings are in contrast, for example, to the trend spotted in Verizon’s latest Data Breach Investigations Report (DBIR), which found that ransomware attacks worldwide had doubled in 2017, itself a year known for two major ransomware outbreaks. The fact that ransomware registered so low in the IC3’s report indicates that many victims don’t report the attacks.

Meanwhile, losses caused by close to 15,000 reported cases of extortion schemes cost the victims almost $15 million. In these scams, attackers demand a fee on pain of, for example, hitting the target with DDoS attacks, releasing sensitive materials (sextortion), or putting a hit on them.

“As cyber criminals become more sophisticated in their efforts to target victims, we must continue to transform and develop in order to address the persistent and evolving cyber threats we face,” said Scott S. Smith, Assistant Director of the FBI’s Cyber Division, in the report.

Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center