Losses emanating from Business Email Compromise (BEC) and Email Account Compromise (EAC) scams reached nearly US$1.3 billion in 2018, which was nearly double the amount (US$675 million) lost in the year before, according to the annual Internet Crime Report (ICR) by the United States’ Federal Bureau of Investigation (FBI).

The figure is based on over 20,300 BEC/EAC scam reports that the FBI’s Internet Crime Complaint Center (IC3) dealt with last year, which itself was up from 15,700 reports in 2017. The losses due to this kind of fraud have been growing at a rapid clip in recent years, having doubled also between 2016 and 2017.

Aggregate losses caused by internet-enabled theft, fraud, and exploitation also doubled last year – from US$1.42 billion in 2017 to US$2.7 billion in 2018. Much like in 2017, BEC/EAC scams accounted for almost one-half of the loss totals last year. Confidence/romance fraud and investment scams were a distant second and third, respectively, in 2018.

On the good news front, the IC3 credited its Recovery Asset Team (RAT) with successfully recovering US$191 million lost in BEC scams since the team was set up specifically for this purpose in February 2018. The RAT dealt with 1,061 incidents that caused losses worth more than US$257 million, giving it a recovery rate of 75%.

Here’s a quick refresher: A typical BEC scam involves a criminal duping a company’s finance department into carrying out a wire transfer payment. Importantly, the target must be fooled into believing that the request has come from an executive within the company or from an outside firm that does business with it, so the scam involves a measure of social engineering, email spoofing, or computer intrusion. Unlike BEC, which takes aim at businesses, EAC fraud targets individuals.

Online crimes responsible for the greatest financial loss totals (source: IC3, 2018 Internet Crime Report)

Beyond BEC

Overall, the IC3 received over 351,000 reports of Internet-enabled theft, fraud, and exploitation last year, which was up from 301,000 in the year before. That said, it is safe to say that far more crimes go unreported, so the actual figures are likely to be much higher.

Either way, the most-reported type of crime was the non-payment/non-delivery scam, followed by extortion. The number of complaints about extortion-related fraud – where attackers demand money on pain of releasing sensitive materials, hitting the target with DDoS attacks, or putting a hit on them – surged by 242% annually.

Meanwhile, the number of reported ransomware victims actually fell from just under 1,800 in 2017 to 1,500 last year, but the losses rose significantly – from US$2.3 million to US$3.6 million, without even considering other costs such as lost businesses, productivity, etc. Again, this only includes cases that were reported to the IC3.