$55.5 Billion Losses Reported from BEC Attacks
The Federal Bureau of Investigation (FBI) published an alert to businesses concerning the growing threat of Business Email Compromise (BEC) attacks, which have caused global losses of about $55.5 billion in the last decade. BEC scams are sophisticated cyberattacks that target organizations and individuals, particularly those involved in handling sensitive financial transactions. The goal of these attacks is to deceive victims into making fraudulent wire transfers to attacker-controlled accounts, resulting in financial loss.
BEC scams typically begin with phishing attempts or social engineering tactics that allow cybercriminals to breach email accounts. Attackers may use stolen credentials or computer intrusions to gain access. Once inside an email account, the attacker searches the inbox for information that can be exploited. Often, the attacker monitors ongoing communications and takes over conversations by impersonating the account owner, mimicking their writing style and tone so that the fraudulent requests appear genuine.
In many BEC attacks, C-suite executives like the CEO, CFO, or other high-ranking members of an organization are impersonated. The cybercriminals send urgent-sounding requests to employees in the finance department, directing them to wire money to accounts under the attacker’s control. These fraudulent requests often involve wire transfers to banks in countries such as China, Hong Kong, the United Kingdom, Mexico, and the UAE, although domestic accounts can also be targeted. Once the money is transferred, it is quickly moved to other financial institutions, making it difficult, if not impossible, to recover the funds if the scam isn’t discovered immediately.
As per the FBI’s Internet Crime Complaint Center (IC3), from October 2013 to December 2023, over 305,000 BEC incidents were reported globally, amounting to $55.5 billion in losses. In the United States, 158,436 victims suffered over $20 billion in losses. These figures likely underrepresent the true scope of the issue, as many BEC scams are unreported.
BEC attacks affect organizations of different sizes, including small businesses and big companies, and the frequency of these attacks has continued to rise. From December 2022 to December 2023, the FBI reported a 9% increase in global BEC losses. In 2023, there was also an uptick in BEC attacks where stolen funds were transmitted into financial institutions running custodial accounts used by third-party payment processors or cryptocurrency exchanges. This shift in attack methods contributed to the overall increase in losses during that period.
To combat the growing threat of BEC scams, the FBI has offered the following recommendations for improving defenses:
1. Use unique, complex passwords or passphrases for all email accounts and change them regularly.
2. Implement multifactor authentication (MFA) on accounts.
3. Use spam filtering and anti-phishing solutions to help block attempts to compromise email accounts at the initial stages of an attack.
4. Provide security awareness training as part of HIPAA training to help employees recognize and respond to scams.
5. Verify URLs and hyperlinks. Check if the URL in the email matches the business or individual it claims to represent and check for misspellings.
6. Configure email clients to display the full sender address rather than only the display name, so that suspicious or spoofed email addresses are easier to identify.
7. To prevent fraudulent financial transfers, use two-factor authentication to validate requests for changing account information or new transfer requests.
8. Evaluate financial accounts to identify irregularities, such as unauthorized transfers or missing deposits.
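Recommendations 5 and 6 both come down to looking past the display name at the actual sender address. The script below is an added illustration of how a mail gateway or SOC rule might automate that check; it is not code from the FBI alert or from IC3. The trusted domain (example-corp.com), the executive name, and the three email messages are all constructed for the example. It flags a sender domain within a small edit distance of the organization's own domain (a lookalike such as "examp1e-corp.com"), a known executive's display name paired with an address that is not that executive's, and a Reply-To header pointing at a different domain than the From header (the pattern used when a spoofed From header is paired with an attacker-controlled reply address).

```python
"""Flag inbound mail whose sender looks like an impersonation of a trusted domain or executive.

Added example, not code from the FBI alert. All domains, names and messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organization's own domain and its executives (hypothetical values).
TRUSTED_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Domains this close (in edits) to a trusted domain are treated as lookalikes.
LOOKALIKE_MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(raw_message: str) -> list[str]:
    """Return a list of human-readable findings for one RFC 5322 message (empty = nothing suspicious)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. Sender domain is not ours but is only a character or two away from ours.
    dom = domain_of(addr)
    if dom and dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            distance = levenshtein(dom, trusted)
            if 0 < distance <= LOOKALIKE_MAX_DISTANCE:
                findings.append(f"lookalike domain {dom!r} (distance {distance} from {trusted!r})")

    # 2. Display name claims to be an executive but the address is not that executive's.
    name = display.strip().lower()
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append(f"display name {display!r} does not match known address {EXECUTIVES[name]!r}")

    # 3. Replies would go somewhere other than the domain the mail claims to come from.
    if reply_addr and domain_of(reply_addr) != dom:
        findings.append(f"Reply-To domain {domain_of(reply_addr)!r} differs from From domain {dom!r}")

    return findings


# Constructed sample messages (headers only matter for this check).
SAMPLES = {
    "legitimate": (
        "From: Jane Doe <jane.doe@example-corp.com>\n"
        "Subject: Q3 numbers\n\nAttached as discussed.\n"
    ),
    "lookalike_domain": (
        "From: Jane Doe <jane.doe@examp1e-corp.com>\n"
        "Subject: Urgent wire\n\nPlease process the attached transfer today.\n"
    ),
    "external_reply_to": (
        "From: Jane Doe <jane.doe@example-corp.com>\n"
        "Reply-To: jane.doe@mail.invalid\n"
        "Subject: Vendor bank details\n\nUpdate the account on file, reply here.\n"
    ),
}


def scan_all() -> dict[str, list[str]]:
    """Run the check over every sample; used for the stand-alone demo below."""
    return {label: check_sender(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in scan_all().items():
        print(f"{label}: {'clean' if not findings else '; '.join(findings)}")
```

The edit-distance and display-name heuristics only help when the legitimate domain and executive list are kept current, and the Reply-To check assumes the From header is already trusted; in practice the From header itself is validated by SPF, DKIM and DMARC at the gateway, and this kind of rule complements those checks rather than replacing them. A hit should route the message to review and, per recommendation 7, any payment or account-change instruction it carries should be confirmed through a second channel regardless of what the headers say.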
In cases where fraudulent wire transfers are discovered, the FBI advises contacting the financial institution immediately to freeze the funds. The scam should be reported to the FBI’s IC3 to get help in recovering the stolen funds.