FBI: Email fraud keeps getting worse. Here's how to protect yourself

Business email fraud just keeps getting worse for victims and cryptocurrency transfers have exploded.

How hackers abuse tools you trust to snoop around your network

The FBI has warned that business email compromise (BEC) fraud cost businesses around the world $43 billion in losses during the period between June 2016 and December 2021. 

The FBI's Internet Crime Center (IC3) logged a whopping 241,206 complaints in the four-and-a-half-year period, with losses totaling $43 billion, according to a new public service announcement

BEC fraud was the biggest category of cybercrime by financial losses in 2021, according to IC3. BEC cost businesses $2.4 billion in 2021, up from $1.8 billion in 2020

SEE: Google: Multiple hacking groups are using the war in Ukraine as a lure in phishing attempts

US losses recorded by the FBI are much larger than losses reported by victims in non-US jurisdictions. Between October 2013 and December 2021, 116,401 victims reported total losses of $14.8 billion. In that period, 5,260 non-US victims reported losses of $1.27 billion.       

BEC is a global problem. The scam has been reported in all 50 US states and by victims in 177 countries. Meanwhile, over 140 countries have received fraudulent transfers, according to IC3. However, banks located in Thailand and Hong Kong were the primary destination for the funds, followed by China, Mexico and Singapore. 

BEC scams are considered a sophisticated ruse that targets business and individuals who are duped into transferring funds to the scammer's account under the belief they are performing a legitimate transaction. 

The FBI believes the pandemic and the shift to everything online spurred a 65% growth in BEC fraud losses between July 2019 and December 2021.

"Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses, meaning the dollar loss that includes both actual and attempted loss in United States dollars," IC3 notes. 

"This increase can be partly attributed to the restrictions placed on normal business practices during the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually."

It also reports an uptick in complaints involving cryptocurrency transfers. 

The value of cryptocurrency today had a market cap of $3 trillion in November, up from just $14 billion five years ago, the US secretary of the Treasury recently noted.

SEE: The Emotet botnet is back, and it has some new tricks to spread malware

The two main forms of BEC involving cryptocurrency were direct transfers, just like traditional BEC fraud, while the second involved a "second hop", usually to a cryptocurrency exchange. In both situations, the victim is unaware that the funds are being sent to be converted to a cryptocurrency, says IC3. 

Second hop transfers often involves tricking the victim into providing identity documents, such as a drivers license or passport, which the attacker uses to open cryptocurrency wallets in the victim's name. In 2020, IC3 received reports of $10 million in losses from victims involving cryptocurrency. By 2021, the value of cryptocurrency-related losses ballooned to $40 million. 

FBI advice for protecting yourself includes:

  • Use two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business or individual it claims to be from.
  • Be alert to fake hyperlinks that may contain misspellings of the actual domain name.
  • Avoid supplying login credentials or personal information via email. 
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender's address appears to match who it is coming from.
  • Ensure the settings in employees' computers allow full email extensions to be viewed.
  • Monitor your personal financial accounts on a regular basis for irregularities.
Show Comments