FBI: US companies lost $1.3 billion in 2018 due to BEC scams

Ransomware complaints are on the decline, but losses are higher than ever.

FBI: BEC scams cost $1.3 billion to US firms Ransomware complaints are on the decline, but losses are higher than ever.

Losses due to BEC (Business Email Compromise) scams have doubled in 2018, compared to 2017 figures, and have reached a whopping $1.3 billion, according to the yearly FBI internet crime report.

On the other hand, the number of ransomware victim complaints has gone down to 2014 levels, when ransomware attacks first started to become popular across the world; however, financial losses caused by ransomware attacks are now higher than ever, suggesting that crooks are now carefully selecting their victims in order to inflict the greatest damage and obtain the highest payouts.

The BEC scourge

But according to the FBI, by far, the biggest problem for US companies in 2018 were BEC scams, also known as EAC (Email Account Compromise).

BEC/EAC is a sophisticated scam targeting both businesses and individuals performing wire transfer payments.

These scams rely on hackers compromising a legitimate email account, which they use to send out emails to trick employees at the same company or upstream/downstream business partners to wire funds into their accounts, using fake invoices or business contracts.

The term BEC is also used in situations where crooks don't necessarily hack into an employee's email account, but merely spoof a business partner's identity, and use employee's lack of attention to trick them into paying for fake or legitimate contracts to the wrong bank accounts.

As the table below shows, complaints and losses from BEC scams have exploded in recent years, with 2018 passing the one billion mark in terms of damages --marking the first time a form of cybercrime has caused damages of more than $1 billion.

Year
2014
2015
2016
2017
2018
Complaints
1,495
7,837
12,005
15,690
20,373
Losses
$60,294,162
$246,226,016
$138,228,282
$676,151,185 $1,297,803,489

Losses from BEC scams are expected to go even higher in the coming years. This is because BEC scams require little technical skills to carry out, and are also notoriously difficult to detect, as most emails tend to come from (compromised) legitimate accounts, which victims tend to trust.

Ransomware's downfall --or maybe not

But the 2018 Internet Crime Report released yesterday by the FBI's Internet Crime Complaint Center (IC3) also contains another important nugget of information.

It confirms several reports from the cyber-security industry, which for the last year has claimed that most ransomware mass-distribution campaigns have wounded down, and that criminal groups have either moved on to other endeavors (illicit cryptocurrency mining) or switched to targeting only a small number of high-value victims (a tactic known as big-game hunting ransomware).

The FBI internet crime report shows that the age of ransomware mass distribution campaigns has reached its peak in 2015-2016 and is now on the decline, with fewer and fewer victims reporting infections.

Year
2013
2014
2015
2016
2017
2018
Complaints
991 1,402 2,453
2,673
1,783
1,493
Losses
$539,562
$490,577
$1,620,814
$2,431,261
$2,344,365
$3,621,857

But "decline" is probably the wrong word, as even if the number of user complaints has gone down, the losses have actually gone up.

As mentioned before, this is because cyber-criminal groups have adjusted from targeting lowly end users, who can't afford to pay more than $500-$1,000 per ransom, to targeting large companies and government organizations, which will sometimes pay millions of US dollars to regain access to some of their most sensitive business documents.

Tech support scams, email extortion, and payroll diversion

But besides ransomware's downfall and the rise of BEC scams, the FBI also warns that tech support scams are again on the rise, with this type of cybercrime seeing a 161 percent increase in user-reported losses in 2018.

Other threats that saw similar spikes in activity in 2018 include payroll diversion schemes and email-based extortion schemes --and especially sextortion schemes.

Payroll diversion schemes have caused losses of over $100 million, while email extortion attacks have seen a 262 percent rise in complaints and have caused damages of over $82 million.

Additional details and statistics are available in the FBI's 2018 internet crime report, here.

More cybersecurity coverage: