$1.77 Billion in Losses Due to Business Email Compromise Attacks

The 2019 Internet Crime Report of the Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center (IC3) has just been released. It reveals that cybercrime losses in 2019 topped $3.5 billion. IC3 received 467,361 online and cybercrime complaints, or nearly 1,300 per day.

More than 50% of the losses were caused by business email compromise (BEC) attacks, also called email account compromise (EAC). These attacks involve impersonating an authorized person or business to obtain funds by means of email.

These sophisticated scams usually start with a phishing attack on a manager to obtain email login credentials. The attacker then uses the email account to send a wire transfer request to somebody in the business with access to the company's bank accounts. Sometimes the attacker skips this step and simply spoofs somebody's email account.

Though BEC attacks typically involve wire transfer requests, attacks on HR and payroll departments to reroute employee salary payments to the attacker's bank accounts increased in 2019. The potential revenue from this kind of attack is smaller than from a wire transfer request, but changes to salary payments are unlikely to be questioned, so the attacks have better odds of success.

BEC/EAC attacks are a favorite with cybercriminals because they demand minimal skill, are quick to carry out, and offer sizeable returns when successful. Wire transfer payments are typically in the tens or hundreds of thousands of dollars. Of the 467,361 complaints received, BEC/EAC attacks accounted for just 6.47% (23,775), yet the losses from these attacks were $1.77 billion. They are regarded as the most financially damaging type of cyberattack, with an average resulting cost of $75,000 in 2019.

BEC attacks may cause the biggest losses, but phishing attacks are far more numerous. In 2019, 114,702 phishing attacks were recorded with IC3. Phishing attacks, including pharming (website redirects), vishing (voice) and smishing (SMS), led to $57,836,379 in losses, with an average loss of $504. Email continues to be the most common type of phishing, but voice and SMS-based phishing attacks increased.

Ransomware attacks were certainly in the news in 2019, with dozens of reported attacks on companies, government institutions, healthcare providers, cities, and municipalities. A number of those attacks involved ransom demands above $500,000. Nevertheless, the losses from those attacks were relatively small: only $8,965,847 in ransom payments for 2,047 attacks, an average of $4,400. For 2018, IC3 figures showed a decrease in ransomware attacks and a rise in losses. In 2019, the number of ransomware attacks went up by over 37%, while losses rose by 147.5%.

Note that the real losses from ransomware attacks are significantly bigger, since the IC3 figures do not include outages, remediation expenses, and lost business. In addition, many victims of ransomware attacks quietly pay the ransom and do not report the attacks to IC3.

In the report, IC3 highlighted the importance of reporting cyberattacks and how prompt reporting can help the authorities stop fraudulent transactions and track the people behind an attack.