Business Email Compromise Losses Climb to $26 Billion

The FBI Internet Crimes Complaint Center (IC3) issued a new alert yesterday, with updated statistics on Business Email Compromise (BEC) attacks. Global exposed dollar losses between June 2016 and July 2019 totaled $26,201,775,589. That translates to more than $26 billion lost over three years, or over $300 million a month.

These numbers align with those reported by the Financial Crimes Enforcement Network (FinCEN), a division of the US Treasury, just a month ago. BEC continues to pose significant financial risk to organizations globally.

According to the alert, BEC scams have been reported in all 50 states in the U.S., as well as 177 countries. Fraudulent wire transfers have been sent to over 140 countries, but banks in China and Hong Kong remain the primary destinations.

Payroll Diversions

The alert also notes a dramatic spike in the number of payroll diversion incidents reported. Complaints increased 815% between January 2018 and July 2019. Payroll diversions are a form of BEC scam where the payroll department receives an email appearing to be from an employee, requesting a change to their direct deposit information. This email is sent either using a spoofed email address, or the individual’s email account using stolen credentials.

Figure 1: Payroll diversion losses as reported by FBI IC3

Payroll diversion attacks are usually preceded by a phishing attack designed to steal usernames and passwords. Email is the attack surface in both cases.

BEC as a Top Security Initiative

Given these statistics, it’s not surprising that BEC has become a top security initiative in 2019. As financial losses continue to mount, organizations are struggling to put adequate safeguards in place. Stopping BEC scams requires fixing the underlying business processes.

The FBI recommends adding secondary-channel verification or two-factor authentication to email workflows. But this is easier said than done. CISOs often have to strike a difficult balance between productivity and security. Email pervades because of its simplicity and accessibility, and ingrained workflows are difficult to change.

Figure 2: Top Security Projects in 2019, Neil MacDonald, VP Analyst, Gartner Security & Risk Management Summit 2019

In the absence of workflow changes, CISOs need the tools necessary to gain visibility into these workflows and detect fraudulent emails. All of this requires a contextual understanding of the contents of the email itself. Natural Language Understanding (NLU) Platforms such as Armorblox can understand tone, sentiment, and writing styles to accurately detect BEC attacks and notify end-users before they execute the fraudulent transfers. They can also alert security analysts about insider threats when someone inside your organization is sending BEC emails, either maliciously or as a result of account takeover.

BEC Mitigation Strategies

If you are a victim of a BEC attack, immediately contact the FBI IC3 via their dedicated BEC contact page, as well as your financial institution. Under some circumstances, wire transfers can be blocked or reversed, and you can recover the lost funds. However this requires the funds to remain in the destination accounts. BEC scammers know this, and are quick to transfer the funds out, or convert them to untraceable crypto-currency. Timely detection is critical.

In addition, continue to educate and train your employees to recognize suspected scam emails, and invest in modern email security solutions like Armorblox that can not only detect BEC threats, but also protect your employees by blocking, quarantining, or alerting them about the potential risks.

For more information, read this white paper on Securing the Human Layer, or contact us to see the Armorblox platform in action. You can also subscribe to the Armorblox Blog for regular updates on BEC attacks and other threats.