Earlier this week, the FBI Internet Crime Complaint Center (IC3) released its 2020 Internet Crime Report, with updated statistics on Business Email Compromise (BEC), Email Account Compromise (EAC), and COVID-19 scams. This article compiles our reading of the trends highlighted in the report, showing how some things changed while others remained largely, and sadly, the same.
BEC and EAC Remain the Costliest Scams
The Internet Crime Report reveals an interesting BEC pattern. The number of BEC/EAC complaints fell, from 20,373 in 2018 to 19,369 in 2020. However, the reported losses increased year-over-year, from $1.29 billion in 2018 to $1.86 billion in 2020.
It’s likely that attackers have refined their BEC tactics and are now confident enough to go after the bigger fish and/or ask for higher dollar amounts in their scams. While other forms of cybercrime continue to present a danger to organizations’ security processes and peace of mind, BEC and EAC remain the forerunners in harming their bank balance.
Fig: BEC and EAC complaints fell in 2020, but reported dollar losses increased YOY from 2018 to 2020
Arjun, our Head of Engineering, covers how a typical BEC attack works and common attacker techniques used here.
The report also shines a spotlight on the evolution of BEC and EAC attacks since 2013, when the FBI first started tracking them. While these attacks started out as relatively simple email spoofs of CEOs or CFOs requesting fraudulent wire payments, they have grown to encompass attacks such as payroll diversion fraud, vendor email compromise, as well as industry-focused scams targeting sectors like real estate and healthcare.
Fig: The evolution of targeted email attacks
The Phishing Problem Has Not Been Solved
Since phishing attacks have been in the public consciousness for such a long time, one would be forgiven for assuming that the problem has already been addressed. Stats from the 2020 Internet Crime Report tell another story.
The IC3 received 241,342 complaints on phishing and related attacks like smishing, vishing, and pharming in 2020. This number increased by roughly 110% from 2019, where the IC3 got 114,702 complaints. Since these numbers constitute only reported complaints, we can assume that the real phishing impact numbers are much higher than the ones presented in the report.
Fig: Number of complaints on phishing, smishing, vishing, and pharming attacks increased by 110% from 2019 to 2020
This trend aligns with what the Armorblox threat research team has observed, particularly related to a consistent increase in 0-day credential phishing attacks. We have seen cybercriminals exploit Google and other free online services, impersonate known brands, and use voice in combination with email in their attempts to extract victims’ credentials.
Exploiting Trust in a Year of Uncertainty
In 2020, the IC3 received over 28,500 complaints related to COVID-19. In mid-April last year, Google’s Threat Analysis Group reported that they detected 18 million COVID-19 themed malware and phishing emails per day.
During times filled with volatility and uncertainty (2020 certainly fits this description), our brains tend to take certain shortcuts on whom to trust - we lean into trusting people we know, entities with authority, and anyone who can help reduce our uncertainty. Thus, it is disappointing but not surprising to see the rising volume of government impersonation attacks reported by the IC3 in 2020.
Scammers also exploited trust by replicating processes that the government had already instituted. Whether it was unemployment insurance, small business loans, vaccination programs, or stimulus checks - scammers hijacked the context behind all these government measures to steal money and data. Since the context did all the hard work, scammers did not have to employ any sophisticated tradecraft, but rather just ask for money or PII in a persuasive manner by pretending to be someone else.
Armorblox has observed a persistent pattern of email attacks that use COVID-19 as a lure. Read our research advisory note from a couple of months ago if you’re interested to learn more.
Socially Engineering the Most Vulnerable
The report highlighted some sobering statistics on how cybercriminals continue to employ social engineering techniques to prey on vulnerable members of our society. Most of the COVID-19 related scams involved attackers fraudulently submitting unemployment insurance claims after stealing victims’ identities. Paycheck Protection Programs (PPP) and small business economic injury disaster loans were also used in scams, harming people and businesses that were already most at risk from pandemic-related upheaval.
If we look at cybercrime victims by age group, almost 22% of all complaints involved victims over the age of 60, with reported losses in excess of $966 million. People over the age of 60 are often the subjects of romance scams, grandparent scams, caregiver scams, and charity scams. Given how uncertain and isolating 2020 was for all of us, the average person would be even more likely to respond to these social engineering cues.
Guidance and Recommendations
If you or your organization are victims of a BEC attack, the IC3 provides the following notes of guidance:
- Contact the originating financial institution as soon as fraud is recognized to request a recall or reversal.
- File a detailed complaint with www.ic3.gov.
- Never make any payment changes without verifying the change with the intended recipient.
- Regularly visit the IC3 website for updated PSAs regarding BEC trends as well as other fraud schemes targeting specific populations or industries.
Here are some additional security hygiene recommendations from the Armorblox team:
- Follow MFA and password management best practices: Deploy multi-factor authentication (MFA) on all possible business and personal accounts. Never reuse a password across sites or accounts, and use password management software to store your account passwords. Avoid passwords that reference your publicly available information (date of birth, anniversary date, etc.) and generic passwords such as ‘password123’ or ‘YourName123’.
- Watch out for social engineering cues: As most inboxes today are overflowing with unreads, we know that ‘read every email rationally’ is not realistic advice. Nonetheless, everyone should engage with emails that request money or data in a circumspect manner. Subject the email to an eye test that includes inspecting the sender name, the sender email address, the language within the email, and any logical inconsistencies within the email (e.g. why is the IRS asking for my social security number over email, or why is a known vendor changing bank account details the day before an invoice is due?).
- Augment native email security with additional controls: For better protection coverage against targeted email attacks like BEC, EAC, and 0-day credential phishing, organizations should invest in technologies that take a materially different approach to threat detection from that of built-in email security controls like Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MSDO). Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2020, and should be a good starting point for your evaluation.
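The “eye test” above can be partially automated. The following script is an added example, not code from Armorblox or from the IC3 report: it parses a raw email and flags the same cues a careful reader would look for (display name claiming a known vendor from the wrong domain, a Reply-To that diverts replies elsewhere, free webmail used for a business request, and a money/PII request paired with urgency). The two sample messages, the organization domain `example.com`, and the `KNOWN_VENDORS` table are constructed placeholders; the keyword lists are illustrative rather than a complete detection rule set.

```python
"""Heuristic BEC "eye test" over a raw RFC 5322 message (added example)."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: vendor-impersonation payment-change request.
SUSPICIOUS_RAW = """\
From: "Acme Billing" <accounts@acme-invoices-payment.com>
Reply-To: acme.billing.desk@gmail.com
To: ap@example.com
Subject: URGENT: Updated bank account for invoice #4471
Date: Mon, 15 Mar 2021 09:12:44 -0500
Content-Type: text/plain; charset="utf-8"

Hi,

Please note our bank account details have changed effective immediately.
Kindly process the attached invoice to the new account today to avoid
late fees. Do not call; I am in meetings all day.

Thanks,
Acme Billing
"""

# Constructed sample: a routine invoice from the vendor's real domain.
CLEAN_RAW = """\
From: "Acme Billing" <accounts@acme.com>
To: ap@example.com
Subject: Invoice #4470 for March
Date: Mon, 15 Mar 2021 09:40:02 -0500
Content-Type: text/plain; charset="utf-8"

Hello, please find invoice #4470 attached, due in 30 days per our usual terms.
"""

OUR_DOMAIN = "example.com"                       # assumed organization domain
KNOWN_VENDORS = {"acme": "acme.com"}             # constructed: name fragment -> expected domain
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
MONEY_TERMS = ["bank account", "wire", "invoice", "payment", "routing number",
               "social security", "ssn"]
URGENCY_TERMS = ["urgent", "immediately", "today", "do not call", "asap", "avoid late"]


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def eye_test(raw):
    """Return a list of human-readable findings; an empty list means no cue fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(addr), domain_of(reply)

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    # Collapse whitespace so phrases split across lines still match.
    blob = " ".join((msg.get("Subject", "") + " " + text).lower().split())

    # 1. Display name references a known vendor, but the sending domain is not theirs.
    for vendor, expected in KNOWN_VENDORS.items():
        if vendor in name.lower() and from_dom != expected:
            findings.append(f"display name mentions '{vendor}' but sender domain is "
                            f"{from_dom} (expected {expected})")

    # 2. Reply-To diverts the conversation away from the sending domain.
    if reply and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Free webmail used for what claims to be a business request.
    if from_dom in FREEMAIL or reply_dom in FREEMAIL:
        findings.append("free webmail domain used for a business request")

    # 4. Money/PII request combined with pressure to act quickly.
    money = [t for t in MONEY_TERMS if t in blob]
    urgency = [t for t in URGENCY_TERMS if t in blob]
    if money and urgency:
        findings.append(f"money/PII request ({', '.join(money)}) combined with "
                        f"urgency cues ({', '.join(urgency)})")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("clean", CLEAN_RAW)):
        print(f"[{label}] {len(eye_test(raw))} finding(s)")
        for f in eye_test(raw):
            print("  -", f)
```

The point of the clean sample is that a single cue (the word “invoice”) does not fire on its own; it is the combination of a request for money and pressure to act, plus a sender that does not match the vendor it claims to be, that should prompt out-of-band verification before any payment change.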
For more email security tips, threat research, and industry trends, join the Armorblox mailing list. If you’re reevaluating your email security stack and are interested in augmenting your built-in email security, schedule a demo with Armorblox to learn how we stop BEC and other targeted phishing attacks using Natural Language Understanding.