Earlier this week, the FBI Internet Crime Complaint Center (IC3) released their 2020 Internet Crime Report, with updated statistics on Business Email Compromise (BEC), Email Account Compromise (EAC), and COVID-19 scams. This article compiles our reading of the trends highlighted in the report, showing how some things changed while others remained largely the same.
BEC and EAC Remain the Costliest Scams
The Internet Crime Report reveals an interesting BEC pattern. While there was a reduction in the number of BEC/EAC complaints (from 20,373 in 2018 to 19,369 in 2020), the reported losses increased year-over-year, from $1.29 billion in 2018 to $1.86 billion in 2020.
It’s likely that attackers have refined their BEC tactics and are confident enough to pursue higher dollar amounts in their scams. While other forms of cybercrime continue to endanger organizations’ security processes and peace of mind, BEC and EAC remain the forerunners in harming bank balances.
Fig: BEC and EAC complaints fell in 2020, but reported dollar losses increased YOY from 2018 to 2020
Learn how a typical BEC attack works in What Is Business Email Compromise? A Definitive Guide to BEC
The IC3 report also spotlights the evolution of BEC and EAC attacks since 2013, when the FBI first started tracking them. While these attacks began as relatively simple email spoofs requesting fraudulent wire payments, they have grown to encompass attacks like payroll diversion fraud, vendor email compromise, and industry-focused scams targeting sectors like real estate and healthcare.
Fig: The evolution of targeted email attacks
The Phishing Problem Persists
Since phishing attacks have existed for a long time, you might assume that the problem has already been solved. However, stats from the 2020 Internet Crime Report tell another story.
The IC3 received 241,342 complaints on phishing and related attacks like smishing, vishing, and pharming in 2020. This number increased by almost 110% from 2019 when they received 114,702 complaints.
Since these numbers constitute only reported complaints, we can assume that the real phishing impact numbers are much higher than those presented in the report.
Fig: Number of complaints on phishing, smishing, vishing, and pharming attacks increased by 110% from 2019 to 2020
This trend aligns with what the Armorblox threat research team has observed, mainly related to a consistent increase in 0-day credential phishing attacks. We have seen cybercriminals exploit Google and other free online services, impersonate known brands, and use voice in combination with email in their attempts to extract victims’ credentials.
Exploiting Trust in a Year of Uncertainty
In 2020, the IC3 received over 28,500 COVID-19 related complaints. Additionally, in mid-April of 2020, Google’s Threat Analysis Group reported that they detected 18 million COVID-19 themed malware and phishing emails per day.
During times filled with volatility and uncertainty, our brains tend to take specific shortcuts on whom to trust. We lean into trusting people we know, entities with authority, and anyone who can help reduce our uncertainty. Thus, it is disappointing (but not surprising) to see government impersonation attacks reported by the IC3 rise in 2020.
Scammers also exploited trust by replicating processes that the government had already instituted. Scammers hijacked these government measures to steal money and data, whether it was unemployment insurance, small business loans, vaccination programs, or stimulus checks.
Since the programs were already in place, scammers did not have to employ any sophisticated tradecraft other than asking for money or PII by pretending to be someone else.
Armorblox has observed persistent email attacks that use COVID-19 as a lure. Read COVID Email Scams Aren’t Going Away to learn more.
Socially Engineering the Most Vulnerable
The report highlighted some sobering statistics on how cybercriminals continue to use social engineering techniques to prey on vulnerable people.
Most COVID-19 related scams involved attackers fraudulently submitting unemployment insurance claims after stealing victims’ identities. In addition, the Paycheck Protection Program (PPP) and small business Economic Injury Disaster Loans were also used in scams, harming people and businesses that were already most at risk from pandemic-related upheaval.
If we look at cybercrime victims by age group, almost 22% of all complaints involved victims over 60, with reported losses above $966 million. People over the age of 60 are often the subjects of romance scams, grandparent scams, caregiver scams, and charity scams.
Given how uncertain and isolating 2020 was for all of us, the average person would be even more likely to respond to these social engineering cues.
Guidance and Recommendations
If you or your organization are victims of a BEC attack, the IC3 provides the following guidance:
- Contact the originating financial institution as soon as fraud is recognized to request a recall or reversal.
- File a detailed complaint with www.ic3.gov.
- Never make any payment changes without verifying them with the intended recipient directly.
- Visit the IC3 website regularly for updated PSAs regarding BEC trends and other fraud schemes targeting specific populations or industries.
Here are some additional security hygiene recommendations from the Armorblox team:
- Follow MFA and password management best practices:
  - Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
  - Don’t use the same password on multiple sites/accounts.
  - Use password management software to store your account passwords.
  - Avoid using passwords that reference your publicly available information (date of birth, anniversary date, etc.).
  - Don’t repeat passwords across accounts or use generic passwords such as your birth date, ‘password123,’ ‘YourName123,’ etc.
Watch out for social engineering cues
As most inboxes today are overflowing with unreads, we know that ‘read every email rationally’ is not realistic advice.
Nonetheless, everyone should carefully engage with emails related to money or data requests. Subject the email to an eye test that includes inspecting the sender name, email address, the language within the email, and any logical inconsistencies.
- Why is the IRS asking for my social security number over email?
- Why is a known vendor changing bank account details the day before an invoice is due?
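An added example, not code from the article or from Armorblox: a small Python check that applies the eye test above to a raw message and lists the cues it finds (sender name vs. address domain, a Reply-To pointing elsewhere, money or PII request wording, time pressure). The vendor list and both sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: a "vendor changed bank details" message showing the cues
# discussed above. Not a real message; the domains are placeholders.
SAMPLE_VENDOR_BANK_CHANGE = """\
From: Acme Supplies Accounts <ap@acme-supp1ies.example>
Reply-To: billing@free-mail.example
To: ap@victim.example
Subject: Updated bank account details for invoice 4471

Hello, please update our bank account details before tomorrow's payment.
"""

# Constructed benign message from the real vendor domain, for comparison.
SAMPLE_BENIGN = """\
From: Acme Supplies <ap@acme-supplies.example>
To: ap@victim.example
Subject: Monthly catalog

Here is our catalog for this month.
"""

# Assumed vendor directory: display-name keyword -> the domain it should use.
KNOWN_VENDORS = {"acme supplies": "acme-supplies.example"}
# Wording that warrants a slower read and out-of-band verification.
MONEY_OR_PII_CUES = ("bank account", "wire", "payment", "social security number", "password")
TIME_PRESSURE_CUES = ("before tomorrow", "urgent", "today", "immediately")

def email_eye_test(raw: str) -> list[str]:
    """Return the social engineering cues found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')} {body.get_content() if body else ''}".lower()

    cues = []
    for name, domain in KNOWN_VENDORS.items():  # display name claims a vendor, domain differs
        if name in display_name.lower() and from_domain != domain:
            cues.append(f"display name claims {name!r} but address domain is {from_domain!r}")
    if reply_domain and reply_domain != from_domain:
        cues.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    if hits := [c for c in MONEY_OR_PII_CUES if c in text]:
        cues.append("requests money movement or PII: " + ", ".join(hits))
    if any(c in text for c in TIME_PRESSURE_CUES):
        cues.append("time pressure language")
    return cues
```

Every cue is a reason to verify the request with the counterparty out of band, not proof of fraud on its own.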
Augment Native Email Security With Additional Controls
For better protection against targeted email attacks like BEC, EAC, and 0-day credential phishing, organizations should invest in technologies that take a materially different approach to threat detection from built-in email security controls like Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MSDO).
Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2020 and should be a good starting point for your evaluation.
For more email security tips, threat research, and industry trends, join the Armorblox mailing list. If you’re reevaluating your email security stack and are interested in augmenting your built-in email security, schedule a demo with Armorblox to learn how we stop BEC and other targeted phishing attacks using Natural Language Understanding.