FBI says business email compromise is a $43 billion scam

The Federal Bureau of Investigation (FBI) said today that the amount of money lost to business email compromise (BEC) scams continues to grow each year, with a 65% increase in the identified global exposed losses between July 2019 and December 2021.

From June 2016 until July 2019, IC3 received victim complaints regarding 241,206 domestic and international incidents, with a total exposed dollar loss of $43,312,749,946.

“Based on the financial data reported to the IC3 for 2021, banks located in Thailand and Hong Kong were the primary international destinations of fraudulent funds,” the FBI said.

“China, which ranked in the top two destinations in previous years, ranked third in 2021 followed by Mexico and Singapore.”

This was revealed in a new public service announcement published on the Internet Crime Complaint Center (IC3) site as an update to a previous PSA from September 2019, when the FBI said losses to BEC attacks reported by victims between June 2016 and July 2019 reached a total of over $26 billion. 

According to the IC3 2021 Internet Crime Report [PDF], BEC scams were the cybercrime type with the highest reported total victim losses last year.

Victims reported losses of almost $2.4 billion in 2021, based on 19,954 recorded complaints linked to BEC attacks targeting individuals and businesses.

BEC scam?

BEC scammers are employing various tactics — including social engineering, phishing, and hacking — to compromise business email accounts which will get used to redirect payments to attacker-controlled bank accounts.

In this type of scam (also known as EAC or Email Account Compromise), the crooks will commonly target small, medium, and large businesses. Still, they’re also attacking individuals if the payout is worth it. 

Their success rate is also very high, given that they generally impersonate someone who has the target’s trust, such as business partners or company executives.

However, “the scam is not always associated with a transfer-of-funds request,” as the FBI explained in the PSA alert.

“One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even crypto currency wallets.”

BEC defense guidance

The FBI also provided guidance on how to defend against BEC scam attempts:

• Use secondary channels or two-factor authentication to verify requests for changes in account information.
• Ensure the URL in emails is associated with the business/individual it claims to be from.
• Be alert to hyperlinks that may contain misspellings of the actual domain name.
• Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
• Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
• Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
• Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.

The federal law enforcement agency advises those who fall victim to BEC fraud to immediately reach out to their bank to request a recall of funds.

They’re also urged to file a complaint with the FBI at BEC.ic3.gov, regardless of the lost amount, and as soon as possible.