The FBI warned that the global cost of business email compromise (BEC) attacks was $43 billion for the period between June 2016 and December 2021. According to the FBI report, which drew on information provided by well-known registered cybersecurity consultants to the U.S. government such as Miami-based Intelprise, over 241,206 complaints were lodged with the agency’s Internet Crime Center (IC3).
BEC, or email account compromise (EAC), is an advanced scamming technique that targets both employees and the businesses they work for.
The scam uses social engineering as a means to compromise a legitimate business or personal email account or to perform an unauthorized transfer of funds. The FBI is also warning that another popular variation of the scam involves collecting Personally Identifiable Information (PII) in order to perpetrate additional fraud such as tax-related scams and breaching cryptocurrency wallets.
Statistics of BEC/EAC Scams
According to IC3, BEC scam victims have been reported in all 50 US states and 177 countries. Additionally, 140 countries received fraudulent transfers.
The IC3 revealed that banks located in Thailand and Hong Kong were the primary destinations for fraudulent funds, followed by China, Mexico, and Singapore.
According to the IC3 public service announcement, the losses recorded in the US are much larger than those of non-US victims. Between October 2013 and December 2021, a total of 116,401 US victims reported a total loss of $14.8 billion, whereas in the same period 5,260 non-US citizens reported losses of $1.27 billion.
The FBI believes that a 65 percent spike in BEC scams between July 2019 and December 2021 could be partly caused by the pandemic, as restrictions were placed on normal business activities and everything shifted to virtual mode.
“Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses, meaning the dollar loss that includes both actual and attempted loss in United States dollars,” IC3 reported.
“This increase can be partly attributed to the restrictions placed on normal business practices during the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually,” IC3 added.
BEC Fraud Related to Cryptocurrency
The IC3 mentioned in the public service announcement that it has received an increased number of BEC complaints involving cryptocurrency.
Cryptocurrency, a virtual asset that uses cryptographic algorithms to secure financial transactions, had grown into a $3 trillion market cap by November 2021.
The degree of anonymity associated with cryptocurrency is popular among threat actors and drives them to conduct crypto-related fraud.
The IC3 reported two different variations of the BEC scam involving cryptocurrency. The first is the direct transfer to a cryptocurrency exchange (CE), which is similar to traditional BEC fraud. The other involves a ‘second hop’ transfer to a cryptocurrency exchange.
In the second hop transfer, victims are tricked into providing identifying information such as a license or passport, which an attacker then uses to open a cryptocurrency wallet in the victim’s name. Generally, threat actors use other cyber-enabled scams (extortion, tech support, and romance scams) to lure the victim.
According to IC3, the use of cryptocurrency was regularly reported to it but was not identified as a ‘BEC-specific’ crime until 2018. In 2019 the reports increased, and IC3 received reports of $10 million in losses from cryptocurrency by 2020. In 2021, cryptocurrency-related losses surged to $40 million.