According to the FBI, business email compromise (BEC) and email account compromise (EAC) losses have surpassed $43 billion globally. BEC/EAC is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.
STATISTICAL DATA
The BEC/EAC scam continues to grow and evolve, targeting everything from small local businesses to large corporations, as well as personal transactions. Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses. Exposed loss means the dollar amount of both actual and attempted loss, in United States dollars.
Derived from filings with financial institutions between June 2016 and December 2021:
Domestic and international incidents: 241,206
Domestic and international exposed dollar loss: $43,312,749,946
The following BEC/EAC statistics were reported in victim complaints to the IC3 between October 2013 and December 2021:
Total U.S. victims: 116,401
Total U.S. exposed dollar loss: $14,762,978,290
Total non-U.S. victims: 5,260
Total non-U.S. exposed dollar loss: $1,277,131,099
The losses are massive and growing, but these numbers don't reveal the full threat. Very few companies report an attack unless they suffer a significant loss, so the actual volume of attacks is likely an order of magnitude greater. The best defense remains a rock-solid multifactor authentication solution that eliminates the risks associated with compromised user credentials and stolen passwords. Preventing unauthorized access to email accounts in this way would prevent more than half of the successful attacks.
The FBI's report largely matches the trends expected from attack visibility over the last couple of years. There has been some speculation that the pandemic created a more target-rich environment, and while I believe this to be true in a number of cases, I believe business email and email account compromises are simply more noticeable with a remote workforce.
Unpatched Exchange servers and their exposure were occurring before the pandemic, and given the frequency of patching, I would contend they most likely still are. However, phishing attacks and users unknowingly giving up their passwords are the most likely culprit in these cases. A focus on user education and a move to at least some form of multifactor authentication is needed across the user space, both in a personal and a professional capacity. Far too many users interconnect email and calendar services to make their lives more efficient without realizing the risk they introduce.