FBI: Business Email Compromise: The $43 Billion Scam

According to the FBI, business email compromise (BEC) and email account compromise (EAC) losses have surpassed $43 billion globally. BEC/EAC is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.

STATISTICAL DATA

The BEC/EAC scam continues to grow and evolve, targeting everything from small local businesses to larger corporations, as well as personal transactions. Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses, a figure that includes both actual and attempted loss in United States dollars.

Derived from filings with financial institutions between June 2016 and December 2021:

Domestic and international incidents: 241,206

Domestic and international exposed dollar loss: $43,312,749,946

The following BEC/EAC statistics were reported in victim complaints to the IC3 between October 2013 and December 2021:

Total U.S. victims: 116,401

Total U.S. exposed dollar loss: $14,762,978,290

Total non-U.S. victims: 5,260

Total non-U.S. exposed dollar loss: $1,277,131,099

Experts' Comments

May 06, 2022
John Gunn
CEO
Token

The losses are massive and growing but these numbers don't reveal the full threat. Consider that very few companies will report an attack unless they suffer a significant loss and you can see that the volume of attacks is likely an order of magnitude greater. The best defense remains a rock-solid multifactor authentication solution that eliminates the risks associated with compromised user credentials and stolen passwords. This prevents unauthorized access to email accounts and would prevent more than half of the successful attacks.

May 06, 2022
Dave Cundiff
Vice President
Cyvatar

Reading the FBI’s report tends to hold true to expected trends given the attack visibility over the last couple of years. There has been some speculation of the pandemic creating a more target-rich environment, and while I believe this to be true in a number of cases, I believe the business email and email account compromises are simply more noticeable with the remote work force.

Unpatched Exchange servers and exposure were still occurring pre-pandemic, and I would contend, given the frequency of patching, most likely still are occurring now. However, the phishing attacks and users unknowingly freely giving up their passwords are the most likely culprit in these cases. A focus on user education and a move to at least some form of multifactor authentication is needed across the user space, both in a personal and professional capacity. Far too many users will interconnect email and calendar services to make their lives more efficient, not realizing the risk they introduce.
