Cybercrime Still Growing: Phishing and Business Email Compromise Lead The Way

Cybercrime led to $3.5 billion in losses in the U.S. last year, according to a newly released FBI Internet Crime Report, which is based on complaints the FBI received. Business email compromise (BEC) scams rose sharply and accounted for nearly half of those losses.

Donna Gregory, the head of the FBI’s Internet Crime Complaint Center, emphasizes that the FBI isn’t seeing a ton of new types of fraud but rather criminals using new tactics and techniques to carry out existing scams.

“Criminals are getting so sophisticated,” Gregory says. “It is getting harder and harder for victims to spot the red flags and tell real from fake.”

Overall, the FBI received nearly 24,000 complaints about BEC scams last year, with a total loss of $1.7 billion. For comparison, during that same time period, 2,047 ransomware attacks were reported to the FBI, with losses of about $8.9 million.

BEC Scam Trends
BEC scams typically start with attackers stealing the email credentials of a top executive through phishing or other methods.

The attackers then impersonate that executive, sending urgent messages to lower-level employees to transfer or wire money to bank accounts. These scams, which typically involve a criminal spoofing a legitimate email address, are a low-cost way to target potentially high-value victims.

Targeting Payroll
In the IC3 report, FBI agents noted an increase in the number of BEC complaints involving fraudsters who target payroll funds in order to divert that money to their own accounts.

“In this type of scheme, a company’s human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period,” according to the report. “The new direct deposit information generally routes to a pre-paid account.”

Targeting Financial Documents
Some cybercriminals are focusing on accessing companies’ financial documents. One criminal group, for example, has turned its attention to stealing “aging reports” from companies’ financial and accounts receivable departments. Aging reports show unpaid invoice balances along with the length of time those balances have been outstanding.

BEC fraudsters are using the details in these aging reports to expand their scams by posing as company officials trying to collect money from clients who have unpaid balances.

Not Going Anywhere
Fraudsters are using BEC scams because they’re relatively easy to launch. All it takes is one spoofed, socially engineered email that plays on the human tendency to respond quickly and act.

It’s far easier to manipulate one person into clicking on an email, providing their login credentials, downloading a PDF from a cloud application, or wiring funds to a fraudulent bank account. Email is an extremely lucrative path for criminals, with an estimated cost of $300 million a month in the U.S. alone.

The best way to counter these schemes is through training and a layered defense network. Always encourage employees to verify financial requests through a trusted channel.
