Email Security

Business Email Compromise Still Reigns

Last month, the Federal Bureau of Investigation's Internet Crime Complaint Center (IC3) released its 2018 Internet Crime Report. The annual report gives readers a glimpse of the types of cybercrime being reported to the FBI and the threat trends the Bureau responded to over the past year. In 2018 alone, the IC3 received more than 350,000 complaints, an average of more than 900 a day, representing an estimated $2.7 billion in losses from reported cybercrime. Business Email Compromise (BEC) and Email Account Compromise (EAC) fraud accounted for nearly $1.3 billion of that adjusted loss, almost half of the total reported for 2018.

Why is BEC so prevalent?

BEC/EAC scams cost nearly $1 billion more in adjusted losses than the next most costly category, confidence/romance fraud, which accounted for $362 million. That gap alone shows how dominant BEC has become. Looking at the criminal market for stolen corporate email accounts, researchers at Digital Shadows found that access to a compromised corporate mailbox can be bought for as little as $150. According to the FBI, these scams, which target both businesses and individuals, have caused $12 billion in losses since October 2013. Attackers have no shortage of targets, either: more than 33,000 accounting department email credentials are already publicly exposed, along with 12.5 million email archive files sitting on misconfigured online file stores.

Mitigating BEC risks

BEC scams are increasingly profitable for threat actors, and the valuable information that sits in email inboxes keeps drawing them back. Organizations may not be able to eliminate the risk entirely; however, tightening processes will keep data exposure to a minimum.

• Update security awareness training content to include BEC scenarios.

• Develop BEC contingency plans per existing incident response/business continuity planning for ransomware and malware.

• Build in manual controls, including multiple-person authorization, for approving significant wire transfers, working with your wire transfer application vendors to enforce them.

• Monitor for exposed credentials, including finance department emails and user accounts that could be used to perform account takeovers.

• Conduct ongoing assessments of executives’ digital footprints and take measures to remove sensitive data that could leave them exposed. 

• Set limits for third parties who may inadvertently create risk. Contractors who back up their email to Network Attached Storage (NAS) devices should set a password and disable guest/anonymous access, and should prefer NAS devices that are secured by default.
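The multiple-person authorization control above is easy to state and easy to get subtly wrong (the requester counting as an approver, the same person approving twice, a payment released to bank details that were changed hours earlier). The following is an added example, not code from the article, the FBI or any payment vendor, of a release gate that enforces those rules; the thresholds, hold period, user names and sample transfers are constructed assumptions.

```python
"""Added example (not the article's or the FBI's code): a release gate for
outbound wire transfers that enforces multi-person authorization and holds
payments to recently changed beneficiary details. Thresholds, names and the
sample transfers are constructed assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed policy values; a real deployment would take these from the
# payment system's configuration.
DUAL_APPROVAL_THRESHOLD = 10_000        # two distinct approvers at or above this
TRIPLE_APPROVAL_THRESHOLD = 100_000     # three distinct approvers at or above this
BENEFICIARY_HOLD = timedelta(days=3)    # hold payments to newly changed bank details


@dataclass
class Transfer:
    ref: str
    amount: float
    requested_by: str
    approvers: List[str] = field(default_factory=list)
    # When the beneficiary's bank details were last modified, if ever.
    beneficiary_changed_at: Optional[datetime] = None


def required_approvals(amount: float) -> int:
    """Number of distinct approvers the amount requires under the assumed policy."""
    if amount >= TRIPLE_APPROVAL_THRESHOLD:
        return 3
    if amount >= DUAL_APPROVAL_THRESHOLD:
        return 2
    return 1


def release_decision(t: Transfer, now: datetime) -> Tuple[bool, List[str]]:
    """Return (release_allowed, reasons_for_refusal)."""
    reasons = []
    # Segregation of duties: the requester never counts as an approver,
    # and an approval from the requester is itself a red flag.
    if t.requested_by in t.approvers:
        reasons.append("requester approved their own transfer")
    distinct = set(t.approvers) - {t.requested_by}
    need = required_approvals(t.amount)
    if len(distinct) < need:
        reasons.append(f"needs {need} distinct approvers, has {len(distinct)}")
    # A BEC actor typically swaps the beneficiary's account details shortly
    # before the payment; hold such transfers for out-of-band verification.
    if t.beneficiary_changed_at is not None and now - t.beneficiary_changed_at < BENEFICIARY_HOLD:
        reasons.append("beneficiary bank details changed within hold period; "
                       "verify by phone on a previously known number")
    return (not reasons, reasons)


def evaluate_samples():
    """Run the gate over constructed transfers; returns {ref: (allowed, reasons)}."""
    now = datetime(2019, 5, 6, 9, 0)
    samples = [
        Transfer("T1", 4_500, "alice", ["bob"]),                      # small, one approver
        Transfer("T2", 48_000, "alice", ["alice", "bob"]),            # requester self-approved
        Transfer("T3", 48_000, "alice", ["bob", "bob"]),              # same approver twice
        Transfer("T4", 250_000, "alice", ["bob", "carol", "dan"],
                 beneficiary_changed_at=now - timedelta(hours=20)),  # bank details just changed
        Transfer("T5", 250_000, "alice", ["bob", "carol", "dan"],
                 beneficiary_changed_at=now - timedelta(days=30)),   # clean high-value transfer
    ]
    return {t.ref: release_decision(t, now) for t in samples}


if __name__ == "__main__":
    for ref, (allowed, reasons) in evaluate_samples().items():
        print(ref, "RELEASE" if allowed else "HOLD", reasons)
```

Of the constructed transfers, only T1 and T5 are released; T2 and T3 fail the distinct-approver rule and T4 is held because the beneficiary's bank details changed within the hold period. The hold is the piece most worth keeping: BEC payments usually go through with every approval in place, because the approvers were deceived rather than bypassed, so the control that actually catches the fraud is the pause for verification over a channel the attacker does not control.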

In addition to these precautions, the IC3's dedicated Recovery Asset Team (RAT), established in February 2018 to open more direct communication channels with financial institutions in order to combat BEC/EAC fraud, has reported a recovery rate of 75%. A new IC3 role, the Victim Specialist-Internet Crimes (VSIC), provides crisis intervention and critical resources to victims of cybercrime.

A look at other attacks

According to the FBI, extortion-style attacks also increased in 2018, rising 242% from the previous year and resulting in a reported $83 million in losses. The majority of extortion complaints handled by the IC3 were related to the mass sextortion campaigns being distributed in the latter half of the year. 

Less common than BEC fraud, but noteworthy for its high financial impact, are payroll diversion scams. In this scheme, a threat actor gains access to an employee's payroll account, disables any notifications that would alert the employee to account changes, and replaces the employee's direct deposit information with account details the attacker controls. According to IC3's statistics, payroll diversion averaged $1 million per incident compared to BEC's almost $59,000. From the 100 complaints of victims reportedly affected by a payroll diversion scam, the combined losses totaled $100 million.
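The sequence described above (new session, notifications switched off, direct deposit changed) is a detectable pattern in the audit trail of an HR self-service portal. The following is an added example, not code from the article or the IC3, of a detection run over a constructed audit log; the event names, the 24-hour correlation window and the log lines are assumptions, and it goes slightly beyond the article by also treating a recent password change or MFA reset as a precursor signal.

```python
"""Added example (not the article's or the IC3's code): a detection over HR
self-service audit events for the payroll diversion pattern. Event names,
the correlation window and the sample log are constructed assumptions;
map them to whatever your HR platform actually emits."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumed correlation window

# Constructed sample audit log (not real data). Fields: timestamp,user,event,source_ip
SAMPLE_LOG = """\
2019-04-20T10:00:00,dave,LOGIN,10.1.4.40
2019-04-25T09:00:00,bob,LOGIN,10.1.4.30
2019-05-01T08:02:11,alice,LOGIN,10.1.4.22
2019-05-01T08:03:40,alice,VIEW_PAYSLIP,10.1.4.22
2019-05-02T22:14:05,alice,LOGIN,203.0.113.45
2019-05-02T22:15:10,alice,NOTIFICATIONS_DISABLED,203.0.113.45
2019-05-02T22:16:30,alice,DIRECT_DEPOSIT_CHANGED,203.0.113.45
2019-05-03T09:10:00,bob,LOGIN,10.1.4.30
2019-05-03T09:12:00,bob,DIRECT_DEPOSIT_CHANGED,10.1.4.30
2019-05-03T09:20:00,carol,LOGIN,10.1.4.31
2019-05-03T09:21:00,carol,NOTIFICATIONS_DISABLED,10.1.4.31
2019-05-04T10:00:00,dave,LOGIN,10.1.4.40
2019-05-04T10:05:00,dave,NOTIFICATIONS_DISABLED,10.1.4.40
2019-05-04T10:06:00,dave,DIRECT_DEPOSIT_CHANGED,10.1.4.40
2019-05-09T09:21:00,carol,DIRECT_DEPOSIT_CHANGED,10.1.4.31
"""

# Events that, seen shortly before a bank-detail change, point to an account
# takeover rather than a legitimate update (assumed event names).
PRECURSOR_EVENTS = {
    "NOTIFICATIONS_DISABLED": "change notifications disabled shortly before the update",
    "PASSWORD_CHANGED": "password changed shortly before the update",
    "MFA_RESET": "MFA reset shortly before the update",
}


def parse_log(text):
    """Parse CSV audit lines into (timestamp, user, event, source_ip), oldest first."""
    rows = [(datetime.fromisoformat(ts), user, event, ip)
            for ts, user, event, ip in csv.reader(io.StringIO(text))]
    rows.sort()
    return rows


def detect_payroll_diversion(rows, window=WINDOW):
    """Return one alert dict per DIRECT_DEPOSIT_CHANGED event that has suspicious context."""
    first_seen = defaultdict(dict)   # user -> {source_ip: first time this user was seen from it}
    recent = defaultdict(list)       # user -> events still inside the window
    alerts = []
    for ts, user, event, ip in rows:
        first_seen[user].setdefault(ip, ts)
        recent[user] = [e for e in recent[user] if ts - e[0] <= window]
        if event == "DIRECT_DEPOSIT_CHANGED":
            signals = []
            # An IP the user has never used before the current session is the
            # classic sign of a stolen credential, not a home-office move.
            if ts - first_seen[user][ip] <= window:
                signals.append("update came from an IP first seen for this user within the window")
            for _, prior_event, _ in recent[user]:
                msg = PRECURSOR_EVENTS.get(prior_event)
                if msg and msg not in signals:
                    signals.append(msg)
            if signals:
                alerts.append({"user": user, "ts": ts, "source_ip": ip,
                               "severity": "high" if len(signals) >= 2 else "medium",
                               "signals": signals})
        recent[user].append((ts, event, ip))
    return alerts


if __name__ == "__main__":
    for a in detect_payroll_diversion(parse_log(SAMPLE_LOG)):
        print(a["severity"].upper(), a["user"], a["ts"].isoformat(), a["source_ip"], a["signals"])
```

On the constructed log this fires twice: a high-severity alert for alice (new IP plus notifications disabled two minutes before the change) and a medium one for dave (known IP, but notifications disabled first). bob's change from his usual address with no precursor and carol's change six days after disabling notifications fall outside the pattern. Note the cold-start problem: a user with no history is "new" from every address, so seed first-seen data from a few weeks of logs before trusting the new-IP signal, and treat the detection as a trigger for a confirmation call rather than as proof.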

IC3 complaints and reported losses are increasing

Since 2014, complaints to the IC3 have increased steadily, but 2018 saw an alarming escalation: approximately 50,000 more complaints than in 2017, nearly 15 times the previous year's increase.

The FBI maintains national and global partnerships with public and private sector organizations and can bring the full weight of the U.S. intelligence community to bear in its investigations. In the immediate aftermath of a potential incident or attack, the FBI recommends that companies:

• Follow the company emergency plan and start protecting data

• Call the local FBI field office

• Either preserve the original media as evidence or make a forensic image

• Conduct internal analysis from a copy rather than original (if possible)

• Gather all pertinent log files, including DNS, firewall, proxy and system event logs, and contact your ISP about the possibility of additional logs

• Conduct damage assessment including damage valuation

The above information can be extremely helpful to investigators. If you wish to file a complaint directly, visit the Internet Crime Complaint Center online.
