Loss to BEC Fraud Now Claimed to be $26 Billion

The FBI has published upgraded figures from the Internet Crime Complaint Center (IC3) describing business email compromise (BEC) as a $26 billion scam. The figure is aggregated from 166,349 domestic and international victim complaints received by IC3 between June 2016 and July 2019 comprising a total loss of $26,201,775,589.

It is not entirely clear how this total was reached. A breakdown of various statistics obtained, says the announcement, "from multiple sources, including IC3 and international law enforcement complaint data and filings from financial institutions between October 2013 and July 2019", totals $19,575,725,966. Within these figures, just $11,188,650,257 is specifically related to BEC/EAC. The rest is more loosely titled as 'victim complaints'.

Further confusion comes from the figures stated in this year's 2018 Internet Crime Report from the IC3. It claims that BEC fraud accounted for $1.298 billion in 2018. If this figure is removed from the total figure now given for 2013 to 2019, then the average loss for the remaining years would be even higher, at more than $1.750 billion.

It seems likely that the $26 billion figure is aggregated from multiple types of email-based fraud, including varieties such as romance and lottery scams. Both of these frauds are mentioned in a separate simultaneous announcement from the DoJ titled, '281 Arrested Worldwide in Coordinated International Enforcement Operation Targeting Hundreds of Individuals in Business Email Compromise Schemes'. It seems, for whatever reason, the FBI has begun to put all email-based fraud under the overall title of 'BEC'.

There are strong arguments for law enforcement to treat such crimes together. A Unit 42 (Palo Alto's threat intelligence team) report in May 2019 noted that Nigerian criminals have evolved from email-delivered Nigerian Prince scams to sophisticated RAT-supported BEC. In June 2019, Agari suggested that in Nigeria there are no separate BEC gangs, romance scam gangs and agency fraud gangs -- it is just one social engineering gang.

The same criminals are engaged in multiple types of email scam, so it makes sense for law enforcement to treat them together. BEC may be the wrong heading since it stands out from most other scams. It only involves business, it generally involves direct payments (and therefore no mules), and doesn't normally require victim grooming.

Although the strict BEC scam has probably not increased to the extent suggested by the headlines, there is little doubt that it has increased, and is still increasing, dramatically. "The BEC/EAC scam continues to grow and evolve, targeting small, medium, and large business and personal transactions," states the FBI. "Between May 2018 and July 2019, there was a 100 percent increase in identified global exposed losses." The FBI suggests that the higher figures may partly be due to increased awareness of the scams, leading to more consistent reporting to IC3.

However, it is also driven by a noticeable criminal migration from malware to social engineering. Discussing the 2019 Verizon DBIR, Alex Pinto, head of Verizon security research, told SecurityWeek that the DBIR figures suggest 'a flight to ease'. "It's the game of security," he said. "We make something harder [with improved security], so the criminals switch to the next easiest thing that will keep their money flowing... why bother hacking companies when we can just email the CFO and get him to send us money?"

There is little doubt that BEC attacks are increasing simply because of the high rate of return over criminal effort. But it is equally likely that such attacks will increase in both number and quality through the use of emerging technology -- such as deepfake audio and video. Deepfakes can reproduce the voice, or the voice and video, of an individual with high accuracy and at little cost.

"Creating a deepfake video is already inexpensive using cloud services -- perhaps $100 to $500," ZeroFOX principal research engineer Matt Price told SecurityWeek. "And the vast majority of the code that you need is already open-sourced and fairly well-packaged." It is inevitable that criminals will use deepfakes in future BEC attacks -- and in fact it has already started.

It was reported this month that the CEO of an unnamed UK-based energy firm was persuaded by the apparent voice of the CEO of the German parent company to wire a little under $250,000 to a Hungarian bank account. If Price's costings are anywhere near accurate, then a return of $250,000 on a cost of $500 indicates a very high ROI for the criminals -- and as such, this type of attack will only increase.

Whatever share of the FBI's $26 billion figure is genuinely down to business email compromise, both social engineering scams in general and BEC scams in particular are set to grow. That overall figure will likely increase over the next few years.

Related: Scammers Grab $2.5 Million From North Carolina County in BEC Scam 

Related: Man Pleads Guilty Over $100M BEC Scheme Targeting Google, Facebook 

Related: New Variant of BEC Seeks to Divert Payroll Deposits 

Related: Preventing Business Email Compromise Requires a Human Touch

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.