Business email compromise (BEC) scams are squeezing more money than ever out of victims, and accounted for more than half of all losses from cyberattacks last year, according to the FBI 2019 Internet Crime Report released on Tuesday (Feb. 11).
An estimated $1.77 billion in losses were due to BEC cons, which are also known as EAC (Email Account Compromise) crimes. In 2018, BEC losses hit $1.2 billion. By comparison, in 2017 BEC losses totaled $675 million.
All told, the FBI received 467,361 internet and cybercrime complaints in 2019, with loss estimates in excess of $3.5 billion. The top three crime types reported by victims in 2019 were phishing/vishing/smishing/pharming, non-payment/non-delivery, and extortion.
BEC/EAC targets businesses performing wire transfer payments. Fraudsters use social engineering and other tactics to trick people into wiring money into the wrong bank accounts. In a common scenario, hackers either compromise or spoof an email account for a legitimate person or company. The scam typically instructs someone in the office to change a bank account for an employee’s salary or for some other type of payment.
These types of scams are growing in popularity because they're easy to execute and no advanced coding skills are needed.
Phishing/smishing/vishing scams accounted for $500 in losses per complaint, while ransomware averaged $4,400.
"In 2019, the IC3 [Internet Crime Complaint Center] observed an increase in the number of BEC/EAC complaints related to the diversion of payroll funds," the FBI said. "In this type of scheme, a company's human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period. The new direct deposit information generally routes to a pre-paid card account."
Armor and Emsisoft reported that in 2019, ransomware hit 113 state and municipal governments and agencies; 764 healthcare providers; and 89 universities, colleges and school districts, with operations at up to 1,233 individual schools potentially affected.
Numerous experts told ZDNet that BEC and ransomware attacks are expected to continue to rise in 2020.
Ransomware cyberattacks are up 41 percent over last year, with 205,280 enterprises having lost access to hacked files, according to data from Emsisoft. Companies paid an average of $84,116 in the last quarter of 2019 to get their files back from online thieves, according to data from security firm Coveware.