FBI says $26B lost to business email compromise over last 3 years

On the same day that 281 suspects were arrested in business email compromise stings, the FBI said worldwide losses from BEC attacks reached $26 billion over the last three years.

Business email compromise has cost a staggering amount of money for enterprises, according to the FBI.

The bureau posted a public service announcement Tuesday that showed business email compromise (BEC) attacks have cost organizations worldwide more than $26 billion between June 2016 and July of this year. The three-year total is based on actual victim complaints reported to the FBI's Internet Crime Complaint Center (IC3). Earlier this year, the IC3's 2018 Internet Crime Report highlighted business email compromise as an evolving threat that accounted for a growing number of cybercrime-related losses for enterprises.

"The scam is frequently carried out when a subject compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds," the FBI wrote in its alert.

The FBI also said it tracked a 100% increase in global losses from business email compromise attacks between May 2018 and July of this year. The bureau said the increase was partially due to a greater awareness of the threat, which the FBI said "encourages reporting to the IC3 and international and financial partners."

Losses from business email compromise attacks have alarmed some in the cyber insurance market. Jeffrey Smith, managing partner at Cyber Risk Underwriters, said during a Black Hat 2019 session that the two most common cyber insurance claims his company saw were for ransomware and wire transfer fraud related to email attacks.

"Ransomware isn't too surprising, but the wire transfer fraud claims we're seeing are trending in a bad direction," Smith said. "If you're sending a wire [transfer], just pick up the phone and call the person who's getting it."

In July, insurance giant American International Group (AIG) Inc. reported that business email compromise attacks had become the leading cause of cyber insurance claims, surpassing ransomware. According to AIG's report, business email compromise accounted for nearly a quarter of all reported cyber incidents in 2018 for the EMEA region.

The FBI alert recommended that employees enable two-factor authentication to protect against threat actors looking to assume control of email accounts. The alert also recommended employees "ensure the URL in emails is associated with the business it claims to be from," though this step wouldn't necessarily prevent business email compromise attacks where attackers have gained control of legitimate email accounts within an organization.

Law enforcement takedowns

Shortly after the FBI alert was issued, the U.S. Department of Justice (DOJ) announced that 281 individuals had been arrested in "Operation reWired," a global law enforcement effort to take down business email compromise campaigns.

Operation reWired was conducted over a four-month period and resulted in seizures of nearly $3.7 million in assets. Arrests were made in the U.S., Nigeria, France, Italy, Japan, Turkey, the U.K. and other countries, with 74 arrests made in the U.S. and 167 arrests in Nigeria; the Justice Department said foreign individuals who conduct business email compromise scams "are often members of transnational criminal organizations, which originated in Nigeria but have spread throughout the world."

The DOJ didn't say what the total losses were for the business email compromise scams disrupted by Operation reWired, but it did note that suspects were involved in a range of attacks, including "lottery scams" -- where threat actors convince victims to pay phony fees or taxes in order to receive lottery payouts -- and "romance scams" -- where fake online personas trick victims into making fraudulent transfers or transactions.

"Through Operation reWired, we're sending a clear message to the criminals who orchestrate these BEC schemes: We'll keep coming after you, no matter where you are," said FBI Director Christopher Wray in a statement. "And to the public, we'll keep doing whatever we can to protect you. Reporting incidents of BEC and other internet-enabled crimes to the IC3 brings us one step closer to the perpetrators."
