The FBI has just released its Internet Crime Complaint Center (IC3) 2020 Internet Crime Report. Some of the statistics from this report may shock you. For starters, did you know that the IC3 received 791,790 complaints of suspected internet crime—an increase of more than 300,000 complaints from 2019—and reported losses exceeding $4.2 billion?
While these stats on their own are shocking enough, it seems the biggest threat to businesses wasn’t from ransomware, but from Business Email Compromise (BEC). Graham Cluley examines this more closely in his blog. While losses from ransomware totaled $29 million, BEC cost businesses a whopping $1.8 billion. Of course, there are concerns that some of the costs of ransomware are underreported. Indeed, IC3 has added this footnote to its report: “Regarding ransomware adjusted losses, this number does not include estimates of lost business, time, wages, files, or equipment, or any third-party remediation services acquired by a victim. In some cases, victims do not report any loss amount to the FBI, thereby creating an artificially low overall ransomware loss rate. Lastly, the number only represents what victims report to the FBI via the IC3 and does not account for victim direct reporting to FBI field offices/agents.”
So, what is Business Email Compromise? The FBI defines it as “a scam targeting businesses (not individuals) working with foreign suppliers and/or businesses regularly performing wire transfer payments. These sophisticated scams are carried out by fraudsters compromising email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfer of funds.”
BEC scams have evolved since 2013, when these attacks typically spoofed the email accounts of chief executive officers or chief financial officers and requested wire payments. The scams have since evolved to compromise personal email accounts and vendor email accounts. In 2020, the IC3 saw more BEC complaints detailing identity theft and funds being converted into cryptocurrency. Once the funds have been converted to cryptocurrency, they are impossible to trace and recover.
What should your business do to protect itself from BEC? For starters, staff training on how to recognize and respond to BEC attacks is key. As for technology-based solutions, Domain-based Message Authentication, Reporting and Conformance (DMARC) is one of the most effective mechanisms for combating BEC scams and phishing attacks. DMARC is designed to give email domain owners the ability to protect their domain from unauthorized use. It also produces aggregate and forensic reports that are useful for monitoring email traffic and identifying potential security risks.
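The aggregate reports mentioned above are XML documents that receiving mail providers send back to the domain owner. The following added example (not code from the Uzado post or the FBI report) parses a constructed report in the RFC 7489 aggregate-report format and lists the sending IPs whose mail for the domain fails DMARC; the domain, IP addresses and counts are assumed sample values.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report (assumed values, not a real report):
# one source that passes aligned DKIM/SPF and one that fails both.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_id>example-receiver</org_id><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def summarize_dmarc_report(xml_text):
    """Return {source_ip: {"count": n, "dmarc_pass": bool, "disposition": str}}.

    DMARC passes when either aligned DKIM or aligned SPF passes. The receiver
    has already applied alignment in <policy_evaluated>, so only that element
    is read. Several records for one IP are merged; the IP is marked failing
    if any of its records failed.
    """
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"count": 0, "dmarc_pass": True, "disposition": "none"})
    for record in root.iter("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        entry = summary[row.findtext("source_ip")]
        entry["count"] += int(row.findtext("count"))
        passed = evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass"
        entry["dmarc_pass"] = entry["dmarc_pass"] and passed
        entry["disposition"] = evaluated.findtext("disposition")
    return dict(summary)


def failing_sources(summary):
    """IPs sending as the domain but failing DMARC: either spoofing or a
    legitimate sender missing from SPF/DKIM, which is what the report is for."""
    return sorted(ip for ip, e in summary.items() if not e["dmarc_pass"])


if __name__ == "__main__":
    report = summarize_dmarc_report(SAMPLE_REPORT)
    for ip, entry in report.items():
        print(ip, entry)
    print("failing DMARC:", failing_sources(report))
```

Run against real reports, the failing list is the review queue: a legitimate third-party sender that appears there needs to be added to SPF or signed with DKIM, while anything else is unauthorized use of the domain.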
If you suspect you may be a victim of BEC, contact your financial institution and authorities right away. The sooner you act, the greater chance there is to recover your funds. In addition, you should contact an MSSP to help investigate the BEC and to help you put in safeguards to prevent it from happening again. Contact Uzado to find out how we can help.