Corporate email attacks are now a multi-billion dollar industry

Business Email Compromise (BEC) attacks have become a €43 billion industry, the FBI has warned, urging businesses to be on their guard.

According to a recent report released by the Federal Bureau of Investigation (FBI), identified global losses due to business email scams increased by nearly two-thirds (65%) between July 2019 and December 2021.

The figures are based on incidents reported to the Internet Crime Complaint Center (IC3) and mean that BEC attacks are now more lucrative than the global tuna industry or the global used clothing industry.

Covid and crypto

The FBI attributes this growth in BEC scams in part to the Covid-19 pandemic and lockdown, further stating that during this time this type of fraud was reported in all 50 US states and 177 countries in total.

Further reinforcing the thesis that BEC is a global problem, the FBI found that 140 countries were receiving fraudulent transfers, with banks in Thailand and Hong Kong being the main international destinations for funds from stolen terminals, although Mexico, Singapore and China were also at the top of the list.

A total of €43.3 billion was lost between June 2016 and December 2021.

The FBI has also looked into the role cryptocurrencies play in the rise of BEC scams, suggesting that it widens the playing field for scammers.

IC3 tracked two iterations of cryptocurrency-targeted BEC scams: one in which the victim unknowingly sends funds directly to a cryptocurrency exchange, and another, called a "second hop transfer," in which the attackers create accounts on cryptocurrency exchanges using personally identifiable information stolen from victims of other types of attacks (extortion, tech support, romance). Only after the funds have been sent to this account do the scammers transfer them elsewhere.

Cryptocurrency-oriented BEC scams are also becoming more devastating. In 2019, less than €5 million in losses were reported. Last year it reached $40 million, and the FBI expects that number to rise even more in the future.

More often than not, attacks revolve around people being tricked into willingly sending funds, rather than around attackers deploying viruses on victims' devices.