Business Email Compromise (BEC) and Email Account Compromise (EAC) cost the victimized business over $1.8 billion, representing 44% of all reported business and consumer losses last year
The FBI’s Internet Crime Complaint Center (IC3) just published its annual Internet Crime Report, in which they detailed the attacks affecting organizations globally in 2020, as well as the financial losses associated with the reported complaints.
The report reveals that victims of cybercrime reported 791,790 complaints with a total loss of $4.2 billion for the year—an increase of more than 300,000 complaints (up 69.4%) and $700 million reported losses (up 20%) for 2019. Let’s take a look at the top takeaways from this year’s report
Business Email Compromise
While ransomware continues to dominate the cybercrime headlines, business email compromise (BEC)/ email account compromise (EAC) and phishing were among the leading threats. BEC was called out as one of the two “Hot Topics for 2020”. The financial losses attributed to BEC/EAC scams were 64 times more than ransomware, and these BEC/EAC scams comprised 44% of all losses in 2020. And yet, complaints filed regarding BEC/EAC attacks were not as many as one would expect— they only accounted for 2.4% of total complaints. The statistics from the report affirm a couple of things:
- Unlike general phishing threats, BEC/EAC scams are highly targeted
- While BEC/EAC threats are low volume, they represent huge dollar losses
The FBI warned the public that the BEC/EAC scheme has evolved— from spoofing or hacking the email accounts of C-levels, requesting wire payments to be sent to fraudulent locations, to compromising vendor emails and sending fraudulent requests for large amounts of gift cards.
This aligns with what Proofpoint has observed— attackers have turned supply chain and partner ecosystem into another threat vector to launch indirect attacks toward the target organization. Impersonated and compromised vendors are posing a significant risk to organizations, and most organizations lack visibility into which vendors pose risk. Furthermore, we also see more BEC/EAC variants, including gift card scams, payroll redirect, supplier invoicing fraud, M&A fraud, and shipment redirect. Among various types of scams, supplier fraud often accounts for the largest loss.
Fraudsters Exploit COVID-19
2020 was a year like no other due to the COVID-19 pandemic. The FBI Internet Crime (IC3) Report points out that fraudsters exploited the pandemic to target both businesses and individuals. Proofpoint has also observed the use of coronavirus themes in broad-scale social engineering attacks leading to BEC, credential phishing, malware, and spam email campaigns since the beginning of the pandemic. And over the last few months, Proofpoint researchers observed more attacks leveraging COVID-19 relief, vaccines and variant news. We anticipate attackers will continue to use the virus themes with current events throughout this healthcare crisis.
Phishing Remains a Top Threat
Nearly one-third of the reported complaints were phishing varieties. The number of complaints filed against this type of threat is more than doubled from 2019— 126,640 more complaints were reported. This is clear evidence that attackers are targeting people rather than the vulnerabilities of an organization’s infrastructure. Bad actors continue to prey on human nature, luring or threatening their targets to take desired actions for them.
Ransomware Continues to Rise
According to the FBI Internet Crime IC3 Report, the number of ransomware incidents continued to rise with 2,474 incidents reported and losses of over $29M in 2020. The report calls out email phishing campaigns as one of the most common means of ransomware infection. Interestingly, the report specifically highlights ransomware losses are “artificially low” because the number does not include estimates of lost business, time, wages, files, or equipment, etc. Also, the number does not represent direct reports to FBI field offices. Therefore, this implies that the true number of ransomware incidents and associated losses are much higher.
Among all cybercrimes reported in 2020, BEC/EAC leads the pack in terms of losses, while phishing/vishing/smishing/pharming dominates in the number of victims. Both types of threats are related to email and compromised cloud accounts, rely on social engineering, and most importantly target people.
To combat these human-activated threats, organizations need to take a people-centric security approach. Proofpoint can help you reduce your security risk with an integrated threat protection platform that stops email and cloud threats targeting your people, provides visibility into your people’s risk, and trains your users to be more resilient against today’s advanced threats. To learn more on how Proofpoint can help, please visit here.