Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

FBI: BEC Scams Accounted for 50% of the Reported 2019 Cyber Losses

February 19, 2020

A February 11 post by ZDNet reports that the FBI received 467,361 internet and cyber-crime complaints in 2019, which the agency estimates caused losses of more than $3.5 billion, as the bureau wrote in its yearly internet crime report.

The FBI said that almost half of the reported losses — an estimated $1.77 billion — came from reports of BEC (Business Email Compromise), also known as EAC (Email Account Compromise) crimes.

BEC/EAC is a sophisticated scam targeting businesses and individuals performing wire transfer payments.

A typical BEC scam happens after hackers either compromise or spoof an email account belonging to a legitimate person or company. They use this email account to send fake invoices or business contracts. These are sent to employees in the same company, or to upstream/downstream business partners. The idea is to trick counterparts into wiring money into the wrong bank accounts.

BEC scams are popular because they're simple to execute and don't require advanced coding skills or complex malware.

According to the FBI's 2019 Internet Crime Report, BEC scams were, by a considerable margin, the most damaging and effective type of cyber-crime in 2019. The 23,775 BEC victims accounted for $1.77 billion in losses, which is on average $75,000 per complaint.

"In 2019, the IC3 observed an increase in the number of BEC/EAC complaints related to the diversion of payroll funds," the FBI said. "In this type of scheme, a company's human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period. The new direct deposit information generally routes to a pre-paid card account."

Another point of interest in the FBI's internet crime report for 2019 was ransomware. Last year, we saw a decrease in the number of complaints and a rise in the amount of losses caused by ransomware incidents.

This year, losses continued to increase, but the number of ransomware incidents spiked right back up. All in all, the report's findings are surprising.

According to reports from Armor and Emsisoft, ransomware crews targeted US entities last year. Emsisoft reported that in 2019 ransomware hit:

  • 113 state and municipal governments and agencies.
  • 764 healthcare providers.
  • 89 universities, colleges and school districts, with operations at up to 1,233 individual schools potentially

2018 was a down year for ransomware gangs, as there was a general shift in tactics from mass-email distribution to individual attacks aimed at very few, but very high-profile, targets. And the ransoms were higher.

No one is expecting any diminution in these crimes in 2019!

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson