Email Security Blog

Damages from Business Email Compromise (BEC) Top the 2019 FBI IC3 List

Ronnie Tokazowski February 19, 2020 BEC, Business Email Compromise

Business Email Compromise (BEC) was solely responsible for over 40% of the total cybercrime losses in 2019, at least according to the latest FBI IC3 report.

The FBI’s Internet Crime Complaint Center (IC3) has released its latest Internet Crime Report with data on cybercrime impact in 2019. Corporate data breaches, which lead to leaked databases, documents, and bad press coverage for the company, are some of the scariest times an organization can face. While this can be embarrassing, data breaches aren’t causing the most damage, as they rank at #24 by victim count. When we look at the confirmed losses reported to the FBI, what’s really causing the most damage to organizations?

Two other threats, malware / scareware and ransomware rank #22 and #23 on our list of confirmed victims. By volume, attacks involving spoofing and BEC come in at #5 and #6 on the list, with BEC having 13 times more victims than reported corporate data breaches.

Looking at the metrics, is some super sophisticated APT from China or North Korea causing the most damage, or is a “simpler” threat causing more of a problem? With all the hype around the technological sophistication of cybercriminals, you might be surprised that crimes committed by BEC actors are responsible for over 70% of ALL cyber crime reported to IC3. And that’s just the tip of the iceberg.

Many security vendors tout their solutions as a way to mitigate malware, scareware, viruses, and ransomware, all trying to prevent corporate data breaches. Accepting all vendor claims and assuming that the volume is somewhat representative of the attacks that happen, you would have successfully mitigated 26% of the attacks against your organization by acquiring these solutions.

Looking at the actual losses tied to cyber incidents paints a much worse picture. Corporate data breaches move up the list to #17, with BEC ranking in as the #1 threat by reported losses, causing over 33x the financial damages of corporate data breaches. Let that sink in for a while.

Incident responders typically use the cost per incident as a rationale for focusing on malware attacks and data breaches; however, that calculation is becoming quite dated, based on the actual data of confirmed victim losses. The average cost per BEC incident is $74,723.44, with the average cost of each corporate data breach being $29,748.34. Sure, maybe not all corporate data breaches make the news, but likewise a lot of BEC attacks don’t, either. And, while we’re at it, the average romance scam victim loses an average of $24,393.47 per incident, who are frequently recruited as money mules for BEC actors.

By graphing the confirmed losses, we can start to see where our efforts should be focused in order to protect our organizations against the ever-changing threat landscape.

Based on our research into BEC gangs such as Scattered Canary, we know that BEC overlaps with other types of cyber crime, including romance scams, investment fraud, check fraud, and real estate scams, just to name a few. By highlighting the other crimes typically committed by BEC actors, it really starts to put into perspective where the most significant problems actually exist.

By comparing fraud committed by BEC actors to corporate data breaches and malware, it becomes clear that focusing on BEC and other spoofing attacks makes the most sense, because this actually represents a much higher loss — about 64 times as much!

Look, I’m not saying that we have to completely do away with hunting APT threats because they’re still just that…threats. But when BEC related crimes account for over 64x the actual damages of corporate data breaches, maybe it’s time for your CISO to say “Oh hey, maybe we should implement DMARC.”

Back to the basics checklist:

  • Is DMARC enabled and configured correctly?
  • Are you regularly patching systems?
  • Do you have systems in place to detect phishing and BEC?
  • Are you performing regular employee phishing simulation and training?
  • Is the SOC team equipped with tools to rapidly remediate threats that activate post-delivery?
  • Have business and especially payment processes been hardened against fraud?
  • Have HR and payroll processes been hardened against W2 and payroll diversion?
  • Have processes for handling sensitive and confidential information been hardened against fraud?
  • Is 2FA enabled for corporate accounts to prevent ATO attacks?
  • If there is a breach, is logging on the endpoints enabled?

If you can answer yes to all of the above, you’ve potentially addressed the 80% problem now leaving you free to focus on the remaining 20%.

Leave a Reply

Your email will not be published. All fields are required.

Agari Blog Image

July 7, 2020 Crane Hassold

Cosmic Lynx: A Russian Threat Hits the BEC Scene

“At some point, Russian and Eastern European cybercriminals are going to start thinking to themselves,…

Agari Blog Image

June 30, 2020 Michael Paiko

Agari Summer '20 Release: CISOs Gain Unique Threat Intel to Their Organizations

With business email compromise (BEC) scams up sharply amid the coronavirus pandemic, CISOs have been…

Agari Blog Image

June 22, 2020 Michael Paiko

Forrester: Agari Phishing Defense™ Works a 97% ROI Over Three Years

A new Total Economic Impact (TEI) Study from Forrester finds that Agari Phishing Defense™ (APD)…

Agari Blog Image

May 29, 2020 Ronnie Tokazowski

Business Email Compromise (BEC): W2 Scams Make an Unexpected Comeback in 2020

After barely registering a pulse last year, W2-based business email compromise (BEC) scams are back…

Agari Blog Image

May 19, 2020 Crane Hassold

Scattered Canary Cybercrime Ring Exploits the COVID-19 Pandemic with Fraudulent Unemployment and CARES Act Claims

Recently, news broke about how a sophisticated Nigerian cybercriminal organization has been committing mass unemployment…

mobile image