When it comes to reports from the security industry, one of our yearly favorites is the IC3 Internet Crime Report, which covers all cybercrime reported to the FBI. Each year, the report provides breakdowns on the confirmed losses victims face across the globe. While the crimes are heavily focused in the United States, the FBI receives victim reports from across the globe, giving a non-biased, non-inflated periscope into confirmed losses from actual victims.
The best thing about the report is that it provides concrete data and evidence directly attributable to victim losses. In 2020, it confirmed the obvious for the fifth year in a row… business email compromise is still responsible for the most losses when compared to other forms of cybercrime. Let’s look at the figures.
As expected, business email compromise (BEC) is the number one cybercrime reported to the FBI, based on reported victim complaints. Coming in at a whopping $1.8 billion in confirmed losses, that’s 37% of all cybercrime losses, even with ransomware thrown in the mix. And before you even think about muttering “but ransomware cases are under-reported,” we should note that BEC scams can go on for months or even years before being detected.
Making it even worse, let’s not forget that BEC is not the only method of attack for these criminals. Instead, scammers are simultaneously running multiple other scams, including romance scams, advanced fee fraud, spoofing attacks, account takeovers, investment fraud, and non-delivery scams. BEC is simply one flavor of 419 scam, one that targets corporations and organizations over individuals.
By including the other crimes that BEC actors commit, IC3’s data starts to paint a very different picture. Not only are the top six crimes likely run by the same groups of scammers, but expanding the percentages out means that nearly 70% of all cybercrime losses stem from 419 and BEC scams. Put more simply, the people behind the Nigerian prince scams of the early 2000s have learned how to steal more money than other cyber actors, and the data proves it.
When we start to compare the data against previous years, the magnitude of the problem becomes even more clear. Business email compromise is causing the most damage, year after year, which becomes increasingly obvious when you combine the data from 2018-2020 and compare each type of crime.
When we look at the change in losses from 2018 to 2019 and from 2019 to 2020, it becomes even more obvious how widespread BEC has become. For the graph below, we determined the increase in each type of fraud over each of these two periods.
Circles near the right show an increase in fraud from the 2018 to 2019 IC3 report. Circles near the top show an increase in fraud from the 2019 to 2020 IC3 report. Thus, circles in the top right quadrant show an increase for both timeframes. While there are multiple overlapping data points, signifying little increase in losses year over year, it’s clear that BEC is the outlier in this instance.
From 2018 to 2019, BEC, spoofing, and confidence fraud/romance scams saw the highest change in losses when compared to other crimes. From 2019 to 2020, confidence fraud/romance scams saw the largest increase in losses, followed by investment scams, tech support scams and BEC. No matter how you cut the data, BEC takes the cake.
And finally, by graphing the losses as percentages, there’s a clear winner for the biggest piece of the cybercrime pie.
That is your so what. For five years in a row, BEC has been responsible for the most financial losses reported to the FBI. We have no reason to believe that 2021 will be any different, as scammers continue to innovate new ways to trick your employees into sending them money. Whether it’s an invoice to a fake vendor, a gift card to a fake employee, or a malicious link that results in an account being hacked, there is little reason to doubt that BEC will remain in the top spot in the coming year.
The question then becomes… what mitigations do you have in place to protect your organization against these obviously successful BEC attacks? If you’re still looking for the right solution, it’s likely only a matter of time before you’ll be reporting some losses to the FBI for the next IC3 report. If there’s anything we can say, it’s this: don’t delay in protecting your organization against BEC and other types of cybercrime. This massive problem isn’t going anywhere.
Learn how Agari can help protect your inboxes and prevent your employees from becoming the next BEC victim with Agari Phishing Defense.