Losses Due to BEC Attacks Reach $301 Million Per Month


The Treasury Department released statistics that show a continual increase in business email compromise (BEC) attacks over the last two years. The number of reported successful BEC attacks in 2018 is more than double the number in 2016. Losses in operations and breach responses as a result of these scams are soaring.

Business email compromise (BEC) is a form of attack that uses email impersonation. It usually entails the impersonation of a figure of authority, such as the CEO of the company. Targeted victims are usually sent spear phishing emails with a link to phishing websites or URLs that download malware capable of stealing email credentials.

The attacker then uses the compromised email account to send uniquely crafted emails to persons in the organization who are authorized to wire transfer payments, redirect payments, or alter payroll details. BEC scams have become more advanced, and cybercriminal gangs have invested a great deal in their activities because of the massive potential returns.

According to the Treasury Department Financial Crimes Enforcement Network report, businesses reported an average of 1,100 BEC scams per month in 2018. In 2016, the average was only 500 BEC attacks per month.

The number of BEC attacks more than doubled, while the losses due to BEC attacks nearly tripled. In 2016, BEC scams led to a loss of $110 million a month. In 2018, losses due to BEC attacks went up to $301 million per month on average.

The Treasury Department report gives a worse snapshot of BEC scams than the FBI’s numbers. In April, the FBI’s Internet Crime Report showed that BEC attack losses doubled from 2017 to 2018. Yearly losses to BEC scams, based on the reports submitted to its Internet Crime Complaint Center, were estimated at $1.2 billion. The Treasury Department report suggests that the total yearly losses due to BEC attacks were $3.6 billion, which is three times higher.

The report additionally shows how cybercriminals’ strategies are evolving. In 2016, most of the BEC attacks impersonated the CEO or a high-ranking boss like the CFO. In 2017, only 33% of the attacks impersonated the CEO or a boss. The figure was much smaller in 2018, when only 12% of the attacks impersonated the CEO.

In 2018, statistics show that 20% of BEC attacks impersonated an outside entity; 39% of attacks impersonated a business associate or vendor; and 41% of all fake transactions were associated with fake vendor invoices.

Transaction amounts are also going up. When impersonating vendors, the average transaction amount of attacks was $125,439. When impersonating the CEO, the average transaction amount was $50,373.

BEC attacks occur across different industry sectors, though attacks seem to focus on the construction and manufacturing sectors. One-fourth of all BEC attack reports came from companies in those industries. Attackers also target the real estate industry and healthcare organizations.