$1.77 Billion in Losses Due to Business Email Compromise Attacks

The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) has just released its 2019 Internet Crime Report. It shows that cybercrime losses in 2019 exceeded $3.5 billion. IC3 received 467,361 internet and cybercrime complaints, or about 1,300 per day.

Over half of the losses were caused by business email compromise (BEC) attacks, also called email account compromise (EAC). These attacks involve impersonating a reputable individual or company to obtain funds through email.

These sophisticated scams frequently begin with a phishing attack on an officer to obtain email account credentials. The attacker then uses the email account to send a message requesting a wire transfer from a person in the organization with access to the firm’s bank accounts. At times, the attacker skips the account compromise and simply spoofs a person’s email account.

Although BEC attacks generally involve wire transfer requests, attacks on human resources and payroll departments that redirect employee payroll funds to the attacker’s pre-paid card accounts increased in 2019. The potential income from such an attack is lower than from a wire transfer request, but changes to payroll are less likely to be blocked, so the attacks have a greater likelihood of success.

BEC/EAC attacks are popular with cybercriminals because they require little skill, are simple to carry out, and the potential profits from a successful attack are substantial. Typical wire transfer payments are in the tens or hundreds of thousands of dollars. Of the 467,361 complaints received, BEC/EAC attacks accounted for only 6.47% (23,775), yet the losses due to those attacks were $1.77 billion. These are considered the most financially damaging type of cyberattack, with an average loss of $75,000 in 2019.

BEC attacks may account for the largest losses, but phishing attacks are far more numerous. In 2019, 114,702 phishing attacks were reported to IC3. Phishing attacks – which include vishing (voice), pharming (website redirects) and smishing (SMS) – resulted in $57,836,379 in losses, with an average loss of $504. Email remains the most prevalent form of phishing, but SMS- and voice-based phishing attacks have gone up.

Ransomware attacks were in the headlines throughout 2019, with many reported attacks on corporations, government agencies, healthcare organizations, cities, and municipalities. Several of those attacks involved ransom demands of more than $500,000. In spite of this, the reported losses due to those attacks were fairly small: just $8,965,847 in ransom payments for 2,047 attacks, an average of $4,400. In 2018, IC3 statistics indicated a drop in ransomware attacks and an increase in losses. In 2019, the number of ransomware attacks went up by more than 37%, while losses increased by 147.5%.

Note that the actual losses from ransomware attacks are substantially greater, as the IC3 statistics do not count downtime, remediation costs, and lost business. Also, many victims of ransomware attacks quietly pay the ransom and do not report the attacks to IC3.

In the report, IC3 stressed the significance of reporting cyberattacks and how quick reporting can help law enforcement stop fraudulent transactions and track the perpetrators of an attack.

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA