BEC Scams Cost US Firms $300m Each Month
Business Email Compromise (BEC) scams have rocketed in volume and value over the past two years, making cyber-criminals over $300m each month in 2018 from US victims alone, according to new data.
The findings were revealed by the Financial Crimes Enforcement Network (FinCEN), a bureau of the US Department of the Treasury.
They note that the number of BEC reports has climbed rapidly, from around 500 per month in 2016 to more than 1100 last year. The total value of related BEC thefts has also soared over the same period, from around $110m per month to an average of $301m.
Manufacturing and construction was the most targeted sector in 2017 and 2018, accounting for around a fifth and a quarter of reports in those years, respectively.
In 2018, this sector was followed by “commercial services” – which includes shopping centers, entertainment facilities, and lodging – and then real estate.
The former saw reported BEC attacks increase more than any other vertical, tripling from 6% in 2017 to 18% last year.
Interestingly, the vast majority (73%) of BEC attacks seen over the period involved scammers receiving funds into US accounts, rather than ones overseas, taking advantage of money mule networks nationwide, FinCEN claimed.
“Industries that are common in a particular state likely represent the most targeted companies in that state,” it added. “For example, financial firms are the most frequently targeted firms in New York, while manufacturing and construction firms are the most frequently targeted in Texas.”
In terms of attack methodology, CEO impersonation ranked pretty high in 2017, accounting for a third (33%) of scams, but declined to 12% in 2018. On the other hand, use of fraudulent vendor or client invoices grew from 30% to 39% over the period. Impersonation of an outside entity was 20% in 2018 but not documented in 2017.
The FBI warned earlier this year that BEC losses hit $1.3bn in 2018, almost half of all losses associated with cybercrime in the year. These were linked to just 20,000 victims, highlighting the potential high ROI for the scammers.
The figure works out much lower than the cost of BEC calculated by FinCEN, but this could be down to under-reporting.
Source: Information Security Magazine