Business email compromise (BEC) attacks cost organizations an estimated $1.77 billion in losses in 2019, reports the FBI, which received a total of 23,775 complaints related to this threat.
The FBI's Internet Crime Complaint Center (IC3) this week released its "2019 Internet Crime Report," which digs into cybercrime trends throughout the year. In 2019 the IC3 received 467,361 complaints, which cost organizations $3.5 billion overall – up from $2.7 billion in 2018.
The most frequently reported complaints relate to phishing and similar attacks, non-payment/non-delivery scams, and extortion, officials say. But the most expensive complaints are related to BEC, romance or confidence fraud, or copying the account of a person or vendor to collect personal or financial data about a victim familiar with them, according to the report.
BEC attacks, also known as email account compromise (EAC), are constantly evolving as adversaries become more sophisticated. Back in 2013, scams often started with the spoofing of a CEO's or CFO's email account. Fraudsters sent emails appearing to come from these execs to convince employees to send wire transfers to fake accounts.
Since then, BEC has evolved to include the compromise of personal and vendor emails, spoofed lawyer email accounts, and requests for W-2 data. Attackers often target the real-estate sector and/or make requests for expensive gift cards. In 2019 IC3 saw an increase in BEC complaints related to the diversion of payroll sums: Attackers send a fake email to a human resources or payroll department requesting an update to a specific employee's direct deposit information.
Gift card attacks are especially popular toward year's end. In the fourth quarter of 2019, they made up 62% of all BEC attacks, Agari researchers point out in its Q1 2020 "Email Fraud and Identity Deception Trends" report, published today. The weeks leading up to the holidays are prime for gift card fraud because attackers can target any department, not just HR or payroll. In the last three months of 2019, gift cards requested in BEC scams averaged more than $1,600, according to AGari.
"The attackers are looking for new sources of revenue from people," says Erich Kron, security awareness analyst at KnowBe4. "For example, instead of just going after wire transfers, something that people are becoming aware of, they have changed to redirecting paychecks to different accounts or getting people to purchase a large number of gift cards, then having them send the card numbers and information under the guise of an executive rewarding employees or thanking vendors."
Kron also points to a rise in hybrid attacks in which a victim receives an email making a request and simultaneously receives a text message from a spoofed number designed to seem like the same person, saying they sent an email. It's a highly targeted but effective technique, he says, and it's less commonly known than wire transfers. Victims trust the second request source.
Agari also noticed a rise in impersonation attacks. Phishing and BEC attacks impersonating specific people reached 32% between October and December 2019, up from 12% in the second quarter. Now these threats are around the same level as brand impersonation (36%).
Other Forms of Cybercrime to Watch
The IC3 reports cases of "elder fraud," or financial schemes that target or disproportionately affect people over 60, are increasingly common. They may be the victims of investment fraud, romance scams, tech support scams, or government impersonation fraud. In 2019 the IC3 received 68,013 complaints from elderly victims, with adjusted losses exceeding $835 million.
Tech support scams, in which a criminal poses as a technical pro to defraud victims, are a growing problem on their own. The IC3 received 13,633 complaints related to tech support fraud in 2019 from victims across 48 countries, with losses amounting to more than $54 million.
Then there is ransomware, another type of cyberattack undergoing evolution as attackers grow increasingly sophisticated. In 2019 the IC3 received 2,047 complaints identified as ransomware, with adjusted losses of more than $8.9 million. It urges victims to not pay ransom to attackers.
A variety of new techniques are helping attackers bypass security tools and launch successful ransomware campaigns, says Tal Zamir, founder and CTO at Hysolate. They target non-email applications like Slack, WhatsApp, and Teams, as well as existing vulnerabilities in antivirus products. Attackers are also known to build fileless malware designed to slip past endpoint security agents. User devices have a huge code base for attackers to target, including the operating system code and middleware.
"Losses will continue to increase as ransomware becomes more sophisticated and can cause greater harm," says Zamir. "If in the past ransomware was limited to encrypting local files and demanding a ransom for decrypting, next-generation ransomware might automatically leak some of the data to show the potential damage or even go further and encrypt or leak data in cloud systems that aren't available locally on the endpoint."
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "From 1s & 0s to Wobbly Lines: The Radio Frequency (RF) Security Starter Guide"