Business Email Compromise Attacks Cost $310 Million a Month in 2018

New figures have been released by the U.S. Financial Crimes Enforcement Network (FinCEN) on 2018 Business Email Compromise attacks. The latest FinCEN report highlighted the pervasiveness of the threat and potential for the attacks to result in serious financial harm.

Business Email Compromise (BEC) attacks are concerned with gaining access to a business email account and using that account to send messages to other individuals in an organization and business contacts. While compromised email accounts can be used for a variety of purposes, with BEC the primary goal is usually to convince an employee to make a fraudulent wire transfer or send sensitive information such as employee W-2 Forms.

Social engineering techniques are used to obtain the credentials of a high-level executive and convince an employee to make a fraudulent transfer. While at face value these scams are simplistic – they involve sending an email that requests a bank transfer be made – the scams are often highly sophisticated.

More than $300 Million a Month Was Lost to 2018 Business Email Compromise Attacks

The FinCEN report shows why these attacks are worth the effort. The average fraudulent transaction value in 2018 was $125,439 and $310 million per month was lost to BEC scams in 2018.

FinCEN received approximately 1,100 suspicious activity reports in 2018 that were attributed to BEC scams. It should be taken into consideration that many businesses are not obliged to report security breaches such as BEC scams, so the total losses will be considerably higher.

BEC attacks are also being conducted far more frequently and losses to the scams have skyrocketed. The 2016 FinCEN report indicates at least $110 million was lost to BEC scams. Losses to BEC scams have increased by 172% increase in just two years.

There has been a marked change in BEC scam tactics over the last two years, which has helped to increase the dollar amount of each fraudulent transaction.

As previously mentioned, the scams involve compromising an email account, which was commonly the email account of the CEO or CFO. The email accounts were used to send wire transfer requests and the average transaction value was $50,272. The 2018 figures show that there has been a shift from attacks that impersonate the CEO to attacks impersonating contractors and other vendors.

If a vendor’s email account is compromised, fake invoices can be sent to all companies that the vendor works for. Further, the typical amount of a vendor invoice is substantially higher than the transfer amounts typically requested by CEOs.

FinCEN’s figures show the average fake invoice transaction value was $125,439 for fake invoices from contractors, which is $75,167 more than the typical CEO email request.

FinCEN’s 2017 figures indicate 33% of BEC attacks involved impersonation of the CEO, but the percentage had fallen to just 12% in 2018. 39% of all BEC attacks in 2018 involved the impersonation of an outside entity such as a business associate, contractor, or vendor.

How to Improve Defenses Against BEC Attacks

With attacks increasing and losses spiraling, businesses need to take steps to reduce risk by improving email security and providing further training to employees. Employees should be made aware of the risk of BEC attacks, told about the latest threats, and should be taught how to identify a scam email. Policies should also be developed and implemented which require verification of all emailed transfer requests and bank account changes.

Training and policies will help to create a strong last line of defense, but the primary goal should be blocking the scam emails at the email gateway to ensure end users are not tested. That requires a powerful anti-spam and anti-phishing solution such as SpamTitan. SpamTitan blocks more than 99.97% of all spam and malicious emails to keep business inboxes threat free.

For further information on SpamTitan and other cybersecurity protections to reduce the risk of phishing and BEC attacks, contact TitanHQ today.