
FBI: Business email compromise tops $676 million in losses

Verizon's Data Breach Investigations Report indicates an increase in ransomware while the FBI's Internet Crime Report shows a downward trend, with business email compromise on the rise.

Business email compromise continues to outpace ransomware, according to the criminal complaints detailed in the FBI's Internet Crime Report, released earlier this month.

The FBI's "2017 Internet Crime Report" compiled 301,580 internet-related criminal offenses with reported losses of more than $1.4 billion, based on information provided last year to the bureau's Internet Crime Complaint Center (IC3). Established in May 2000, the IC3 enables victims to use an online reporting mechanism to document complaints regarding internet-related criminal activities. The FBI estimates, however, that only 15% of victims report cyber fraud to law enforcement.

In 2017, business email compromise and email account compromise represented the highest reported losses at more than $676 million, with 15,690 victims; BEC/EAC ranked 10th in terms of the number of crimes reported. Confidence and romance fraud ($211 million) and nonpayment or nondelivery of goods and services ($141 million) rounded out the top three in terms of losses. Corporate data breach was ranked seventh, with losses of more than $60 million.

While criminal complaints of BEC increased in 2017 from the previous year, ransomware attacks reported to the FBI dropped, despite the global outcry over damaging attacks from NotPetya, WannaCry, Locky and other malware. The FBI received 12,005 BEC and EAC complaints in 2016, representing losses of more than $360 million.

Ransomware accounted for only $2.3 million in losses in 2017, based on 1,783 victims -- business and individual -- who reported these crimes to the FBI.

More victims of ransomware attacks reported the incidents in 2016, with 2,673 complaints for losses of more than $2.4 million.

The downward trend in recent ransomware attacks does not mirror the findings reported in Verizon's "2018 Data Breach Investigations Report," published in April. The DBIR, which is based on data collected from organizations in 65 countries (53,000 incidents and 2,216 breaches), indicated that ransomware had doubled to 700 incidents in 2017, with more attacks encrypting file servers and databases. The shift toward business-critical systems resulted in higher ransom demands, according to researchers. Ransomware represented 39% of reported malware-related data breaches.

"Within organizations, we did see a substantial rise in ransomware; it doubled year over year again," said Gabriel Bassett, senior information security data scientist and co-author of the Verizon DBIR, who noted that the scope of Verizon's methodology was focused on confirmed incidents and breaches. "Technically for us, ransomware doesn't count as a breach, so if you look at the numbers in the report, it counts as an incident," he added.

Transfer of funds

The computer intrusion techniques used in business email compromise and email account compromise -- which target individuals who can authorize wire transfers -- became so similar in 2017 that the FBI announced it had started to track business email compromise and email account compromise as a "single crime type."

BEC/EAC is a social engineering scam targeting employees in businesses large and small; its goal is to trick victims into wiring payments to fraudulent bank accounts, often in Asia. Since 2013, according to the FBI, tactics have evolved from email spoofing of CEOs and CFOs, to compromising email accounts to obtain vendor contact lists, to urgent email requests from "lawyers" or "law firms" demanding time-sensitive payments.

In 2016, business email compromise moved beyond wire transfer, according to the FBI, and targeted victims who could provide employees' personally identifiable information and W-2 information. Verizon's data pointed to an uptick in these types of attacks in 2017, indicating that bad actors were using a combination of social engineering and pretexting to target individuals in financial and human resources departments.

More BEC/EAC scams targeting participants in real estate transactions were reported to IC3 in 2017. The FBI issued a public service announcement (I-050417-PSA) in May 2017, calling business email compromise a "$5 billion-dollar scam" worldwide.

"There is a lot to know in cybersecurity and we each have different data sets available," said Bassett, who advised security teams to study the methodologies of different reports to find what information applies to their organizations. Verizon has several federal partners that contribute to the DBIR, but the FBI is not one of them.

"The best data is your own data," Bassett said. "But barring all that, data that represents the context of your organization is going to be the best, and for us that means sharing data about individual industries and patterns as they apply to industries ... but it should not be taken to imply in any way that we are defining everything; there is lots of good information out there."
