BEC Attacks Account for More Than Half of All Losses to Cybercrime

Business email compromise attacks are the most financially damaging form of cybercrime, according to the 2019 Internet Crime Report from the FBI’s Internet Crime Complaint Center (IC3). In 2019, IC3 received 467,361 complaints about cybercrime and victims of those crimes reported losses of $3.5 billion. BEC attacks only accounted for 23,775 of those attacks (5.08%), yet they resulted in losses of $1.77 billion – 50.57% of all reported losses to cybercrime.

BEC attacks involve email impersonation of an individual or business, either through spoofing or an actual email account compromise. An email is sent requesting a wire transfer to pay an invoice or changes to payroll are requested. Less frequently, sensitive information such as W-2 (tax) forms is requested. BEC attacks range from simple to highly sophisticated and they can see hundreds of thousands of dollars or even millions sent to scammers. The attacks require little in the way of skill and they are easy to perform, which is a winning combination for cybercriminals.

The most common type of cyberattack is phishing. Phishing most commonly takes place via email, although it is becoming increasingly common for attacks to occur via SMS message (SMiShing), over the telephone (vishing), or via website redirects (pharming). Out of the 467,361 complaints received by IC3, 114,702 (24.54%) were phishing attacks. The third most common type of attack was non-payment/non-delivery scams, which were the subject of 61,832 complaints (13.23%).

Ransomware attacks increased in 2019 after a lull in 2018 and losses to the attacks similarly increased. While these attacks often make the headlines due to the damage caused, only 2,047 complaints about ransomware attacks were received by IC3. Losses to ransomware attacks in 2019 exceeded $8.9 million. Those figures may seem low considering the number of attacks that were reported by the media and 2019 saw ransom demands of hundreds of thousands of dollars issued per attack, but not every company pays, many do not report ransomware attacks to IC3 and, according to IC3, the reported losses “does not include estimates of lost business, time, wages, files, or equipment, or any third party remediation services acquired by a victim.” Also, many attacks are reported to IC3, but losses are not disclosed.

IC3 encourages victims of cybercrime to report incidents, as the reports play a vital role in the FBI’s ability to understand and investigate cybercrime, recover stolen funds, and bring the perpetrators to justice. Out of the 1,307 incidents that were referred to IC3’s Recovery Asset Team in 2019, losses of $384,237,651 were reported and $304,930,696 was recovered – a recovery rate of 79%.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of