FBI’S 2018 Internet Crime Report Shows Massive Increase in BEC Attack Losses

The Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) has released its 2018 Internet Crime Report which shows there was a dramatic rise in losses due to cybercrime in 2018.

In 2018, IC3 received 351,936 complaints involving more than $2.7 billion in losses. That represents an increase in losses of more than 92% compared to 2017. 2018 accounted for 36% of all losses from the past five years and complaints about cybercrime are now being received at a rate of around 900 per day.

Business Email Compromise (BEC) attacks are the leading cause of financial losses due to cybercrime and the problem is getting worse. BEC attacks involve the impersonation of an individual or company or use of a compromised email address. Scammer usually request the fraudulent transfer of funds or the disclosure of sensitive information such as W-2 forms. Losses to BEC attacks were almost twice as high as in 2017. In 2017, $675 million was lost to BEC scams. In 2018, the figure increased to $1.2 billion.

Email security solutions are getting better at blocking email spoofing, but they are not effective at blocking messages that have been sent from a compromised account within an organization. Access to the accounts of executives is usually gained through spear phishing attacks using social engineering techniques to obtain login credentials. The accounts are then used to send fraudulent wire transfer requests to the accounts department. The same tactics are used to gain access to the email accounts of vendors, lawyers, and other business contacts with the aim of obtaining large wire transfers.

There was also a notable rise in gift card BEC scams in 2018, where employees are requested to purchase and send gift cards rather than make wire transfers. The reason for the requests can be business related or personal. Employees often respond as the requests come from an authority figure within the organization.

The second biggest cause of losses were confidence fraud and romance scams, which resulted in losses of more than $362 million. The scammers build trust with an individual and then request the victim sends money as a loan or tricks them into disclosing their financial credentials. Investment fraud was in third place with losses of $252 million.

Tech support scams also increased considerably in 2018. Losses were 161% higher than 2017. In total, 14,408 complaints were received and $39 million was lost to the scams. Tech support scam victims are typically over the age of 60.

Payroll diversion was also a major cause of losses. Payroll departments are targeted using phishing emails and employees are instructed to change bank credentials so that salaries routed to criminals’ accounts. While only 100 complaints were received about payroll fraud, the losses were around $100 million.

In terms of volume of complaints, non-payment/non-delivery scams topped the list with 65,116 complaints, followed by extortion attempts with 51,146 complaints, and personal data breaches with 50,642 complaints.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news