Unlucky #7: FBI Data Shows BEC Is the Top Cyber Threat for Seventh Year in a Row
It’s IC3 Report week! In what has become an annual holiday for anyone who is heavily involved in researching business email compromise (BEC) attacks, the FBI released its 2021 Internet Crime Report, which details trends in various types of cybercrime activity over the past year.
Why do BEC researchers love it? Because it’s one of the few reports that compares the overall impact of BEC to other types of threats that usually get more attention, like ransomware. And when you’re looking at the ever-growing cyber threat landscape, this report is invaluable to understanding how trends are moving, and what we can expect in the coming year.
Spoiler alert: BEC was the most financially-devastating cyber threat in 2021. Again!
BEC: Still the Biggest Threat the Public Doesn’t Talk About
For the seventh year in a row, BEC attacks were the leading cause of financial losses. Almost $2.4 billion was lost from BEC attacks last year—an increase of more than half a billion dollars (+28%) compared to 2020.
The impact of these losses is underscored by the fact that the figure is 65% higher than the second-most impactful crime type, investment fraud, which more than quadrupled from 2020 to 2021. That jump appears to be driven by cryptocurrency investment scams, with cybercriminals exploiting the growing popularity of digital currencies.
While that overall loss figure is staggering, one of the most notable statistics is that 35% of all cybercrime losses were attributed to BEC attacks in 2021. This really shows how much BEC activity drives the overall cybercrime threat landscape. In other words, one out of every three dollars lost to cyber attacks can be attributed to a business email compromise attack!
Even more interesting, we know that the threat actors responsible for most BEC attacks are the same actors behind other scams. Many of these cybercriminals are based in West Africa, and unfortunately for their victims, they aren’t just running BEC scams in a vacuum.
At the same time they’re launching BEC attacks, they may also be involved in other types of crime that paid out big money in 2021. Examples include romance scams ($956 million), real estate and rental scams ($350 million), non-payment and non-delivery scams ($337 million), advance fee fraud ($98 million), lottery and inheritance scams ($71 million), employment scams ($47 million), and overpayment scams ($33 million). Taken together with BEC, a broadly similar population of actors is responsible for at least $4.2 billion in overall losses, or 61% of all cybercrime losses.
To conclude the trifecta of badness the IC3 report gave us around BEC, the average amount lost per BEC attack also increased considerably last year, growing 25% from $97,000 per attack in 2020 to $120,000 in 2021. One of the main reasons is a class of BEC attacks we call financial supply chain compromise. These attacks include:
Vendor Email Compromise (VEC): A two-stage attack that first compromises the email account of an employee at a vendor or supplier, then uses intelligence from the compromised account to target a vendor’s customer in order to redirect funds from a legitimate payment to an illicit account.
Vendor Spoofing Attacks: An attack that impersonates a vendor (typically from a lookalike domain or a free webmail account) and requests payment of a supposedly overdue invoice to a new bank account.
Aging Report Attacks: An attack, usually impersonating a company executive, asking for a copy of a recent accounts receivable aging report, which lists the company’s customers along with their outstanding balances and contact details. Once the threat actor receives the report, they can use that information to run additional supply chain scams against those customers.
As we discussed in our recent H1 2022 Email Threat Report, the average amount requested in financial supply chain compromise attacks is $183,000, which is two to three times higher than in traditional executive impersonation BEC attacks that request a wire transfer to a fake “vendor.” The growing frequency of financial supply chain attacks, combined with their higher financial impact, is why we’re continuing to see a rise in the average loss per BEC incident.
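To make the three patterns above concrete for a defender, here is an added example of header-and-content triage for inbound invoice mail. It is illustrative code written for this page, not Abnormal Security’s product logic or any vendor’s API. The vendor domains, the executive list, the scoring weights and the four sample messages are all constructed for illustration; a real deployment would feed this from the vendor master file and the directory, and would treat it as one signal among several rather than a verdict.

```python
"""Heuristic triage for financial supply chain compromise emails.

Added example, not from the original page. Parses raw RFC 5322 messages and
flags: a known vendor asking to redirect payment (VEC), a lookalike vendor
domain (vendor spoofing), reply routing away from the sender, and an aging
report request from an executive's name on a non-corporate address.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical reference data the paying organisation would maintain.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind-parts.example"}
EXECUTIVES = {"jane doe": "jane.doe@victimco.example"}  # display name -> real mailbox

PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed)\s+(bank|banking|account|wire|remittance|routing)\b"
    r"|\b(bank|banking)\s+(details|information)\s+(has|have)\s+changed\b"
    r"|\bremit\s+(payment|funds)\s+to\b", re.I)
AGING_REPORT = re.compile(r"\b(aging|ageing|accounts\s+receivable)\s+report\b", re.I)
URGENCY = re.compile(r"\b(urgent|asap|immediately|today|before\s+end\s+of\s+day)\b", re.I)

# Constructed weights; tune against your own mail history.
WEIGHTS = {"vendor_payment_change": 2, "lookalike_vendor_domain": 3,
           "reply_to_mismatch": 2, "exec_impersonation_aging_report": 3, "urgency": 1}


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Plain Levenshtein distance; enough to catch dropped or swapped characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_VENDOR_DOMAINS):
    """Return the known vendor domain that `domain` imitates, or None."""
    for k in known:
        if domain != k and edit_distance(domain, k) <= 2:
            return k
    return None


def plain_text(msg):
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")


def triage(raw):
    """Return findings, a score and a hold decision for one raw message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    text = msg.get("Subject", "") + "\n" + plain_text(msg)
    findings = []

    # VEC: the sending account is a real vendor, so only the request is anomalous.
    if from_dom in KNOWN_VENDOR_DOMAINS and PAYMENT_CHANGE.search(text):
        findings.append("vendor_payment_change")
    # Vendor spoofing: a near miss of a domain we actually pay.
    if lookalike_of(from_dom):
        findings.append("lookalike_vendor_domain")
    # Replies to a payment-change thread routed somewhere other than the sender.
    if reply_dom and reply_dom != from_dom and PAYMENT_CHANGE.search(text):
        findings.append("reply_to_mismatch")
    # Aging report request under an executive's name from a non-corporate mailbox.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real and AGING_REPORT.search(text):
        findings.append("exec_impersonation_aging_report")
    if findings and URGENCY.search(text):
        findings.append("urgency")

    score = sum(WEIGHTS[f] for f in findings)
    return {"findings": findings, "score": score, "hold": score >= 2}


# Constructed sample messages (not real mail).
VEC_SAMPLE = """\
From: Bob Vendor <ap@acme-supplies.example>
To: payables@victimco.example
Subject: Invoice 4471 - updated banking details

Hi, our bank details have changed this quarter. Please remit payment to the
new account on the attached letterhead. This is urgent as the invoice is overdue.
"""
SPOOF_SAMPLE = """\
From: "Acme Supplies AP" <ap@acme-suplies.example>
Reply-To: acme.payables@webmail.example
To: payables@victimco.example
Subject: Overdue invoice 4471

Please remit payment to the new account below immediately to avoid a hold.
"""
AGING_SAMPLE = """\
From: Jane Doe <jane.doe.ceo@personal-mail.example>
To: controller@victimco.example
Subject: Quick request

Can you send me the latest aging report today? I need it for a call.
"""
BENIGN_SAMPLE = """\
From: Bob Vendor <ap@acme-supplies.example>
To: payables@victimco.example
Subject: Invoice 4472

Attached is invoice 4472 for last month's order. Terms remain net 30.
"""

if __name__ == "__main__":
    for name, raw in [("vec", VEC_SAMPLE), ("spoof", SPOOF_SAMPLE),
                      ("aging", AGING_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(name, triage(raw))
```

Note that the VEC sample carries no header anomaly at all: the sender really is the vendor, so the only available signals are the content of the request and a change from the vendor’s established behaviour. That is why the example scores a payment-change request from a known vendor on its own, and why any such hold should be resolved by calling the vendor on a number already on file rather than by replying to the thread.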
Ransomware: Barking Bigger Than Its Bite
A lot of attention was given to ransomware in 2021 as a result of some disruptive, high-profile attacks like the ones against Colonial Pipeline and JBS. So one of the biggest surprises in this year’s IC3 report was the relatively moderate increase in the overall financial impact of ransomware attacks over the last year.
The ransomware victim data we collected over the past two years showed that the number of victims doubled globally between 2020 and 2021, and the influence of cryptocurrency drove up the average ransom amounts. As a result, we were expecting the overall financial impact of ransomware to come in around $100 million for the year.
Data from the FBI, however, shows that losses linked to ransomware attacks were actually half of that. In 2021, just $49 million was lost as a result of ransomware attacks, putting it 18th on the list of most impactful attacks measured by IC3.
Granted, this figure only includes direct losses and doesn’t include the indirect impact of ransomware, such as remediation costs or lost revenue during an attack, but the same can be said for other enterprise-focused attacks measured by IC3. Business email compromise also carries post-incident remediation costs on top of the stolen funds. Even if indirect costs increased the financial impact of ransomware by a factor of 10, it would still be almost five times less impactful than BEC, which, using the base figures, causes more than 48 times the financial damage of ransomware.
Looking at the amount lost per attack shows the same picture. On average, a ransomware attack causes about $13,000 in direct damage. This is nine times less than the average loss in a BEC incident and behind other types of cybercrime activity like data breaches, romance scams, rental scams, and tech support scams.
So does this mean we don’t have to worry about ransomware anymore? Of course not. Based on our research, we know that ransomware attacks are impacting organizations all over the world, regardless of their size or industry. And when a ransomware attack is successful, as we’ve seen multiple times over the past year, it can have a devastating impact that can leave ripple effects throughout supply chains.
Preventing Cybercrime in 2022 and Beyond
The biggest takeaway from this year’s IC3 report is that, just as we’ve seen over the past six years, cybercriminals are consistently using less technically-sophisticated tactics to make money. While there’s a common perception that cyber attacks are generally technically savvy, the reality is that relatively basic social engineering attacks like business email compromise are the cause of most of the cybercrime losses businesses face every day.
The truth of the matter is that threat actors are turning away from high-volume, low-impact attacks like credential phishing toward more targeted, high-value attacks like business email compromise and supply chain fraud. Because these attacks are typically text-only, with no suspicious links or malicious attachments, they bypass traditional controls like secure email gateways, which key on URL reputation, attachment sandboxing and known-bad indicators. In the vendor email compromise case the message also comes from a genuine, authenticated mailbox, so SPF, DKIM and DMARC checks pass as well.
To better protect your organization from these attacks, particularly these high-value attacks that cost an average of $120,000+ per incident, you must invest in a new type of technology. Abnormal Security protects organizations worldwide from these attacks that matter most using behavioral data science to understand identity, context, and content. With this fundamentally-different approach to email security, you can ensure that your organization is protected from the full extent of attacks, including these high-value attacks that others miss.