New FBI Data Shows Business Email Compromise as Your $51 Billion Threat

The FBI Internet Crime Complaint Center (IC3) recently released an updated Public Service Announcement, identifying nearly $51 billion in exposed losses due to business email compromise, or BEC. That’s a hefty price tag that businesses can’t afford to ignore.

This new announcement from June 2023 is an update from the previous estimation of $43 billion, which was announced in May 2022. And that was an update from an announcement in September 2019, which estimated $26 billion in exposed losses since the FBI started tracking BEC in October 2013. While these numbers show exposed losses, defined as actual and attempted losses, BEC attacks have resulted in billions in actual losses as well—including $2.7 billion in 2022 alone. That number was a 47% increase since 2020, showcasing how pertinent this threat really is.

Despite continued PSAs and growing awareness of the problem, the numbers continue to rise year over year—making BEC the biggest threat to organizations of all sizes. And unfortunately, until there is a shift to tools that can identify and stop these email attacks, we can expect that the next PSA will show an even greater number—whether it comes in 2024 or beyond.

BEC, also known as EAC or email account compromise when reported on by the FBI, is a sophisticated scam where attackers gain unauthorized access to a company's email system and send emails to a target in an attempt to encourage them to transfer funds or reveal sensitive information. Sometimes this is accomplished through social engineering tactics that trick employees into thinking they are communicating with a legitimate contact, either by using a lookalike domain or a known display name.

Business email compromise is a popular cyberattack because it is relatively easy to complete, the rewards are substantial, and the risks for attackers are minimal. Since companies enjoy more purchasing power and house more data than individuals, businesses are a hot target for cybercrooks—and the proliferation of generative AI is only going to increase these scams.

The process for a BEC attack often goes like this:

1. The attacker researches and chooses their target. By exploring public information about the company’s structure and leadership team, often via corporate websites or LinkedIn, attackers select their targets. This includes the organization itself as well as the employees inside the company.

2. The attacker spoofs an email. The attacker creates a fake email address to impersonate an executive or team member. In some cases, cybercriminals have already compromised a real email address that they use to launch their attacks. Because those email accounts are legitimate, they are especially difficult to detect when they are used for malicious purposes.

3. The attacker makes contact, establishes trust, and makes an urgent request. The most successful cyberattacks play on human psychology. Attackers abuse the human tendency to obey authority and leverage urgency to overcome people’s natural suspicions. When employees think that these messages are coming from a trusted coworker or boss needing quick help, victims are more likely to fall for the request.

4. The attacker manipulates victims into sharing sensitive information or transferring funds. Attackers desire your data and your money; two of your most precious assets. By relying on text-based attacks, they can bypass security systems and reach end users, who can be socially engineered to complete the request.

5. The attacker uses stolen information or credentials to deepen and widen their attacks. Attackers won’t stop just because they’ve succeeded. They’ll likely burrow deeper into your organization using this stolen information to target more employees, customers, or vendors. The fallout of these onslaughts can be devastating.

BEC attacks are well suited for circumventing traditional, rules-based email security. These messages often appear as genuine emails with no obvious signs of malicious intent. Traditional security platforms might flag suspicious links or attachments, but BEC focuses on manipulating human behavior—often using text-only emails. And while security awareness training is vital to ensuring employees are aware of the risk, organizations should not make employees the only line of defense against BEC attacks. After all, it’s impossible for employees to become the next victim if they never have the opportunity to engage with an attacker.

While attackers target everyone from small businesses to large corporations, the FBI IC3 identified real estate as a top target for BEC attacks in the latest PSA. In 2015, there were reported 194 attacks on the industry—resulting in $8.8 million in losses. In 2022, the number of attacks jumped to 2,284 reported attacks totaling $446.1 million in losses, as shown in the IC3 chart here.

Real estate BEC scams target all transaction participants including buyers, sellers, attorneys, title companies, and agents. Once the attacker gains access to a participant’s email account, they can monitor proceedings and time their requests for financial transactions. Since these parties expect to transfer money, attacks can be especially convincing—making it vital that all types of organizations (and individuals) connected to buying and selling property secure their email against these attacks.

Unfortunately, business email compromise is fairly industry-agnostic, with attackers willing (and able) to target organizations of all types. Whether you’re a small non-profit organization or a huge F1000 company, threat actors are looking at your email as the easiest way to steal your money and your data.

The IC3 lists the following steps for combatting BEC attacks:

1. Enable multi-factor authentication (MFA) for verifying changes in account information.

2. Ensure URLs in emails are associated with the business or individual it claims to be from.

3. Inspect hyperlinks for misspellings of the domain name.

4. Avoid sharing personal information or login credentials via email, no matter the circumstances.

5. Ensure the email address used to send emails is legitimate, especially when using mobile devices.

6. Enable employee computers to see full email extensions.

7. Regularly monitor your financial accounts for irregularities.

These are good tips. But many of these steps put the onus on recipients to flag malicious emails. With the risk of BEC on the rise, organizations must go beyond traditional email security and stop these attacks before they ever reach users.

It’s much better to proactively combat bad emails with a robust email security solution like Abnormal, which detects anomalous activity (even from compromised accounts) to block malicious attacks. Our AI-powered solution creates a baseline of normal behavior and uses that baseline to determine anomalous activity that could indicate an attack. By doing so, Abnormal detects, quarantines, and remediates malicious emails that bypass traditional solutions—making it a vital part of the fight against BEC.

If an employee at your organization has already fallen for a BEC scam, responding quickly is the best action. Start by contacting your financial institution to stop payments or recall funds. While each financial institution has its own policies in place to recover funds, it’s safe to assume that you will need to provide the necessary indemnification documents to complete this step.

The FBI also recommends that victims file a complaint with the IC3. Providing the FBI with this information they need assists law enforcement in possible recovery efforts and helps the organization track threat trends over time.

Of course, nobody wants to fall victim to cybercrooks. Defend your business with Abnormal to avoid becoming another statistic.

Discover more about the latest BEC attacks by viewing our Attack Library on Abnormal Intelligence.