BEC and phishing are still a trend, says FBI report

Updated at: Feb 13, 2020
By Gatefy

BEC and phishing are still a trend, says FBI report

The FBI released the 2019 Internet Crime Report, and phishing and BEC scams remain a trend. According to the report, the total number of cases and losses due to cyber crimes broke a record last year compared to previous years. Overall, the FBI reported about 1,300 complaints per day in 2019, resulting in 467,361 cases reported during the year. Losses exceed USD 3.5 billion.

For comparison, in 2018, there were 351,936 complaints with losses estimated at USD 2.7 billion. In 2017, 301,580 cases were reported, with losses of USD 1.4 billion.

These are high and worrying numbers if we analyze that, in the period of one year, from 2018 to 2019, the increase in the volume of losses totals about USD 800 million, while the number of cases was surpassed by 100,000 complaints.

“The most prevalent crime types reported were phishing, non-payment/non-delivery, extortion, and personal data breach. The top three crime types with the highest reported losses were BEC, confidence/romance fraud, and spoofing”, says the report.

2019 Internet Crime Report key points

1. Business Email Compromise (BEC) causes more losses

According to the FBI, Business Email Compromise (BEC) and Email Account Compromise (EAC) are a type of sophisticated attack aimed at companies and people who carry out wire transfers. The scam usually happens when a hacker compromises corporate email accounts with the aim of making unauthorized transfers of funds. For this, he uses intrusion techniques and social engineering.

In 2019, BEC/EAC scams continue to be the most damaging ones, causing losses of USD 1.7 billion. A total of 23,775 cases were reported. Taking a look at the numbers, it’s a small volume of cases for such a huge loss. In other words, BEC/EAC is a very lucrative type of scam that has been increasingly used by cybercriminals. In addition, it’s important to note that the BEC/EAC attacks accounted for almost half of the cyber crime losses in 2019.

In 2018, the losses caused by this type of threat had reached USD 1.2 billion.

“BEC/EAC is constantly evolving as scammers become more sophisticated. In 2013, BEC/EAC scams routinely began with the hacking or spoofing of the email accounts of chief executive officers or chief financial officers, and fraudulent emails were sent requesting wire payments be sent to fraudulent locations. Over the years, the scam evolved to include compromise of personal emails, compromise of vendor emails, spoofed lawyer email accounts, requests for W-2 information, the targeting of the real estate sector, and fraudulent requests for large amounts of gift cards”, says the report.

2. Phishing is the scam with the most cases

The phishing scam happens when a criminal tries to impersonate someone or a brand to steal confidential data from companies or people. It’s a type of cyber crime that usually happens by email and can be identified, for example, by dubious and urgent requests.

An interesting fact to note in the FBI report is that there has been a huge increase in the number of complaints involving phishing. In 2019, 114,702 cases were reported. In 2018, there were only 26,379 complaints. In terms of victim count, phishing moved out of fifth place to take the top spot.

3. Spoofing cases are increasing

First, let's see the FBI's definition of spoofing: “Contact information (phone number, email, and website) is deliberately falsified to mislead and appear to be from a legitimate source. For example, spoofed phone numbers making mass robo-calls; spoofed emails sending mass spam; forged websites used to mislead and gather personal information. Spoofing is often used in connection with other crime types”.

Spoofing cases increased considerably in 2019, both in the number of victims and the volume of losses. In 2018, for example, spoofing wasn't on the list of the top five types of crime. But, in 2019, it appears as third-placed in losses, with USD 300 million, and as fifth-placed in the number of cases, with 25,789 complaints.

4. Ransomware attacks and tech support fraud are also worrisome

The FBI also highlights cases of ransomware attacks and technical support fraud in its report.

In ransomware cases, in 2019, 2,407 complaints were reported with losses of more than USD 8.9 million. Ransomware is a type of malware that encrypts machine's files or blocks their entire systems. The report cites Remote Desktop Protocol (RDP) and spear phishing attacks as vectors of ransomware.

“The FBI advises not to pay the ransom to the adversary. Paying a ransom does not guarantee an organization will regain access to its data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom. Paying a ransom emboldens the adversary to target other organizations for profit, and provides a lucrative environment for other criminals”, points out the report.

In the case of tech support fraud, last year, the agency received 13,633 complaints with losses amounted to over USD 54 million. Tech support fraud happens when a scammer tricks people with a fake technical service.

The top five crime types

By victim count

Phishing – 114,702
Non-payment/non-delivery – 61,832
Extortion – 43,101
Personal data breach – 38,218
Spoofing – 25,789

By victim loss

BEC/EAC - USD 1,776,549,688
Confidence fraud/romance - USD 475,014,032
Spoofing – USD 300,478,433
Investment - USD 222,186,195
Real estate/rental - USD 221,365,911

2019 Internet Crime Report

If you would like to check out the full report, click here.