The FBI’s Internet Crime Complaint Center (IC3) recently released its report of 2019 data. The report includes 2019 “hot topics” including business email compromise (BEC), ransomware, elder fraud, and tech support fraud. In this blog post, we will focus on the BEC data that the IC3 has reported on since 2014 when this category was first formally introduced and reported.
What is BEC?
Business Email Compromise (BEC) is a sophisticated scam that is frequently carried out when an attacker compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
BEC is constantly evolving. Originally the scams began with the hacking or spoofing of the email accounts of CEOs or CFOs, and fraudulent emails were sent requesting wire payments be sent to fraudulent accounts. Over the years, the scam evolved to include personal emails, spoofed lawyer email accounts, requests for W-2 information, the targeting of the real estate sector, and fraudulent requests for large amounts of gift cards.
How big is the BEC problem?
IC3 reports on many categories of data, but the BEC numbers are staggering. We’ve gone from 2,400 reported incidents to over 23,000 in six years. Check out the graph and data below:
- 2014: 2,417 instances, $226 million in losses.
- 2019: 23,775 instances $1.7 billion in losses
- 883% increase in instances over this six-year period
- 685% increase in losses over this six-year period
We should also add a major asterisk here that this is only a fraction of what actually took place. Industry experts estimate only 15% is being reported. Why? Many reasons: Fear of brand tarnishment, embarrassment, not knowing how to report. In reality, instead of a $1.7 billion problem, this could really be a $12 billion problem.
What about the real estate sector of BEC crime?
The number of real estate victims has hovered around 10,000 – 12,000 each year. But with approximately the same number of instances, we went from $18 million lost to $221 million of reported loss over a seven-year period. The attackers have figured out how the money is moving and they’ve hit gold. The fraudsters are sophisticated and they’ve honed their craft. The same way we have processes and procedures they have processes on phishing, spoofing, and monitoring. You can read more about the typical wire fraud playbook in an earlier post here.
- Only a 122% increase in reported instances
- Still a 690% increase in reported money lost
Further explanations for the large focus on real estate transactions include the infrequent nature of the transaction and the large number of parties involved in each transaction.
Consumers simply don’t have any muscle memory when it comes to real estate transactions. On average, there are at least 6.5 years between real estate transactions.
In a typical real estate transaction, there are usually 8 parties involved. From the buyer and seller to the mortgage company, the title company, realtors, and lawyers, all of these parties are communicating online – typically via email. If one person’s account is exposed, everyone in the transaction is at risk.
Is there a solution?
There is no silver bullet to make attackers disappear, but we have to think about the question, “How do we manage this?” Assuming the trend continues or at least holds steady, this is a risk we will have to continue to manage within our organizations and with our partners and customers. It affects the entire ecosystem of our commerce. The solution requires a layered approach to security but putting up defense mechanisms in all areas of our business: hardware, software, people, processes. Our complete guide to wire fraud details how you can best be prepared and protect your business
Source: IC3 2019 Internet Crime Report – https://pdf.ic3.gov/2019_IC3Report.pdf