Business Email Compromise Report from FBI

I will very rarely publish a news item or statistics, because we focus on discussing vulnerabilities, exploits, and countermeasures and leave the cyber news to others.  This report is important enough that I had to share it.

On June 14th the Internet Crime Complaint Center of the FBI reported loss numbers for businesses that succumbed to the “Business Email Compromise” scam.  This scam works when an attacker is able to get the user ID and password for the CEO’s email account, usually through social engineering or phishing, but sometimes from purchased lists of passwords.  Since so many people reuse the same password, if I have your Gmail password, there is a good chance the password might open your business email, too.

Then the attacker will use the CEO’s own email to request large funds transfers, ostensibly for a business purpose, such as acquiring another company, or a large purchase of parts, or whatever.  Here are the damages for the last couple of years.
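The two-step pattern just described (a sign-in to the executive's mailbox from somewhere new, followed by an urgent, secretive transfer request sent from that mailbox to finance staff) is something a mail administrator can watch for in mailbox audit logs. The following is an added illustration, not code from the original post or from the FBI report: a small detector run over constructed mailbox events. The account names, the `example.com` addresses, the IP addresses, the "ZZ" country code and the keyword lists are all assumptions made up for the example.

```python
"""Toy detector for the BEC pattern described above: a new-location login to an
executive mailbox followed by an urgent funds-transfer request sent from it.
All events, accounts and addresses below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Hypothetical account lists; in practice these come from your directory.
EXECUTIVE_ACCOUNTS = {"ceo@example.com", "cfo@example.com"}
FINANCE_ACCOUNTS = {"controller@example.com", "ap@example.com"}

# Constructed baseline: countries each executive normally signs in from.
KNOWN_LOGIN_COUNTRIES = {"ceo@example.com": {"US"}, "cfo@example.com": {"US"}}

# Wording typical of a fraudulent transfer request; tune for your organisation.
TRANSFER_RE = re.compile(r"\b(wire|transfer|funds|payment)\b", re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(urgent|asap|immediately|confidential|today|don't call)\b",
                        re.IGNORECASE)


@dataclass
class Event:
    ts: datetime
    kind: str            # "login" or "send"
    account: str         # mailbox the event belongs to
    ip: str = ""         # login events only
    country: str = ""    # login events only (ISO code; "ZZ" is a placeholder)
    to: str = ""         # send events only
    subject: str = ""
    body: str = ""


def detect(events, window=timedelta(hours=24)):
    """Return a list of alert dicts, ordered by time.

    Rules:
      1. login to an executive mailbox from a country outside its baseline -> medium
      2. message from an executive to finance that asks for a transfer    -> medium,
         high if it also carries urgency/secrecy wording,
         critical if rule 1 fired for that mailbox within `window` beforehand
    """
    alerts = []
    last_new_login = {}  # account -> timestamp of most recent out-of-baseline login
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.account not in EXECUTIVE_ACCOUNTS:
            continue
        if ev.kind == "login":
            if ev.country not in KNOWN_LOGIN_COUNTRIES.get(ev.account, set()):
                last_new_login[ev.account] = ev.ts
                alerts.append({"ts": ev.ts, "account": ev.account, "severity": "medium",
                               "reason": "new_location_login",
                               "detail": f"login from {ev.ip} ({ev.country})"})
        elif ev.kind == "send" and ev.to in FINANCE_ACCOUNTS:
            text = f"{ev.subject}\n{ev.body}"
            if not TRANSFER_RE.search(text):
                continue
            severity = "high" if URGENCY_RE.search(text) else "medium"
            recent = last_new_login.get(ev.account)
            if recent is not None and ev.ts - recent <= window:
                severity = "critical"
            alerts.append({"ts": ev.ts, "account": ev.account, "severity": severity,
                           "reason": "transfer_request_to_finance",
                           "detail": f"to {ev.to}: {ev.subject!r}"})
    return alerts


# Constructed sample: one normal day, then the compromise pattern.
SAMPLE_EVENTS = [
    Event(datetime(2016, 6, 1, 9, 0), "login", "ceo@example.com", ip="203.0.113.5", country="US"),
    Event(datetime(2016, 6, 1, 10, 0), "send", "ceo@example.com", to="ap@example.com",
          subject="Lunch Friday?", body="Are we still on for Friday?"),
    Event(datetime(2016, 6, 2, 3, 12), "login", "ceo@example.com", ip="198.51.100.7", country="ZZ"),
    Event(datetime(2016, 6, 2, 3, 40), "send", "ceo@example.com", to="controller@example.com",
          subject="Urgent wire transfer",
          body="Please process a confidential wire of $85,000 today for the acquisition. "
               "Don't call, I'm in meetings all day."),
    # A finance-to-CEO reply mentioning a wire is not flagged: the sender is not an executive.
    Event(datetime(2016, 6, 2, 8, 0), "send", "controller@example.com", to="ceo@example.com",
          subject="Re: Urgent wire transfer", body="Calling you to confirm before any wire goes out."),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["ts"], a["severity"].upper(), a["account"], a["reason"], "-", a["detail"])
```

On the sample the detector raises a medium alert for the out-of-baseline login and a critical alert for the transfer request sent 28 minutes later; the lunch message and the controller's reply produce nothing. Keyword matching like this is only a tripwire: the control that actually stops the fraud is a standing rule that finance staff confirm any transfer request by phone or in person, using a number they already have, and multi-factor authentication on executive mailboxes removes the reused-password entry point the post describes.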

The following BEC statistics were reported to the IC3 and are derived from multiple sources to include IC3 victim complaints and complaints filed with international law enforcement agencies and financial institutions:

Domestic and International victims: 22,143
Combined exposed dollar loss: $3,086,250,090

The following BEC statistics were reported in victim complaints to the IC3 from October 2013 to May 2016:

Domestic and International victims: 15,668
Combined exposed dollar loss: $1,053,849,635
Total U.S. victims: 14,032
Total U.S. exposed dollar loss: $960,708,616
Total non-U.S. victims: 1,636
Total non-U.S. exposed dollar loss: $93,141,019

If you are the CEO, CFO, Financial Officer, or accountant at a business, you need to acquaint yourself with this exploit, so that you will recognize it and avoid it when it happens to you.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
