Business Email Compromise Report from FBI

I very rarely will publish a news item or statistics, because we focus on discussing vulnerabilities, exploits, and countermeasures and leave the cyber news to others. This report is important enough I had to share it.

On June 14th the Internet Crime Complaint Center of the FBI reported loss numbers for businesses that succumbed to the “Business Email Compromise” scam.  This scam works when an attacker is able to get the user ID and password for the CEO’s email account, usually through social engineering or phishing, but sometimes from purchased lists of passwords.  Since so many people reuse the same password, if I have your Gmail password, there is a good chance the password might open your business email, too.

Then the attacker will use the CEO’s own email to request large funds transfers, ostensibly for a business purpose, such as acquiring another company, or a large purchase of parts, or whatever.  Here are the damages for the last couple of years.

The following BEC statistics were reported to the IC3 and are derived from multiple sources to include IC3 victim complaints and complaints filed with international law enforcement agencies and financial institutions:

Domestic and International victims: 22,143
Combined exposed dollar loss: $3,086,250,090

The following BEC statistics were reported in victim complaints to the IC3 from October 2013 to May 2016:

Domestic and International victims: 15,668
Combined exposed dollar loss: $1,053,849,635
Total U.S. victims: 14,032
Total U.S. exposed dollar loss: $960,708,616
Total non-U.S. victims: 1,636
Total non-U.S. exposed dollar loss: $93,141,019

If you are the CEO, CFO, Financial Officer, or accountant at a business, you need to acquaint yourself with this exploit so that you will recognize it and avoid it when it happens to you.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
