I will very rarely publish a news item or statistics, because we focus on discussing vulnerabilities, exploits, and countermeasures and leave the cyber news to others. This report is important enough that I had to share it.
On June 14th the Internet Crime Complaint Center (IC3) of the FBI reported loss numbers for businesses that succumbed to the “Business Email Compromise” (BEC) scam. This scam works when an attacker is able to get the user ID and password for the CEO’s email account, usually through social engineering or phishing, but sometimes from purchased lists of passwords. Since so many people reuse the same password, if I have your Gmail password, there is a good chance it will open your business email, too.
Then the attacker will use the CEO’s own email to request large funds transfers, ostensibly for a business purpose, such as acquiring another company, or a large purchase of parts, or whatever. Here are the damages for the last couple of years.
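Because the requests in this scam come from the executive's real mailbox, header checks (SPF, DKIM, lookalike domains) will not catch them; the practical control is to hold any fund-transfer request from an executive account until someone confirms it by phone or in person. The following mail-gateway rule is an added example written for this post, not code from the original post or from the IC3 report; the executive addresses, the review threshold, and the three sample messages are all constructed for illustration.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed: mailboxes whose fund-transfer requests always get a callback.
EXECUTIVE_SENDERS = {"ceo@example.com", "cfo@example.com"}

# Indicators drawn from how the scam is described: a request to move money,
# justified with a business pretext (acquisition, large purchase), often urgent.
TRANSFER_PATTERNS = [r"\bwire\b", r"\btransfer (?:the )?funds\b",
                     r"\bsend (?:the )?payment\b", r"\bpay(?:ment)? (?:of|for)\b"]
PRETEXT_PATTERNS = [r"\bacquisition\b", r"\bacquir(?:e|ing)\b",
                    r"\bpurchase\b", r"\bvendor\b", r"\bparts\b"]
URGENCY_PATTERNS = [r"\burgent\b", r"\basap\b", r"\bimmediately\b",
                    r"\btoday\b", r"\bconfidential\b"]
AMOUNT_RE = re.compile(r"\$\s?([\d,]+(?:\.\d{2})?)")
REVIEW_THRESHOLD = 10_000.0   # constructed policy value


def _matches_any(patterns, text):
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def largest_amount(text):
    """Largest dollar figure mentioned in the text, or 0.0 if none."""
    amounts = [float(m.replace(",", "")) for m in AMOUNT_RE.findall(text)]
    return max(amounts) if amounts else 0.0


def screen_message(raw):
    """Return a decision dict for one RFC 5322 message.

    action is "hold_for_callback" when an executive mailbox asks for a
    transfer of funds; the message is released only after out-of-band
    confirmation.  Everything else is delivered, with the indicators found.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg['Subject'] or ''}\n{body}"

    flags = []
    if _matches_any(TRANSFER_PATTERNS, text):
        flags.append("transfer_request")
    if _matches_any(PRETEXT_PATTERNS, text):
        flags.append("business_pretext")
    if _matches_any(URGENCY_PATTERNS, text):
        flags.append("urgency")
    amount = largest_amount(text)
    if amount >= REVIEW_THRESHOLD:
        flags.append("large_amount")

    hold = sender in EXECUTIVE_SENDERS and "transfer_request" in flags
    return {
        "sender": sender,
        "amount": amount,
        "flags": flags,
        "action": "hold_for_callback" if hold else "deliver",
    }


# Constructed sample messages for a local run.
SUSPECT = """\
From: "Pat Chief" <ceo@example.com>
To: controller@example.com
Subject: Confidential - acquisition payment
Content-Type: text/plain; charset="utf-8"

Need you to wire $250,000 today to close the acquisition we discussed.
This is urgent and confidential, please do not discuss with anyone.
"""

BENIGN = """\
From: "Pat Chief" <ceo@example.com>
To: controller@example.com
Subject: Board lunch
Content-Type: text/plain; charset="utf-8"

Can we move the board lunch to Friday?
"""

NON_EXEC = """\
From: billing@partner.example
To: controller@example.com
Subject: Invoice 1188
Content-Type: text/plain; charset="utf-8"

Please wire $20,000 for invoice 1188 at your convenience.
"""

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("benign", BENIGN), ("non_exec", NON_EXEC)):
        print(name, screen_message(raw))
```

The rule deliberately keys on who is asking and what is being asked for, not on authentication results, since a message sent from a compromised account passes every sender check. The amount and urgency indicators are recorded so the person making the callback knows what to verify, but they do not decide the action on their own: a small, calm request from the CEO's mailbox is still held.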
The following BEC statistics were reported to the IC3 and are derived from multiple sources, including IC3 victim complaints and complaints filed with international law enforcement agencies and financial institutions:
Domestic and International victims: 22,143
Combined exposed dollar loss: $3,086,250,090
The following BEC statistics were reported in victim complaints to the IC3 from October 2013 to May 2016:
Domestic and International victims: 15,668
Combined exposed dollar loss: $1,053,849,635
Total U.S. victims: 14,032
Total U.S. exposed dollar loss: $960,708,616
Total non-U.S. victims: 1,636
Total non-U.S. exposed dollar loss: $93,141,019
If you are the CEO, CFO, financial officer, or accountant at a business, you need to acquaint yourself with this exploit so that you will recognize it and avoid it when it happens to you.