
Unlucky #7: FBI Data Shows BEC Is the Top Cyber Threat for Seventh Year in a Row

March 24, 2022

It’s IC3 Report week! In what has become an annual holiday for anyone who is heavily involved in researching business email compromise (BEC) attacks, the FBI released its 2021 Internet Crime Report, which details trends in various types of cybercrime activity over the past year.

Why do BEC researchers love it? Because it’s one of the few reports that compares the overall impact of BEC to other types of threats that usually get more attention, like ransomware. And when you’re looking at the ever-growing cyber threat landscape, this report is invaluable to understanding how trends are moving, and what we can expect in the coming year.

Spoiler alert: BEC was the most financially-devastating cyber threat in 2021. Again!

BEC: Still the Biggest Threat the Public Doesn’t Talk About

For the seventh year in a row, BEC attacks were the leading cause of financial losses. Almost $2.4 billion was lost to BEC attacks last year—an increase of more than half a billion dollars (+28%) compared to 2020.

The impact of these losses is underscored by the fact that the number is 65% higher than the second-most impactful crime type, investment fraud, which saw a seven-fold increase in 2021. This increase seems to be linked to a rise in cryptocurrency investment scams, with cybercriminals exploiting the growing popularity of digital currencies.

[Chart: Yearly financial losses due to Business Email Compromise]

While that overall loss figure is staggering, one of the most notable statistics is that 35% of all cybercrime losses were attributed to BEC attacks in 2021. This really shows how much BEC activity drives the overall cybercrime threat landscape. In other words, one out of every three dollars lost to cyber attacks can be attributed to a business email compromise attack!

Even more interesting, we know that the threat actors responsible for most BEC attacks are the same actors behind other scams. Many of these cybercriminals are based in West Africa, and unfortunately for their victims, they aren’t just running BEC scams in a vacuum.

At the same time they’re launching BEC attacks, they may also be involved in other types of crime that paid out big money in 2021: romance scams ($956 million), real estate and rental scams ($350 million), non-payment and non-delivery scams ($337 million), advance fee fraud ($98 million), lottery and inheritance scams ($71 million), employment scams ($47 million), and overpayment scams ($33 million), among others. Taken together, a similar population of actors is primarily responsible for at least $4.2 billion in overall losses—or 61% of all cybercrime losses.

[Chart: Percentage of cybercrime losses by attack type]

To conclude the trifecta of badness the IC3 report gave us around BEC, the average amount lost per BEC attack also increased considerably last year—growing 25%, from $97,000 per attack in 2020 to $120,000 in 2021. One of the main drivers is a class of BEC attacks we call financial supply chain compromise. These attacks include:

  • Vendor Email Compromise (VEC): A two-stage attack that first compromises the email account of an employee at a vendor or supplier, then uses intelligence from the compromised account to target a vendor’s customer in order to redirect funds from a legitimate payment to an illicit account.

  • Vendor Spoofing Attacks: An attack that impersonates a vendor (typically from a lookalike or spoofed domain rather than a compromised account) and requests payment for a supposedly overdue invoice, directing the funds to a new bank account.

  • Aging Report Attacks: An attack, usually impersonating a company executive, asking for a copy of a recent aging report, which contains the outstanding balances and contact information of a company’s customers. Once the threat actor receives the report, they can run additional supply chain scams against those customers using the stolen information.

As we discussed in our recent H1 2022 Email Threat Report, the average amount requested in financial supply chain compromise attacks is $183,000, two to three times higher than in traditional executive impersonation BEC attacks requesting a wire transfer to a fake “vendor.” The continued rise in the frequency of financial supply chain attacks, combined with their higher financial impact, is why we’re continuing to see a rise in the average loss per BEC incident.

[Chart: Average dollar loss per Business Email Compromise attack]

Ransomware: Barking Bigger Than Its Bite

A lot of attention was given to ransomware in 2021 as a result of some disruptive, high-profile attacks like the ones against Colonial Pipeline and JBS. So one of the biggest surprises in this year’s IC3 report was the relatively moderate increase in the overall financial impact of ransomware attacks over the last year.

The ransomware victim data we collected over the past two years showed that the number of victims doubled globally between 2020 and 2021, and the influence of cryptocurrency drove up the average ransom amounts. As a result, we were expecting the overall financial impact of ransomware to come in around $100 million for the year.

Data from the FBI, however, shows that losses linked to ransomware attacks were actually half of that. In 2021, just $49 million was lost as a result of ransomware attacks, putting it 18th on the list of most impactful attacks measured by IC3.

Granted, this figure only includes direct losses (ransoms paid) and doesn’t include the indirect impact of ransomware, such as remediation costs or lost revenue during an attack, but the same can be said for other enterprise-focused attacks measured by IC3. For example, business email compromise also carries post-incident remediation costs. Even if indirect costs increased the financial impact of ransomware by a factor of 10, it would still be almost five times less impactful than BEC, which, using the base figures, causes more than 48 times the financial damage of ransomware.

[Chart: Yearly financial losses due to Ransomware]

Looking at the average loss per ransomware attack shows the same picture. On average, a ransomware attack causes about $13,000 in direct damage. This is nine times less than the average loss in a BEC incident, and behind other types of cybercrime activity like data breaches, romance scams, rental scams, and tech support scams.

[Chart: Average dollar loss by cybercrime type]

So does this mean we don’t have to worry about ransomware anymore? Of course not. Based on our research, we know that ransomware attacks are impacting organizations all over the world, regardless of their size or industry. And when a ransomware attack is successful, as we’ve seen multiple times over the past year, it can have a devastating impact that can leave ripple effects throughout supply chains.

Preventing Cybercrime in 2022 and Beyond

The biggest takeaway from this year’s IC3 report is that, just as we’ve seen over the past six years, cybercriminals consistently make money with tactics that are not technically sophisticated. While there’s a common perception that cyber attacks generally require technical sophistication, the reality is that relatively basic social engineering attacks like business email compromise are the cause of most of the cybercrime losses businesses face every day.

The truth of the matter is that threat actors are turning away from high-volume, low-impact attacks like credential phishing toward more targeted, high-value attacks like business email compromise and supply chain fraud. And because these attacks are typically text-based, with no suspicious links or malicious attachments, they bypass traditional security measures like secure email gateways, which look for exactly those indicators.
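As an added example (not Abnormal’s code, and not anything from the IC3 report), the following Python scores a raw email on the kind of identity, context and content signals the paragraph above contrasts with link- and attachment-based detection: a known display name arriving from the wrong or lookalike domain, a Reply-To that diverts the conversation, and the payment-change and overdue-invoice language used in the vendor impersonation attacks listed under financial supply chain compromise. The sender directory, phrase lists, weights and both sample messages are constructed for illustration; a real deployment would learn the directory from historical mail flow and tune the weights against its own traffic.

```python
"""Scoring text-only BEC / vendor-impersonation signals.

Added example, not code from Abnormal Security or the IC3 report. The sender
directory, phrase lists, weights and sample messages are constructed for
illustration; tune them against your own mail flow before relying on them.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of trusted senders: display name -> legitimate domain.
KNOWN_SENDERS = {
    "acme supplies accounts": "acme-supplies.example",
    "pat lee": "ourcompany.example",   # an executive, for aging-report style lures
}

PAYMENT_CHANGE = re.compile(
    r"(new|updated|changed)\s+(bank|banking|account|wire|remittance)"
    r"|overdue\s+invoice|aging\s+report|wire\s+transfer", re.I)
URGENCY = re.compile(r"\burgent(ly)?\b|as soon as possible|immediately", re.I)


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, legit):
    """True when domain imitates legit: a small edit, or the legit label embedded."""
    if domain == legit:
        return False
    return legit.split(".")[0] in domain or levenshtein(domain, legit) <= 2


def _body_text(msg):
    """Concatenate all text/plain parts (the whole body for a single-part message)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    texts = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            texts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(texts)


def score_message(raw):
    """Return {'score', 'reasons', 'has_ioc'} for one RFC 5322 message string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rsplit("@", 1)[-1].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_dom = reply.rsplit("@", 1)[-1].lower() if reply else from_dom
    body = _body_text(msg)

    score, reasons = 0, []
    legit = KNOWN_SENDERS.get(name.strip().lower())
    if legit and from_dom != legit:            # identity: known name, wrong domain
        score += 3
        reasons.append(f"display name '{name}' sent from {from_dom}, expected {legit}")
        if lookalike(from_dom, legit):
            score += 1
            reasons.append("sending domain is a lookalike of the legitimate domain")
    if reply_dom != from_dom:                  # context: replies diverted elsewhere
        score += 2
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain")
    if PAYMENT_CHANGE.search(body):            # content: payment redirection lure
        score += 2
        reasons.append("payment-change / overdue-invoice language")
    if URGENCY.search(body):
        score += 1
        reasons.append("urgency language")

    # The indicators a gateway keys on; typically absent on a BEC message.
    has_ioc = bool(re.search(r"https?://", body)) or any(p.get_filename() for p in msg.walk())
    return {"score": score, "reasons": reasons, "has_ioc": has_ioc}


# Constructed samples: a VEC-style bank-change request and a routine invoice notice.
VEC_SAMPLE = """From: "Acme Supplies Accounts" <accounts@acme-supp1ies.example>
Reply-To: acme.ar@webmail.example
To: ap@ourcompany.example
Subject: Overdue invoice 4471 - updated banking details

Please settle the overdue invoice to our updated bank account below. This is urgent.
"""

BENIGN_SAMPLE = """From: "Acme Supplies Accounts" <accounts@acme-supplies.example>
To: ap@ourcompany.example
Subject: Invoice 4471 for March

Invoice 4471 is below. Terms are net 30; remit to the account on file.
"""

if __name__ == "__main__":
    for label, sample in (("VEC", VEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = score_message(sample)
        print(label, "score:", result["score"], "ioc present:", result["has_ioc"], result["reasons"])
```

Run stand-alone, the VEC sample scores 9 with no link or attachment present, which is the point: every signal that fires comes from who is writing, where replies go, and what is being asked for, while the routine invoice from the real vendor domain scores 0. A threshold around 5 on this constructed scale would hold the first message for payment-team verification out of band (a phone call to a number already on file, never one from the email).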

To better protect your organization from these attacks, particularly these high-value attacks that cost an average of $120,000+ per incident, you must invest in a new type of technology. Abnormal Security protects organizations worldwide from these attacks that matter most using behavioral data science to understand identity, context, and content. With this fundamentally-different approach to email security, you can ensure that your organization is protected from the full extent of attacks, including these high-value attacks that others miss.

To learn more about how Abnormal stops business email compromise and other attacks, request a demo today.
