2022 FBI IC3 Report Shows $2.7 Billion in Losses from Business Email Compromise

Ransomware attacks might be what makes the biggest headlines, but year after year one attack type remains a leading culprit for massive financial losses: business email compromise (BEC).

Last week, the FBI released its 2022 Internet Crime Report, which summarizes major cyber threat trends from the prior year and breaks down total losses and victim counts for a variety of different cybercrimes.

One important takeaway? More than a quarter of the $10.9 billion in losses reported to the FBI Internet Crime Complaint Center (IC3) was directly attributable to BEC. Read on for more highlights from this year’s report.

First discussed in the 2015 Internet Crime Report, business email compromise (BEC) was the leading cause of financial losses for seven straight years. And while it was dethroned by investment fraud in the most recent report, these attacks were still responsible for $2.7 billion in total losses in 2022—a year-over-year increase of 14.5%.

Over the past five years, losses from BEC attacks have more than doubled, growing by a staggering 111% between 2018 and 2022. And in the eight years since the FBI IC3 began reporting on BEC, total losses have risen by more than 10x.

Additionally, although investment fraud recorded the highest total losses in 2022, the average amount lost per BEC attack was higher, at just over $125,600—a 300% increase since 2015.

Clearly, threat actors are continuing to see success with BEC attacks, which is why we can expect consistent growth in business email compromise for the foreseeable future.

Investment fraud is nothing new. Indeed, Ponzi schemes have been around for over a century. But with the increasing pervasiveness of cryptocurrencies throughout the past few years, a new type of investment scam with especially costly consequences has been picking up steam: pig butchering.

Combining investment fraud and social engineering, pig butchering involves tricking targets into making large cryptocurrency investments through fake platforms over the course of several weeks or months. Once the bad actor has “fattened up the pig” (i.e., convinced the target to deposit all of their money into the account), they move forward with “butchering”—withdrawing the funds, closing the account, and blocking the target.

While pig butchering is just one type of investment fraud, its growing popularity along with its potential for higher-than-average payouts likely makes it a major contributing factor to the startling spike in losses attributed to investment scams in recent years. Between 2021 and 2022, the total losses due to investment fraud grew by 127%—from about $1.5 billion to $3.3 billion.

In terms of total losses, phishing falls squarely in the bottom third of all attack types tracked by the IC3. However, what organizations must remember is that phishing is frequently just the first step in a variety of crimes.

Legacy technologies like secure email gateways (SEGs) can stop simple phishing attacks that contain obviously malicious links or attachments, but more advanced phishing messages often easily bypass SEGs. And when an employee engages with a phishing email, it puts the organization at considerable risk, as the information acquired enables threat actors to launch more damaging attacks like BEC, account takeover, and ransomware.

Its success as a “foot in the door” tactic is likely why phishing has been the most common cybercrime reported to the IC3 since 2019.

And as threat actors have continually found new ways to make phishing attacks more convincing, the number of victims has steadily increased since 2019, only slightly declining between 2021 and 2022.

What the 2022 Internet Crime Report drives home is how serious the threat of social engineering attacks has become and, as a result, how crucial it is for organizations to invest in innovative technology that can combat these attacks.

Modern cybercriminals are constantly refining their techniques and increasingly leveraging the same business tools that today’s organizations use to identify targets, source information, and craft convincing emails that allow them to trick employees. That means if your company is still relying on solutions that take an approach to email security that essentially hasn’t been updated in nearly two decades, you’re at a significant (and unnecessary) disadvantage.

The most effective way to protect your organization from sophisticated, socially-engineered threats like business email compromise is to implement intelligent email security technology that combines cutting-edge behavioral science with risk-adaptive detection.

See how Abnormal’s cloud email security solution detects and prevents the malicious emails that bypass traditional solutions. Schedule your demo today.