chat
expand_more

Key Takeaways from the 2023 FBI IC3 Report: Business Email Compromise Losses Jump to Nearly $3 Billion

Explore the biggest takeaways from the 2023 FBI IC3 Report, including the steady increase in losses due to business email compromise (BEC).
March 7, 2024

Today, the FBI Internet Crime Complaint Center (IC3) released its 2023 Internet Crime Report, which examines cybercrime trends from the prior year, providing details on total losses and the number of reported victims.

The latest report revealed that business email compromise (BEC) remains a significant threat for modern enterprises, resulting in reported losses of nearly $3 billion. This represents a 7% increase over 2022’s already staggering total of $2.7 billion—and a total of $14.3 billion since the IC3 began including the attack in its report in 2015. Since its initial inclusion in the IC3 report, when only $264 million in losses were reported, business email compromise has skyrocketed more than 1000%.

Here are a few key takeaways from the report.

BEC is (Still) a Billion-Dollar Problem

Threat actors who launch BEC attacks carefully select their target based on perceived access to financial information or susceptibility to respond to a request. Using social engineering techniques, they manufacture a sense of urgency and exploit the familiarity and trust between the recipient and the impersonated party to encourage the victim to send money or valuable data.

In 2023, the Internet Crime Complaint Center received a shocking 21,489 BEC complaints, resulting in adjusted losses exceeding $2.9 billion. This means that a single successful BEC attack costs a business an average of $137,132—up from $125,612 last year.

FBI IC3 2023 Report BEC Losses

According to the FBI, the data suggests threat actors have recently adapted their tactics by utilizing custodial accounts held at financial institutions for cryptocurrency exchanges or third-party payment processors. They often convince targeted individuals to send funds directly to these platforms, where the funds are quickly dispersed.

Surge in Investment Scams Involving Cryptocurrency

Reported losses due to investment scams reached a staggering $4.57 billion in 2023, making it the most prevalent crime type tracked by the IC3. Within this category, investment fraud related to cryptocurrency saw a significant increase of 53%—from $2.57 billion in 2022 to $3.94 billion in 2023.

FBI IC3 2023 Report Investment Fraud Losses

Typically targeting consumers rather than businesses, these schemes often begin with romance or confidence scams, gradually evolving into cryptocurrency investment fraud. Criminals create fictitious identities to establish relationships and build trust with victims, primarily through dating apps, social media platforms, professional networking sites, or encrypted messaging apps. Once trust is established, perpetrators introduce the topic of cryptocurrency and claim to have expertise or affiliations with experts who can guarantee financial success.

Victims are then directed to fraudulent websites or apps controlled by the criminals, where they are coached through the investment process and shown fake profits. When victims attempt to withdraw their funds, they are asked to pay fees or taxes, ultimately leaving them unable to recover their money, even if they comply with the demands.

Ransomware Continues to Be a Persistent Threat

The IC3 received 2,825 complaints related to ransomware attacks in 2023, resulting in adjusted losses exceeding $59.6 million. Notably, nearly 1,200 complaints were from critical infrastructure sector organizations affected by ransomware attacks, with 14 of the 16 critical infrastructure sectors receiving at least one ransomware attack last year.

FBI IC3 2023 Report Ransomware Losses

*This number does not include estimates of lost business, time, wages, files, equipment, or any third-party remediation services acquired by a victim. In some cases, victims do not report any loss amount to the FBI, thereby creating an artificially low ransomware loss rate.

While ransomware attacks can occur in multiple ways, email remains a favorite choice for cybercriminals, who often deliver their attacks through malicious links or files. Once opened, ransomware poses a significant threat to individuals and businesses, causing service disruptions, financial losses, and, in some cases, permanent loss of valuable data.

While the numbers are not as high as some of the other types of cybercrime, it is important to note that many ransomware infections go unreported to law enforcement, making it challenging to ascertain the true number of victims. For example, when the FBI recently infiltrated the Hive ransomware group’s infrastructure, they discovered that only about 20% of Hive’s victims submitted reports to law enforcement. This indicates that the actual number of ransomware victims and associated losses are considerably higher—and is also a key indicator that cybercrime losses overall are likely much higher than reported.

What the 2023 Cybercrime Data Indicates

The 2023 Internet Crime Report demonstrates that organizations are still facing challenges defending against advanced threats—despite technological advancements and innovations in security measures over the past decade. No matter who criminals are targeting, they rely more on social engineering tactics than ever before, often pretending to be an executive, vendor, or even potential romantic partner to establish trust with their victims. These socially-engineered attacks continue to rise year after year, as human behavior remains the weakest link in the security chain and the easiest way for cybercriminals to experience success.

This focus on targeting humans rather than technology has become easier with the massive rise of generative AI over the last year. Interestingly, the 2023 IC3 report makes no mention of either “artificial intelligence” or “AI.” I expect this will not be the case in the 2024 version of the IC3 report, once we have more data to showcase how AI is truly changing the threat landscape and enabling criminals to create sophisticated attacks at a massive scale with relative ease. Further, though BEC was dethroned by investment fraud in the 2022 report, my prediction is that AI will put this attack back on top of the list in 2024 as criminals learn how to leverage malicious generative AI tools (such as WormGPT and FraudGPT) to more effectively bypass legacy security solutions and manipulate targets.

Keeping Your Organization from Becoming the Next IC3 Statistic

So these numbers are good to know, but what can we actually do with them? How do we use them to keep our organizations, our employees, and our families safe from the never-ending threats targeting us? Knowing which threats are most successful is key to knowing where to put your time and resources into stopping them.

Security awareness training undeniably remains a fundamental aspect of every organization's cybersecurity strategy. However, it is imperative to supplement this training with technology-based detection to stop attacks before they reach end users. The slowed growth rate of BEC losses indicates that this combination works.

While cybercriminals are continuously trying new tactics to bypass security filters and trick end users, I strongly believe that the implementation of next-generation technology is why we’re not seeing BEC cost $4 billion or more each year. As more organizations adopt security tools that leverage AI and machine learning to detect malicious messages, cybercriminals will turn elsewhere. While unlikely due to the sheer volume of attacks AI will enable bad actors to unleash, perhaps this is the year that BEC peaks and the 2024 report will show a decrease in the amount lost. Either way, one can hope.

My best advice? Security leaders should continue to focus on safeguarding their organizations from advanced threats, while also collaborating with vendors and partners who are committed to staying at the forefront of the evolving attack landscape. Until organizations adopt a radically different approach to detect these advanced attacks, we’ll continue to see these numbers grow year after year.


See for yourself how an AI-native email security solution can protect your organization from advanced attacks like these. Schedule a demo.

Schedule a Demo
Key Takeaways from the 2023 FBI IC3 Report: Business Email Compromise Losses Jump to Nearly $3 Billion

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Dropbox Open Enrollment Attack Blog
Discover how Dropbox was exploited in a sophisticated phishing attack that leveraged AiTM tactics to steal credentials during the open enrollment period.
Read More
B AISOC
Discover how AI is transforming security operation centers by reducing noise, enhancing clarity, and empowering analysts with enriched data for faster threat detection and response.
Read More
B Microsoft Blog
Explore the latest cybersecurity insights from Microsoft’s 2024 Digital Defense Report. Discover next-gen security strategies, AI-driven defenses, and critical approaches to counter evolving threats and safeguard your organization.
Read More
B Osterman Blog
Explore five key insights from Osterman Research on how AI-driven tools are revolutionizing defensive cybersecurity by enhancing threat detection, boosting security team efficiency, and countering sophisticated cyberattacks.
Read More
B AI Native Vendors
Explore how AI-native security like Abnormal fights back against AI-powered cyberattacks, protecting your organization from human-targeted threats.
Read More
B 2024 ISC2 Cybersecurity Workforce Study Recap
Explore key findings from the 2024 ISC2 Cybersecurity Workforce Study and find out how SOC teams can adapt and thrive amidst modern challenges.
Read More