Key Takeaways from the 2023 FBI IC3 Report: Business Email Compromise Losses Jump to Nearly $3 Billion
Today, the FBI Internet Crime Complaint Center (IC3) released its 2023 Internet Crime Report, which examines cybercrime trends from the prior year, providing details on total losses and the number of reported victims.
The latest report revealed that business email compromise (BEC) remains a significant threat for modern enterprises, resulting in reported losses of nearly $3 billion. This represents a 7% increase over 2022’s already staggering total of $2.7 billion—and a total of $14.3 billion since the IC3 began including the attack in its report in 2015. Since its initial inclusion in the IC3 report, when only $264 million in losses were reported, business email compromise has skyrocketed more than 1000%.
Here are a few key takeaways from the report.
BEC is (Still) a Billion-Dollar Problem
Threat actors who launch BEC attacks carefully select their targets based on perceived access to financial information or the likelihood that they will respond to a request. Using social engineering techniques, they manufacture a sense of urgency and exploit the familiarity and trust between the recipient and the impersonated party to persuade the victim to send money or valuable data.
In 2023, the Internet Crime Complaint Center received a shocking 21,489 BEC complaints, resulting in adjusted losses exceeding $2.9 billion. That works out to an average loss of $137,132 per successful BEC attack, up from $125,612 in 2022.
According to the FBI, the data suggests threat actors have recently adapted their tactics by utilizing custodial accounts held at financial institutions for cryptocurrency exchanges or third-party payment processors. They often convince targeted individuals to send funds directly to these platforms, where the funds are quickly dispersed.
Surge in Investment Scams Involving Cryptocurrency
Reported losses due to investment scams reached a staggering $4.57 billion in 2023, making it the most prevalent crime type tracked by the IC3. Within this category, investment fraud related to cryptocurrency saw a significant increase of 53%—from $2.57 billion in 2022 to $3.94 billion in 2023.
Typically targeting consumers rather than businesses, these schemes often begin with romance or confidence scams, gradually evolving into cryptocurrency investment fraud. Criminals create fictitious identities to establish relationships and build trust with victims, primarily through dating apps, social media platforms, professional networking sites, or encrypted messaging apps. Once trust is established, perpetrators introduce the topic of cryptocurrency and claim to have expertise or affiliations with experts who can guarantee financial success.
Victims are then directed to fraudulent websites or apps controlled by the criminals, where they are coached through the investment process and shown fake profits. When victims attempt to withdraw their funds, they are asked to pay fees or taxes, ultimately leaving them unable to recover their money, even if they comply with the demands.
Ransomware Continues to Be a Persistent Threat
The IC3 received 2,825 complaints related to ransomware attacks in 2023, resulting in adjusted losses exceeding $59.6 million. Notably, nearly 1,200 of those complaints came from critical infrastructure organizations, and 14 of the 16 critical infrastructure sectors reported at least one ransomware attack last year.
While ransomware attacks can begin in multiple ways, email remains a favorite delivery channel for cybercriminals, who typically deliver their attacks through malicious links or attachments. Once the link or file is opened and the payload executes, ransomware poses a significant threat to individuals and businesses, causing service disruptions, financial losses, and, in some cases, permanent loss of valuable data.
While the numbers are not as high as some of the other types of cybercrime, it is important to note that many ransomware infections go unreported to law enforcement, making it challenging to ascertain the true number of victims. For example, when the FBI recently infiltrated the Hive ransomware group’s infrastructure, they discovered that only about 20% of Hive’s victims submitted reports to law enforcement. This indicates that the actual number of ransomware victims and associated losses are considerably higher—and is also a key indicator that cybercrime losses overall are likely much higher than reported.
What the 2023 Cybercrime Data Indicates
The 2023 Internet Crime Report demonstrates that organizations are still facing challenges defending against advanced threats—despite technological advancements and innovations in security measures over the past decade. No matter who criminals are targeting, they rely more on social engineering tactics than ever before, often pretending to be an executive, vendor, or even potential romantic partner to establish trust with their victims. These socially engineered attacks continue to rise year after year, as human behavior remains the weakest link in the security chain and the easiest path to success for cybercriminals.
This focus on targeting humans rather than technology has become easier with the massive rise of generative AI over the last year. Interestingly, the 2023 IC3 report makes no mention of either “artificial intelligence” or “AI.” I expect this will not be the case in the 2024 version of the IC3 report, once we have more data to showcase how AI is truly changing the threat landscape and enabling criminals to create sophisticated attacks at a massive scale with relative ease. Further, though BEC was dethroned by investment fraud in the 2022 report, my prediction is that AI will put this attack back on top of the list in 2024 as criminals learn how to leverage malicious generative AI tools (such as WormGPT and FraudGPT) to more effectively bypass legacy security solutions and manipulate targets.
Keeping Your Organization from Becoming the Next IC3 Statistic
So these numbers are good to know, but what can we actually do with them? How do we use them to keep our organizations, our employees, and our families safe from the never-ending threats targeting us? Knowing which threats are most successful is key to knowing where to put your time and resources into stopping them.
Security awareness training undeniably remains a fundamental aspect of every organization's cybersecurity strategy. However, it is imperative to supplement this training with technology-based detection to stop attacks before they reach end users. The slowed growth rate of BEC losses indicates that this combination works.
While cybercriminals are continuously trying new tactics to bypass security filters and trick end users, I strongly believe that the implementation of next-generation technology is why we’re not seeing BEC cost $4 billion or more each year. As more organizations adopt security tools that leverage AI and machine learning to detect malicious messages, cybercriminals will turn elsewhere. While unlikely due to the sheer volume of attacks AI will enable bad actors to unleash, perhaps this is the year that BEC peaks and the 2024 report will show a decrease in the amount lost. Either way, one can hope.
My best advice? Security leaders should continue to focus on safeguarding their organizations from advanced threats, while also collaborating with vendors and partners who are committed to staying at the forefront of the evolving attack landscape. Until organizations adopt a radically different approach to detect these advanced attacks, we’ll continue to see these numbers grow year after year.
See for yourself how an AI-native email security solution can protect your organization from advanced attacks like these. Schedule a demo.