Thales Blog

FBI 2019 Internet Crime Report: Business email compromise fraud is the costliest attack vector for enterprises

April 14, 2020

Dirk Geeraerts Dirk Geeraerts | Security Evangelist More About This Author >

Earlier this year, the FBI released the 2019 Internet Crime Report. It includes information from 467,361 complaints of suspected Internet crime with reported losses in excess of $3.5 billion. With the high amount of cybercriminal activity including hacking attempts and phishing scams, the information in this report is quite timely.

BEC is the costliest crime for businesses

According to the report, almost half of the reported losses, approximately $1.77 billion, are due to BEC (Business Email Compromise) frauds, also known as EAC (Email Account Compromise) crimes. BEC is a sophisticated scam targeting businesses and individuals performing wire transfer payments.

The scam is frequently carried out when a criminal compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques. For example, an individual will receive a message that appears to be from a colleague or an outside business associate. The email will request a payment, wire transfer, or gift card purchase that seems legitimate but funnels money directly to a criminal.

BEC is constantly evolving as scammers become more sophisticated. During 2019, the FBI’s Internet Crime Complaint Center (IC3) reported an increase in the number of BEC complaints related to the diversion of payroll funds. BEC scams are popular because they're very simple to execute, and they don't require advanced coding skills or complex malware.

According to the FBI's report, BEC scams were, by a considerable margin, the most damaging and effective type of cyber-crime in 2019. Overall, 23,775 BEC victims accounted for $1.77 billion in losses, which is on average $75,000 per complaint. In comparison, phishing/smishing/vishing cases accounted for $500 in losses per complaint.

Figure 1: BEC vs Phishing Crimes. Source: FBI 2019 Internet Crime Report

Adoption of SaaS platforms increases chances of BEC scams

Organisations face new security challenges as they adopt cloud platforms. Perimeter security no longer exists and by adopting services such as Office 365, corporate users are now accessing the organisation’s most sensitive resources remotely and beyond the traditional perimeter security.

In addition, login pages providing access to a company’s critical assets that were once protected within the organisation’s DMZ or behind a VPN, are now fully exposed to the Internet – accessible to anyone. Office 365 is becoming the platform of choice for malicious attacks. Malevolent actors can easily launch password spraying attacks to gain access to network resources and start moving laterally to steal sensitive information or cause damage.

In fact, in 2019 researchers published a report according to which more than 1.5 million malicious and spam emails were delivered within a single month by threat actors, using roughly 4,000 Office 365 accounts compromised via Account Take Over (ATO).

To infiltrate their targets' accounts via ATO attacks, cybercriminals used a combination of "brand impersonation, social engineering, and phishing" to appear to be high-profile companies such as Microsoft in an effort to convince potential victims to visit phishing landing pages and provide account credentials.

The bad actors also “leveraged usernames and passwords acquired in previous data breaches. Since people often use the same password for their different accounts, hackers were able to successfully reuse the stolen credentials and gain access to additional accounts," says the report. The stolen credentials for personal emails were later used to gain access to the compromised Office 365 accounts in hopes of getting business email information, as part of BEC campaigns.

Authentication assurance to the rescue!

The real challenge is how to achieve the same level of protection in the cloud that organisations are accustomed to in an on-premises environment. The integrity of our digital lives and our ability to operate online relies on the ability to successfully authenticate an individual accessing online services and applications by verifying that he/she is who they claim to be.

An organisation’s authentication solution need not to be monolithic. The variety of available authentication methods allows organisations and agencies to employ standards-based, pluggable authentication solutions based on mission need. Stronger authentication, adopting methods with higher Authentication Assurance Level can effectively reduce the risk of attacks.

Before selecting the optimal authentication method(s) for your organisation, it is recommended to review the available authentication methods, the level of assurance they provide, and their susceptibility to known threats-taking into account key considerations and how they pertain to your organisation. It is also highly advisable to start embracing adaptive approaches and analytics that increase trust while reducing friction for end users.

Together with policy-based access and single sign on, authentication is a key component of effective access management. The combination of access policies combined with smart Single-Sign-On optimizes security and convenience by offering end users a secure experience, requiring them to authenticate once and provide additional authentication as needed.

Find out how Thales’s authentication solutions can help your company secure access to corporate networks, protect the identities of users and ensure that a user is who he or she claims to be.