#privacy: BEC scams cost organisations $26 billion

In a Public Service Announcement, the FBI found that Business Email Compromise (BEC) scams continue to grow and evolve. 

In the announcement it was revealed that between June 2016 and July 2019, BEC scams have cost organisations worldwide £26,201,775,589. The total is based on complaints reported to the FBI’s Internet Crime Complaint Center (IC3). 

The FBI also identified a 100% increase in global exposed losses between May 2018 and July 2019. The bureau attributed this to greater awareness of the threat, which “encourages reporting to the IC3 and international and financial partners.”

The announcement stated that, based on the financial data, banks situated in China and Hong Kong remain the primary destination of fraudulent funds. However, the FBI has noted an increase in fraudulent transfers being sent to Mexico, Turkey and the United Kingdom.

Kevin Epstein, Vice President of Threat Operations at Proofpoint, said:

“More than 99 percent of cyberattacks need humans to click and act—and BEC attacks rely squarely on individuals to take action by preying on human psychological responses to urgent matters such as wiring money and sending confidential data, often to satisfy some immediate but fictional business need. Organizations need to take immediate steps to significantly reduce the chances that a BEC attack is successful by educating their employees and deploying solutions that place the individual at the center of their security strategy.

“BEC and EAC (essentially BEC attacks launched from internal – and therefore harder to detect – compromised executive accounts) are increasingly weapons of choice for financially motivated threat actors because they are inexpensive and require more research than actual sending infrastructure. Sending fraudulent email is cheap and the messages don’t require expensive malware or sophisticated command and control; yet the attacks themselves are highly effective, resulting in billions of dollars in reported losses. Exploiting the email communication channel through highly personalized, socially engineered messages allows attackers to easily impersonate a trusted employee or partner. The prevalence and effectiveness of pervasive credential phishing schemes provides fuel for increasingly common EAC attacks as well, giving attackers an inside channel to implement their schemes.

“These social engineering schemes will only become more prevalent and difficult for organizations to identify, detect, and respond to. It is critical that organizations prioritize a people-centric approach to security that protects all parties (their employees, customers, and business partners) against phishing, email fraud, credential theft, and brute force attacks. We recommend layered defenses at the network edge, email gateway, in the cloud, and endpoint, along with strong user education to provide the best defense against these types of attacks, most of which lack malware payloads that traditional defenses are designed to detect.”
