Business email attacks are now a multi-billion dollar industry

Best email services: image of email with one unread message alert
(Image credit: Future)

Business Email Compromise (BEC) attacks have grown into a $43 billion industry, the FBI has warned, urging companies to be on their guard.

In a recent report published by the Federal Bureau of Investigation (FBI), between July 2019 and December 2021, the number of identified global losses, due to business email scams, grew by almost two-thirds (65%). 

The figures are based on incidents that have been reported to the Internet Crime Complaint Center (IC3), and mean that BEC attacks are now more lucrative than the likes of the global tuna industry, or the global used-clothes industry.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Covid and crpytos

The FBI somewhat attributes this growth in BEC scams to the Covid-19 pandemic and the lockdown, further stating that during that time, this type of fraud was reported in all 50 US states and 177 countries in total. 

Further strengthening the thesis of BEC being a global problem, the FBI found that 140 countries received fraudulent transfers, with banks in Thailand and Hong Kong found to be the primary international destinations for funds coming from stolen endpoints, although Mexico, Singapore, and China, were also high up the list.

All in all, $43.3 billion were lost between June 2016, and December 2021.

The FBI also looked at the role cryptocurrencies played in the rise of BEC scams, suggesting it widened the playing field for the crooks. 

The IC3 tracked two iterations of crypto-oriented BEC scams - one where the victim would, unknowingly, send funds directly to a cryptocurrency exchange, and another one, called “second hop transfer” in which the attackers create accounts on crypto exchanges using personally identifiable information stolen from victims of other types of attacks (extortion, tech support, romance). Only after the funds are sent to that account, do the crooks transfer them elsewhere.

Crypto-oriented BEC scams are getting more devastating, as well. Back in 2019, less than $5m in losses were reported. Last year, it spiked to $40 million, with the FBI expecting the figure to grow even further in the future.

Most of the time, the attacks revolve around people being tricked into willingly sending funds, rather than deploying viruses on the victims' devices.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.