The FBI’s International Crime Complaints Center (IC3) recently released a report stating that Business Email Compromise (BEC) and Email Account Compromise (EAC) cost the world a staggering £21 billion (26.2 billion USD) between October 2013 and July 2019.
The report covers 177 countries and includes a total of 166,349 reported incidents.
This figure is much higher than any previous forecasts, in fact, global exposed losses increased 100% in the final 14 months of the survey. In the US alone there has been a 1300% increase in BEC attacks since January 2015.
However, like with many headline figures, it doesn’t take too much digging to find a slight contradiction of the initial figures.
By examining the report one can see the total costs incurred specifically by BEC/EAC attacks total “only” £8.98 billion (11.18 billion USD). The rest of the headline figure is bolstered by a somewhat vague “victim complaints” category. It would appear the total figure is aggregating other types of email scam such as lottery and romance scams into the headline of BEC/EAC.
It’s all the same thing…
Although this may seem like the FBI has been somewhat haphazard in their categorisation process, it is worth noting their methodology. As scamming groups have evolved, so have their tactics, what were once poorly written Nigerian Prince scams are now RAT-Supporting BEC. And while we see a difference in the emails received, the gangs sending them are not separate at all. As Agari eluded to in reference to a Nigerian internet fraud gang in June 2019: there are no separate BEC gangs, and romance scam gangs, and agency fraud gangs. There is simply one group of social engineers that have honed their skill over many years and many operations.
So for us to find separation in the type of social engineering attack, when they are committed by the same people, is somewhat pointless.
What is strikingly apparent is that as internet security hardware and software get more advanced, scammers are reverting back to humans as the point of weakness in the security chain. By using very simple wording with no attachments, no links to click and no malicious code embedded, advanced and expensive security suites are finding it much harder to block these nefarious emails.
“We make something harder [with improved security], so the criminals switch to the next easiest thing that will keep their money flowing… why bother hacking companies when we can just email the CFO and get him to send us money?”
Alex Pinto – Head of Verizon Security Research
What can we do to stop it?
A culture shift in organisational thinking is what is necessary to overcome the problem of social engineering.
As we have covered many times in our blogs, the problem here lies not with the security hardware but with the users themselves. Security Awareness Training is essential in organisations of all sizes, it is the single most cost-effective improvement to an organisation’s cyber-security. Yet many organisations see it as a luxury, not a necessity.
At the time of writing, the average professional firewall costs many thousands of pounds. Most organisations will not think twice about shelling out that kind of money for necessary security equipment. Using Phishing Tackle to train a click-prone member of staff with routine simulated phishing and security awareness training costs just pennies per month.
It’s time to make a shift and focus on the human element of security, because the scammers already have.