eDiscovery Daily Blog

FBI Says Half of $3.5 Billion Cyber Losses in 2019 Were Due to Business Email Scams: Cybersecurity Trends

The FBI’s Internet Crime Complaint Center (IC3) reported that it received over 460,000 internet and cyber-crime complaints in 2019, which the agency estimates caused losses of more than $3.5 billion, the bureau wrote in its yearly internet crime report released earlier this month.  And, about half of that is due to BEC (Business Email Compromise), aka EAC (Email Account Compromise) crimes, which are sophisticated scams targeting businesses and individuals performing wire transfer payments.

This was reported by ZDNet (FBI: BEC scams accounted for half of the cyber-crime losses in 2019, written by Catalin Cimpanu – hat tip to Sharon Nelson of the excellent Ride the Lightning blog).

“At its heart, BEC relies on the oldest trick in the con artist’s handbook: deception,” the FBI said back in 2017, when it started receiving an increased number of BEC scam reports.

A typical BEC scam happens after hackers either compromise or spoof an email account for a legitimate person/company. They use this email account to send fake invoices or business contracts. These are sent to employees in the same company, or upstream/downstream business partners.

The idea is to trick counterparts into wiring money into the wrong bank accounts.

BEC scams are popular because they (1) are dead simple to execute, and (2) don’t require advanced coding skills or complex malware.  And, they pay BIG.  There were only 23,775 BEC victims last year, but they accounted for over $1.77 billion in losses for victims, which is an average of $75,000 per complaint.  Wow.  Here’s a breakdown of the loss amounts and victim counts by crime type over last year – as you can see, BEC crimes are almost four times as large as any other by total loss amount, but only sixth in total number of victims:

I wrote (almost to the day, no less) about an email I received last year that I suspect was a BEC scam that appeared to be from CloudNine’s co-founder Brad Jenkins.  But I could tell that it wasn’t because it was identified as an external email.  At CloudNine, we mark any emails coming from an external source to identify them as an external email, which is inserted into the received email to help recipients differentiate between real and fake CloudNine emails.  It’s easy to set up and an effective way to flush out those BEC scam emails.
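The external-email marking described above can be sketched as a mail-filter step. This is an added example, not CloudNine's implementation or code from the original post. The domain `example.com`, the gateway identifier `mx.example.com`, the `X-External-Sender` header, the staff name and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions: example.com is the organisation's domain; mx.example.com is its
# gateway, which stamps Authentication-Results and strips forged inbound copies.
INTERNAL_DOMAINS = {"example.com"}
GATEWAY_ID = "mx.example.com;"
STAFF_NAMES = {"pat example"}  # constructed display names worth protecting
TAG = "[EXTERNAL] "

def classify(msg):
    """Return (external, impersonation) for a parsed message."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # The From header is sender-controlled, so an internal-looking domain
    # counts only when our own gateway recorded a DMARC pass for it.
    authenticated = any(
        r.strip().lower().startswith(GATEWAY_ID) and "dmarc=pass" in r.lower()
        for r in msg.get_all("Authentication-Results", [])
    )
    external = not (domain in INTERNAL_DOMAINS and authenticated)
    impersonation = external and name.strip().lower() in STAFF_NAMES
    return external, impersonation

def tag_message(raw):
    """Prefix the subject of external mail and record the verdict."""
    msg = message_from_string(raw)
    external, impersonation = classify(msg)
    if external:
        subject = msg.get("Subject", "")
        if not subject.startswith(TAG):
            del msg["Subject"]
            msg["Subject"] = TAG + subject
        msg["X-External-Sender"] = "impersonation" if impersonation else "yes"
    return msg

# Constructed sample messages, not real mail.
SPOOFED = (
    "From: Pat Example <pat.example@example.net>\n"
    "Subject: Urgent wire transfer\n"
    "Authentication-Results: mx.example.com; dmarc=pass header.from=example.net\n"
    "\nPlease pay the attached invoice today.\n"
)
GENUINE = (
    "From: Pat Example <pat.example@example.com>\n"
    "Subject: Lunch\n"
    "Authentication-Results: mx.example.com; dmarc=pass header.from=example.com\n"
    "\nNoon?\n"
)
```

A message that claims an internal address but carries no authentication result from the gateway is also treated as external, so a forged From header alone does not suppress the tag.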

BTW, the map at the top shows the number of complaints by state and, as you can see, California was the only state with over 30,000 complaints (while Florida, Texas and New York had between 20,000 and 30,000).  But the map is a bit deceiving in this respect – California had 50,132 complaints last year, nearly double that of the next highest states (Florida and Texas, which tied at 27,178 complaints).  Ouch.

So, what do you think?  Do you know someone who has been victimized by a BEC scam?  Please share any comments you might have or if you’d like to know more about a particular topic.

Images Courtesy of 2019 FBI Internet Crime Report

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
