    Business Email Compromise Causes U.S. Companies to Lose $1.7B

    The FBI says business email compromise is now the biggest cause of cybercrime financial losses for U.S. organizations. But ransomware attacks are also on the rise again.

    by Mike Faden

    Key Points

    • Financial losses caused by business email compromise reached $1.7 billion in 2019, with companies losing an average of $75,000 in each attack, according to the FBI.
    • The findings align with Mimecast research showing a high and growing level of business email compromise attacks.
    • Some attackers may be shifting their focus to ransomware, and increasingly are threatening to publicly release sensitive corporate data if ransoms are not paid.


    Business email compromise attacks caused a staggering $1.7 billion in cybercrime-related financial losses in the U.S. during 2019, nearly four times as much as any other category of cybercrime and 37% higher than the previous year, according to the 2019 FBI Internet Crime Report. Each business email compromise attack also typically resulted in much higher losses than other types of cybersecurity crime: victims reported average losses of nearly $75,000.

    The FBI’s data, based on complaints reported to its Internet Crime Complaint Center (IC3), aligns with Mimecast’s The State of Email Security Report 2019. Mimecast’s research found that two thirds of organizations have experienced increases in impersonation and business email compromise attacks, with almost three quarters of them losing money, data, or customers as a result.

    How Business Email Compromise Works 

    Business email compromise is a relatively new type of attack that aims to scam organizations by impersonating executives in order to convince employees to wire money to fraudulent accounts or leak sensitive information. Attackers often target businesses that regularly make wire transfer payments to foreign suppliers. 

    Attacks often begin with spoofed email messages impersonating the CEO or other executives and targeting people within the company that have the power to make wire transfers or access funds in other ways, says Dr. Kiri Addison, Head of Data Science for Threat Intelligence and Overwatch at Mimecast. “The initial message may be simple and basic: ‘Can you help me quickly with a task? I’m held up in a meeting downstairs so don’t come and find me,’” Addison says. 

    Now, some attacks are starting to use the COVID-19 coronavirus as a ploy to draw people in, she says. An example: “I’m self-isolating and my phone’s not working, can you reply to me at this email address?” For more on coronavirus-related phishing attacks, read “Beware of Fast-Evolving Coronavirus Email Phishing Attacks.”

    Gift Card Scams Proliferate

    Addison said she’s not surprised that the FBI report identified substantial losses due to business email compromise, since the high-value payments routinely made by businesses present an appealing target for attackers. But she noted that Mimecast has also seen many high-volume, lower-value business email compromise scams, such as gift card fraud, often using a template message mailed to a large number of email addresses and sometimes translated into different languages for use in multiple countries. In gift card scams, attackers typically entice an employee to buy large numbers of gift cards and then email the list of codes. 

    Overall, Mimecast threat intelligence detected nearly 60 million business email compromise/impersonation attacks from October to December 2019, with an overall increase in impersonation attacks that rely on social engineering instead of tactics detectable through email scans.

    Some Business Email Compromise Attacks Become More Sophisticated

    Though some business email compromise attempts may be fairly crude, the attacks are constantly evolving as scammers become more sophisticated, according to the FBI. In addition to spoofing corporate email accounts, attackers may compromise personal or vendor emails, spoof the accounts of corporate lawyers, or send requests for W-2 employee forms. In 2019, an increasing number of attacks aimed to divert payroll funds. In these schemes, a company’s human resources or payroll department receives an email that appears to be from an employee, with a request to update their direct deposit information. The new information typically routes the employee’s pay to a hacker’s pre-paid card account.

    How to Prevent Business Email Compromise 

    Organizations need a combination of technology and security awareness training to combat the threat of business email compromise, Addison says. Mimecast’s technology can detect many emails that are sent from outside the organization and attempt to impersonate the company’s executives and other real users. But training is also key, because business email compromise attacks ultimately rely on human error: the attack will only be successful if an employee is tricked into facilitating the scam. 
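    The detection described above (mail arriving from outside the organization that borrows an executive’s name, plus the “reply to me at this email address” redirection mentioned earlier) can be illustrated with a small header check. The following Python script is an added example for this article; it is not Mimecast’s code and not part of the original post. The company domain, the executive roster, the near-miss threshold and the sample messages are all constructed for illustration.

```python
"""Flag inbound mail whose From display name matches a known executive but
whose address is not that executive's real mailbox, plus two related tells:
a sender domain that is a near-miss of the company domain, and a Reply-To
that redirects replies to a different domain.

Added example; constructed data only. Homoglyph folding (e.g. Cyrillic
letters that look Latin) is out of scope here.
"""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumed company domain and executive roster (constructed for the example).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",
    "Ravi Patel": "ravi.patel@example.com",
}
LOOKALIKE_MAX_EDITS = 2  # assumed threshold for near-miss domains


def normalize_name(name):
    """Case-fold, NFKC-normalize and collapse whitespace so 'JANE  DOE' == 'jane doe'."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.replace(",", " ").split())


_EXEC_BY_NAME = {normalize_name(n): a.casefold() for n, a in EXECUTIVES.items()}


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rpartition("@")[2].casefold()


def assess_message(raw):
    """Return {'verdict', 'display_name', 'address', 'reasons'} for one message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    reasons = []

    # 1. Executive name on the wrong mailbox: external is the classic BEC spoof,
    #    internal-but-different can indicate a compromised or stale account.
    exec_addr = _EXEC_BY_NAME.get(normalize_name(display))
    if exec_addr is not None and addr.casefold() != exec_addr:
        if sender_domain == COMPANY_DOMAIN:
            reasons.append("executive display name on an unexpected internal address")
        else:
            reasons.append("executive display name on an external address")

    # 2. Registered lookalike of the company domain.
    if sender_domain != COMPANY_DOMAIN and \
            0 < edit_distance(sender_domain, COMPANY_DOMAIN) <= LOOKALIKE_MAX_EDITS:
        reasons.append("sender domain is a near-miss of the company domain")

    # 3. Reply-To pointing somewhere other than the sending domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != sender_domain:
        reasons.append("Reply-To redirects to a different domain")

    return {
        "verdict": "suspicious" if reasons else "clean",
        "display_name": display,
        "address": addr,
        "reasons": reasons,
    }


# Constructed sample messages (reserved .test TLD, no real mailboxes).
SAMPLE_MESSAGES = {
    "legit": "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nAttached.\n",
    "spoofed_external": 'From: "Jane Doe" <jane.doe.ceo@webmail-free.test>\nSubject: Quick task\n\nAre you at your desk?\n',
    "lookalike_domain": "From: Ravi Patel <ravi.patel@examp1e.com>\nSubject: Payment\n\nPlease call me.\n",
    "reply_to_redirect": "From: Jane Doe <jane.doe@example.com>\nReply-To: jane.doe.personal@webmail-free.test\nSubject: Phone\n\nReply here.\n",
    "unrelated_external": "From: Sam Vendor <sam@supplier.test>\nSubject: Invoice\n\nSee attached.\n",
}


def scan_samples():
    """Verdict per sample message; handy for wiring into a mail-gateway hook."""
    return {name: assess_message(raw)["verdict"] for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        result = assess_message(raw)
        print(f"{name:20} {result['verdict']:10} {result['reasons']}")
```

    In practice this kind of rule sits behind authentication checks (SPF, DKIM, DMARC) rather than replacing them: a display-name match alone is a weak signal, so the script reports reasons rather than a single score, letting a gateway decide whether to tag, quarantine or merely log each hit.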

    Ransomware Shows Signs of Resurgence 

    In contrast to the widespread devastation caused by business email compromise attacks, the FBI’s crime report recorded a relatively low level of ransomware incidents and losses ($8.9 million) in 2019. That number likely understates the real-world cost because it doesn’t include factors such as the cost of lost business, disruption to operations or remediation services. 

    However, there are signs that attackers are again increasing their focus on ransomware. Mimecast has identified an uptick in short-lived, high-volume, targeted and hybridized attacks, which is highly likely to indicate that threat actors are refocusing their efforts from impersonation to ransomware, often using the Emotet trojan to install ransomware on users’ systems.

    Addison adds that Mimecast is also increasingly observing a disturbing trend in ransomware attacks: In addition to encrypting companies’ data to render it unusable, a growing number of hackers also exfiltrate a copy of the data and threaten to publicly release the sensitive information if the ransom is not paid. 

    Combating the Rise in Ransomware 

    Organizations can use several techniques to thwart the resurgence of ransomware, Addison says. They include basic practices of good cybersecurity hygiene, including regular patching, in addition to using technology to scan email attachments and identify suspicious links in messages. To prevent Emotet-based attacks, another key approach is to change Microsoft Office settings to block macros, since macros are often used as a mechanism for downloading malware. 

    The Bottom Line 

    Business email compromise has a huge financial impact on U.S. organizations: in 2019, the reported losses from business email compromise attacks were much higher than for any other category of cyber-crime, according to the FBI. In addition, there are now signs that attackers are once again focusing more effort on ransomware. To counter these threats, organizations need to use a combination of specialized security technology, awareness training, and good cybersecurity hygiene. 
