Business email compromise (BEC) attacks plundered at least $1.8bn from victim organisations in 2020 and accounted for 43% of all cybercrime losses reported to the US Federal Bureau of Investigation (the FBI).

The agency’s annual Internet Crime Report showed that BEC schemes, in which scammers compromise a legitimate business email account to persuade employees to transfer company funds, continued to be the costliest type of cybercrime. Around a third of attacks reported to the FBI happen overseas, the majority in the UK.

Overall losses from cybercrime jumped 20% year on year to $4.2bn as cybercrooks capitalised on the chaos of Covid-19 with tailored scams. This included fraudsters targeting coronavirus support funds and advertising fake vaccines for sale. In total, the FBI’s Internet Crime Complaint Center (IC3) received 28,500 complaints from businesses and consumers that had Covid-19 themes.

“Unfortunately, criminals are very opportunistic. They see a vulnerable population out there that they can prey upon,” said FBI Section Chief Steven Merrill.

The overall volume of reported cybercrimes more than doubled in 2020 to 791,790 complaints, up from 300,000 in the year prior.

However, the real cost and volume of cybercrime is likely to be much higher because many victims do not report attacks.

BEC accounted for only 19,369 complaints, so the losses it caused are concentrated in far fewer incidents, suggesting that these fraudsters are successfully stealing much larger amounts of cash per victim.

Phishing scams, on the other hand, resulted in losses of over $54m spread across 241,342 complaints – showing that such scams continue to operate on a high-volume, low-reward model. These attacks – along with associated forms such as vishing and smishing – were the most prevalent by volume in 2020.

While ransomware attacks often make the headlines, there were just 2,474 incidents reported in 2020. The comparatively low number could in part be explained by companies keeping ransomware attacks quiet to avoid reputational damage.

The IC3 said it had managed to successfully freeze around $380m in BEC losses with the help of partners.

“On a technical level BEC scams have evolved as well. The infrastructure used is no longer a simple burner Gmail or Hotmail address, but rather a complex net of compromised hosts, email accounts and dedicated infrastructure per target,” said Martin Jartelius, CSO at Outpost24.

“They will buy domains that are similar to their target, with minor spelling mistakes, and pinpoint their targets within the organisation. It’s best to consider any request; the more sensitive the request, the greater your suspicions should be.”
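The lookalike domains Jartelius describes can be caught at the mail gateway before a finance employee ever sees the request. The following is an added illustration, not code from the article or from Outpost24: it takes a From: header, canonicalises common look-alike character substitutions, and measures edit distance from a hypothetical organisation's trusted domains (the domains and addresses are constructed for the example).

```python
import re

# Constructed trusted domains for a hypothetical organisation (not from the article).
TRUSTED_DOMAINS = ("example-corp.com", "example-corp.co.uk")

# Visually confusable sequences collapsed to one canonical form before comparing,
# so that "exarnple" and "examp1e" both normalise to "example".
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def levenshtein(a: str, b: str) -> int:
    # Classic edit distance: insertions, deletions and substitutions cost 1 each.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def canonical(domain: str) -> str:
    d = domain.lower().strip().rstrip(".")
    for seq, repl in CONFUSABLES.items():
        d = d.replace(seq, repl)
    return d


def sender_domain(header_from: str):
    # Extract the domain from a From: value such as 'CFO <cfo@example-corp.com>'.
    m = re.search(r"@([^@>\s]+)>?\s*$", header_from)
    return m.group(1).lower().rstrip(".") if m else None


def lookalike_verdict(header_from: str, trusted=TRUSTED_DOMAINS, max_distance=2):
    # Returns (verdict, closest_trusted, distance); verdict is 'trusted',
    # 'lookalike', 'unrelated' or 'invalid'.
    dom = sender_domain(header_from)
    if dom is None:
        return ("invalid", None, None)
    if dom in trusted:
        return ("trusted", dom, 0)
    cdom = canonical(dom)
    best = None
    for t in trusted:
        ct = canonical(t)
        # Compare the whole domain and the first label alone, so that
        # example-corp.net and example-corp.com.evil.test are both caught.
        d = min(levenshtein(cdom, ct), levenshtein(cdom.split(".")[0], ct.split(".")[0]))
        if best is None or d < best[1]:
            best = (t, d)
    verdict = "lookalike" if best[1] <= max_distance else "unrelated"
    return (verdict, best[0], best[1])
```

A "lookalike" verdict is a reason to hold the message for review or tag it visibly, not proof of fraud; pair it with checks on the display name and the reply-to address, which BEC lures also abuse.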

Perhaps unsurprisingly, California – home to many of the world’s tech titans, and one of the world’s top ranking economies in its own right – was the state with the highest number of cybercrime victims and the most reported losses, with more than 39,000 cases and more than $500m stolen by fraudsters.

Jamie Akhtar, CEO and co-founder of CyberSmart, said: “It is no surprise that we have seen a significant escalation in cybercrime and its associated costs in 2020. As we know, cybercriminals thrive in situations of chaos, preying on our emotions to pull off phishing attacks and infiltrate the systems and networks we use inside and outside of the work environment.

“It is important to remember that these attacks are not limited to large organisations. Often, small and medium-sized enterprises are targeted as well, and they would have a much harder time weathering the financial and reputational impact of an incident.”
