Over the last four years, the information security community has learned a lot about business email compromise (BEC) and the inner workings of Nigerian cybercrime rings who have made it their mainstay.
We know BEC fraud has been reported in all 50 states and in 177 countries worldwide. We know that since June 2016, over $26 billion has been lost as a result of BEC. But we also know that even at this level, we may just be scratching the surface of damages that the threat actors behind business email compromise have inflicted on businesses and individuals.
That's because as we've all come to learn, the same threat actors behind BEC are responsible for myriad other crimes, including everything from romance swindles, work-from-home schemes, and lottery scams, to wire fraud, account takeovers (ATOs), payroll diversion cons, W2 fraud, and (much) more.
When tracking BEC and related 419 schemes (named after section 419 of the Nigerian criminal code), a host of different, discrete malicious activities are often lumped together. After all, the lines are rarely as clear-cut as tracking crimes perpetrated using a specific malware family.
Still, $26 billion in losses from business email compromise is a really large number, right? Yet it's important to put those losses into context by comparing them with other threats that face the industry. As you're about to see, what we know is scary enough. But it's what we don't know that really keeps me up at night.
BEC Losses: More Than Twice Treasury's Estimates?
Let's start with the basics. We've all seen the data coming from the US Treasury Department's Financial Crimes Enforcement Network (FinCEN), which estimates losses from BEC topped $300 million per month in 2018. That's more than $3.6 billion on an annualized basis, and plenty of cause for alarm.
But it also appears to be wildly optimistic. Assuming 100% of Suspicious Activity Reports (SARs) are synced across both FinCEN and the FBI's Internet Crime Complaint Center, figures coming from IC3 paint a completely different picture.
According to IC3, $26 billion was lost to BEC scams between June 2016 and July 2019. So how much is that per month?
$26 billion / 37 months = $702 million in BEC losses per month
That's $23 million lost per day, $975,975.98 lost per hour, or $16,266.27 lost every minute to BEC. Go ahead and let that sink in for a moment—I'll wait for you.
Security researchers love to give marketing teams flak for over-inflating numbers to amplify the drama. But in this case, that $26 billion isn't exaggerated. In fact, it isn't an estimate at all. Every single dollar ties back to a victim. And while some of that money may have been successfully reversed, it still represents the business world's total exposure (or "dollars exposed," in IC3 parlance) to BEC.
Putting $26 Billion in Context
$26 billion isn't chump change. It's equivalent to a Fortune 500 company—ranked about the same as Kraft Heinz at #115 on this year's list, just above Mondelez International and US Bancorp. If it were a country, it'd rank among the top 30 largest economies in the world by GDP.
Indeed, while ransomware generates more headlines, BEC is now the top driver for cyber-insurance claims in EMEA—accounting for 24% of all claims, according to AIG. But to really give you better context for what this means, let's look at the math.
We know BEC results in at least $702 million in losses per month. Using the following equation, we can convert the losses from other campaigns over time to the number of days it takes for BEC to cause the same damage.
(Losses in dollars by Campaign / $702 million) X 30 days = number of days
Let's look at how that compares to the financial damage caused by different forms of malware attacks, along with a few other benchmarks. As it turns out, dramatic attacks that capture headlines can take years to create the same amount of losses generated by successful BEC scams in just a matter of days.
Campaign or Object | Time in Operation | Total Confirmed Damages | Number of days that it takes BEC to cause the same damage |
GameOver ZeuS | 2 years | $100 million dollars | 4.2 days |
WannaCry | | “Could reach” $4 billion in damages | 171.4 days |
GandCrab | 1 year | $300 million dollars | 12.9 days |
NotPetya | | $1.2 billion dollars | 51.4 days |
Sony Attacks | | $35 million dollars | 1.5 days |
GozNym | ~3 years | $100 million dollars | 4.3 days |
CarbonBlack Acquisition | | $2.1 billion dollars | 89.7 days |
Maxed-out Tesla Model S | | $114,990 | 425 seconds |
Average Yearly Salary, Nigeria | 1 year | $15,463.68 USD | Less than 1 minute |
Average Yearly Salary, US | 1 year | $56,516 | Less than 4 minutes |
Why Acknowledging the Unknowns is So Unnerving
Beyond financial losses from cybercrime, there is the human toll. A ransomware attack striking a hospital could have dire consequences, including loss of life. But email fraud rings can be just as deadly. Suicide among email-based romance fraud victims, for instance, is hardly an isolated event, thanks to the emotional turmoil it causes—something we've documented in our own data.
We've personally seen multiple instances in which lovelorn searchers fall prey to social engineering and end up in financial ruin, having to sell their homes, pull kids out of school, and more. All because of an online Mr. or Mrs. Wrong offering the love and affection so lacking in their victims' lives.
This is where the unknowns come in. While a total of 15,000 romance scams were identified in 2017, and another 18,000 in 2018, many more cases go unreported due to the social stigma that goes with falling for this form of fraud. How many more victims are there?
One Scam, a Web of Related Crimes
Over the last four years, we've learned that many fraudsters leverage accounts stolen through romance scams to launch BEC attacks. In fact, during the course of our investigation into the BEC crime ring Scattered Canary, we discovered previously unknown linkages between BEC and countless other cybercriminal activities.
Since $26 billion in losses is already a hot mess, let's throw gasoline on the dumpster fire with a few more questions. How many lottery scam victims are there? How many phished login credentials have gone unnoticed, ready for exploitation in upcoming Vendor Email Compromise (VEC) schemes and other attacks?
How many W2 scams have BEC actors committed that went unreported or untracked? How many people have seen the information stolen in these and other attacks used to hijack their email accounts for use in other email con games? How many students or struggling seniors have unwittingly been recruited in work-from-home scams, tasked with sending fake checks to yet more victims? How many BEC incidents have been covered up, chalked up to the cost of doing business?
If these are just a few of the questions we're able to ask because of things we do know, what about the things we don't? Yes, $26 billion in known BEC losses is scary. But what we don't know is absolutely terrifying.