Counting the Real Cost of Business Email Compromise: $12.5B and Rising

BEC phishing often means scammers trying to 'hook' your credit card information

Business email compromise (BEC) continues to cost businesses enormous amounts of money — and it’s only getting worse.

BEC is a broad class of email attacks in which fraudsters use email to deceive recipients into sending them money or financial equivalents like gift cards.

Examples are not hard to find. Just in the past week, email scammers swindled a Catholic church out of $1.75 million by pretending to be a construction firm. A New Jersey man recently pleaded guilty for his role in an email fraud scheme that bilked victims out of $1 million. And authorities arrested nine people in Florida, New York, and Texas in connection with a $3.5 million BEC scam.

In fact, the U.S. Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) recently issued a report on BEC and other financial crimes that shows just how rapidly BEC losses have been growing.

According to the FBI report, the IC3 received 20,373 BEC complaints with total BEC losses exceeding $1.2 billion during 2018.

BEC was one of the largest types of cybercrime reported to the IC3 in 2018. The total of reported cybercrime losses was $2.71 billion, or almost twice the previous year’s total of $1.4 billion in cybercrime losses.

However, those numbers are dwarfed by the FBI’s estimate of the total amount of BEC losses, including unreported losses as well as those reported to the IC3.

According to an advisory issued by the FBI in July 2018, the cumulative total of estimated BEC losses stood at $12.5 billion from late 2013 through mid-2018. An earlier report on BEC put it at $5.3 billion through 2016, so BEC fraud added more than $7 billion in losses in just 18 months.

To compare the figures, just look at this chart. The red line shows the amount of cybercrime losses reported to the IC3 for each year from 2014 through 2018. The pink columns show the cumulative totals to date for BEC alone, including the FBI’s estimates of unreported losses.

Chart comparing IC3 reported cybercrime losses vs. estimated total BEC losses

As you can see, BEC losses are enormous. If total BEC losses are growing as rapidly as reports to the IC3, we can expect a new estimate of total BEC losses from the FBI later in 2019 — and it’s probably going to be a lot larger than the $12.5 billion estimate from last year.

Dylan Tweney is the VP of research and communications for Valimail. Formerly, Dylan was the founder of Tweney Media, a content-driven communications agency, whose clients included Samsung, Korn Ferry International, Upwork, YL Ventures, Bloomberg Beta, and Valimail.

Before that, he was the editor-in-chief of VentureBeat (2011-2015) and a senior editor at Wired (2007-2011).