Much like in 2020, the FBI's newly released cybercrime statistics for 2021 show that business email compromise is far and away the largest digital crime. The numbers are not close, and have not been close since it first became the dominant form of online crime tracked by the bureau's Internet Crime Complaint Center (IC3) in 2015.
Yet, if you asked most people what their largest crime concern was, they would likely say ransomware. The visibility gap is substantial.
The FBI fielded reports of nearly $2.4 billion in victim loss to BEC scams in 2021. That was 49 times as much as ransomware's yield reported to the FBI ($49.2 million), and more than a third of total cyber crime ($6.9 billion).
"Ransomware is obviously going to be more publicly visible simply because it has an impact on things like supply chains or the gas pump," said Crane Hassold, director of threat analysis at email-focused Abnormal Security and a former FBI analyst. "Obviously, some of the big ransomware attacks that we saw last year, whether it's Colonial Pipeline or JBS, had those ripple effects whereas most BEC attacks the public doesn't know [about], unless they're part of a big lawsuit."
The FBI has noted in the past that ransomware is probably under reported. Chanalysis estimates based on data from criminal cryptocurrency wallets that the global ransomware market stands in the mid-hundreds of millions of dollars. Even assuming that BEC isn't underreported (and there is no reason to do that) BEC is still a substantially larger crime.
While the criminal groups associated with BEC rake in just under the gross domestic product of Bhutan each year from those scams, they are often diversified into other cybercriminal enterprises. The pejorative name for email scams is Nigerian scams. And while Nigeria has made concerted efforts in recent years to clean up the criminal rings behind that reputation, many if not most still operate out of West Africa.
"The same actors that are doing BEC are usually going to be the same ones that are doing things like romance scams or employment fraud, or inheritance fraud, advance fee fraud," said Hassold. "And so when you add all of that together, more than half of all financial loss can be attributed to this one area."
The victim loss may not tell the entire story behind the impact of the attack. As Hassold noted, the downstream effects of ransomware have included everything from the hoarding of gasoline to the temporary shuttering of freight shipping firms. But the impact to victims can range to the extreme. In 2017, Tillage Commodities Management lost more than half its capital to such cybercrime, and was then fined an additional $150,000 for failing to protect its assets.
"Each one of these attacks is causing six-figure losses, which has been growing year over year. For larger companies, this should get much more attention than it has in the past," said Hassold.