Losses from business email compromise scams increased 65% from 2016 to 2021, according to the FBI. Pictured: Workers prepare a presentation of advanced email at the CeBIT 2012 technology trade fair on March 5, 2012, in Hanover, Germany. (Photo by Sean Gallup/Getty Images)

Long the bane of the financial industry, business email compromise (BEC) is getting worse, as savvy cybercriminals find sly new avenues to make their fraudulent requests appear believable.

BEC scams jumped a whopping 65% to a total of $43 billion in losses worldwide in just five years, from 2016 to 2021, according to a public service announcement and report released by the FBI late last week. The findings are based on data and complaints from Internet Crime Complaint Center (IC3) data and complaints, which IC3 has been compiling since October 2013. While virtually all forms of cybercrime have risen in recent months, the advanced approaches and level of loss from BEC concerns industry on-lookers.

“The latest report from the FBI on business email compromise is disturbing, but not surprising,” said Gary McAlum, senior analyst for TAG Cyber. “BEC is just another form of social engineering that has increasingly become more sophisticated and profitable over time, quickly outpacing email security systems and employee training programs.”

As online thieves have leveled up, BEC scams have become the “costliest cyberattacks,” according to the IC3’s research. More advanced scam artists are using deep fake voice technology, web site-spoofing, fraudulent social media and employee profiles to support their phishing emails and make them appear more believable, according to Tari Schreider, strategic advisor for Aite Novarica.

“Fraudsters perpetrate BEC scams based on illusion ... that can be months in the making to trick a company executive into believing the financial request to wire money is legitimate,” Schreider said, adding that it typically begins with bad actors infiltrating a company’s network and creating fake receivable accounts.

“Deep fakes can be used to synthetically create a voice impersonation of the executive to confirm payment authorization,” Schreider said. “Next, fake but very real-looking businesses can be created, including websites, LinkedIn accounts, employee profiles, phone numbers. ... Once all the components of the cyber-grift are in place, it is executed.”

IC3 also reported the percentage of cryptocurrency-based complaints and losses increased significantly in 2021, with cybercriminals opting to request funds in the form of cryptocurrency because these transactions can occur quickly and tend to lack an audit trail. Cybercriminals have stolen cryptocurrency through both direct transfers to a crypto-exchange or an indirect or “second hop” transfer to an exchange, according to the IC3’s findings.

Many so-called cyber-grifters are pushing the boundaries of traditional BEC schemes, which tend to target businesses and individuals in finance, payroll or accounts payable who often respond to funds-transfer requests. The IC3 research found that these scams often incorporate more social engineering, as well as hijacking or mimicking legitimate business email accounts. The IC3 also noted that bad actors might acquire employee PII or tax information to add realism to their requests.

However, perhaps most troubling is that BEC seems to be flourishing largely under the radar because it has been (and continues to be) so tough to pinpoint, even after the fact. Although any phishing attack can do a great deal of harm, “they are not all created equally,” according to Patrick Sweeney, global head of Cloudflare Area 1 Security.

While BEC may not be splashed across mainstream news reports as frequently as ransomware, “BEC attacks are very difficult to detect because they are not as blatant as clicking on a suspicious link, nor do they usually have any payload to identify,” Sweeney said.

“In fact, BECs utilize trust that you have already established with outside institutions,” he concluded. “They create very low signals that don’t typically rise to the top of a defender’s alert list, and tend to blend in with the usual noise of corporate email traffic.”