Threat Management, Incident Response, TDR

IC3 report: Criminals use email scams to steal $263M from U.S. companies

A report published by the Internet Crime Complaint Center (IC3) stated U.S. companies lost $263 million as a result of cybercriminal groups' email scams in 2015.

The report noted that email scams, referred to as “Business Email Compromise” (BEC), caused the most significant losses for U.S. companies. The Federal Bureau of Investigation received 7,838 BEC complaints with losses of over $263 million. The IC3 report defines BEC as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.”

The fraudulent attacks included “spoofed emails, intercepted facsimiles, or telephone communications to redirect invoice remittance payments,” the report noted. “Fraudulent transfers have gone through accounts in many countries, with a large majority traveling through Asia.”

Wandera VP of product Michael Covington noted a rise in sophisticated attacks such as those that impersonate mobile devices and man-in-the-middle attacks.

“We have started to see attacks against mobile platforms that allow hackers to impersonate another mobile device.  This allows them to spoof calls so they appear to be either from an organization or a specific individual,” he wrote in an email to SCMagazine.com.

“Even more alarming is the fact that hackers are also starting to hijack the Wi-Fi infrastructure and use it to act as a man-in-the-middle between certain devices and Internet services.  With these capabilities, attackers are doing far more than just spoofing e-mails -- they have the ability to fully control all communications and electronic actions originating from an individual.”

“This report emphasizes the importance around validation. People should confirm the source of a directive or transaction before moving money,” wrote Ann Barron-DiCamillo, CTO at Strategic Cyber Ventures, and former director of the Department of Homeland Security's U.S. Computer Emergency (US-CERT), in an email sent to SCMagazine.com. “Traditional criminals are now using cyber for their conspiracies/transactions - I would think those numbers are actually much higher as only a small percentage of cases are actually reported.”

Similar attacks targeting clients of financial institutions, real estate firms, and law firms – referred to as “Email Account Compromise” (EAC) – accounted for more than $11 million in losses.

While the IC3 is a task force comprised of the FBI, the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance, the IC3 report contains only data on complaints received by the FBI, wrote Leo Taddeo, CSO of Cryptzone and a former special agent in charge of cyber/special operations division of the FBI's New York field office, in an email to SCMagazine.com.

“The result is an incomplete picture of the cyber crime problem and a disjointed framework for addressing it,” Taddeo wrote. “Until we get a more complete picture of the nature and the size of the problem, we will not be able to develop effective strategies to combat it.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.