$301 Million Lost to BEC Attacks Each Month

Figures released by the Treasury Department show a steady rise in business email compromise (BEC) attacks over the past two years. More than twice the number of successful BEC attacks were reported in 2018 than 2016 and losses to these scams are skyrocketing.

Business email compromise – BEC – is the name given to a type of email impersonation attack. It typically involves the impersonation of the CEO or another figure of authority in the organization. Those individuals are usually targeted with spear phishing emails and are directed to phishing websites or tricked into downloading malware that steals their email credentials.

The compromised email account is then used to send specially crafted messages to individuals in the organization who have the authority to make wire transfer payments, reroute payments, or change payroll information. BEC scams are becoming increasingly sophisticated and cybercriminal gangs are investing heavily in their operations due to the huge potential returns.

The Treasury Department Financial Crimes Enforcement Network report revealed an average of 1,100 business email compromise scams were reported by businesses every month in 2018. In 2016, an average of 500 BEC attacks were reported each month.


The number of attacks has more than doubled, but the losses to BEC attacks have almost tripled. In 2016, $110 million a month was lost to BEC scams. In 2018, average monthly losses to BEC attacks rose to $301 million.

The Treasury Department report paints an even bleaker picture than the FBI’s figures. In April, the FBI released its Internet Crime Report, which showed losses to BEC attacks had doubled between 2017 and 2018. Annual losses to BEC scams, calculated from reports to its Internet Crime Complaint Center, were estimated to be $1.2 billion. The Treasury Department’s figures suggest the total annual losses to BEC attacks are actually three times higher – $3.6 billion.

The report also highlights how cybercriminals’ tactics are changing. In 2016, BEC attacks mostly involved impersonating the CEO or another high-ranking leader such as the CFO. In 2017, 33% of BEC attacks impersonated the CEO or another leader. In 2018, just 12% of BEC attacks impersonated the CEO.

Last year, 20% of attacks involved the impersonation of an outside entity and 39% of attacks involved the impersonation of a business associate or vendor. 41% of all fraudulent transactions in 2018 were related to fraudulent vendor invoices.

Transaction amounts are also increasing. When vendors are impersonated, the average transaction amount is $125,439. The average transaction amount in CEO impersonation attacks is $50,373.
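A defender-side screening routine for the CEO and vendor impersonation tactics described above, added here as an example and not code from the article or from HIPAA Journal; the corporate domain, executive names, vendor domains and the sample message are constructed assumptions. It flags an executive's display name arriving from outside the corporate domain, a sender domain one typo away from an approved vendor, a diverted Reply-To, and payment-change wording, the last being the only signal left when a genuine account has been compromised.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed fixtures (hypothetical, not from the article): our domain, the executives
# most likely to be impersonated, and the domains of approved vendors.
CORPORATE_DOMAIN = "example-health.org"
EXECUTIVES = {"jane doe", "mark roe"}
KNOWN_VENDORS = {"acme-supplies.com", "medequip.net"}
# Wording typical of the wire, vendor-invoice and payroll requests the article describes.
PAYMENT_PATTERN = re.compile(
    r"wire transfer|new bank (account|details)|updated (banking|remittance)"
    r"|change (my|our|the) (direct deposit|payroll)|invoice (is )?(attached|overdue)",
    re.IGNORECASE)

def edit_distance_one(a: str, b: str) -> bool:
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    shorter, longer = sorted((a, b), key=len)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC indicators found in one plain-text RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []
    # An executive's name on a message that did not come from the corporate domain.
    if display.strip().lower() in EXECUTIVES and sender_domain != CORPORATE_DOMAIN:
        findings.append("executive-name-external-sender")
    # Sender domain one typo away from an approved vendor (vendor impersonation).
    if any(edit_distance_one(sender_domain, v) for v in KNOWN_VENDORS):
        findings.append("lookalike-vendor-domain")
    # Replies diverted to an address other than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr.lower():
        findings.append("reply-to-mismatch")
    # Payment-change language: the signal that survives a genuinely compromised account.
    if PAYMENT_PATTERN.search(f"{msg.get('Subject', '')}\n{msg.get_payload()}"):
        findings.append("payment-change-language")
    return findings

# Constructed sample: CEO impersonation from an external lookalike with a diverted Reply-To.
SAMPLE_CEO_FRAUD = ("From: Jane Doe <jane.doe@gmail-mail.example>\nTo: ap@example-health.org\n"
                    "Reply-To: jane.doe.ceo@outlook.example\nSubject: Urgent wire transfer\n\n"
                    "Process this wire transfer today; the new bank details are below.\n")
```

Any single finding is only a prompt for out-of-band verification of the payment request, not proof of fraud; the value comes from routing flagged messages to a review step before funds move.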

BEC attacks are performed on all industry sectors, although attacks tend to concentrate on the construction and manufacturing industries. A quarter of all BEC attacks were reported by companies in those industry sectors. The real estate industry is also being heavily targeted, and attacks on healthcare organizations are also common.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.