Last week the FBI released their Internet Crime Report 2020. They recorded a 69% increase in the total number of complaints received compared to 2019, and reported losses in 2020 exceeded $4.2 billion.
The report focused on more than 30 different types of cybercrime that were reported to the FBI over the past year. Here are some of the key trends from the report:
Business email compromise (BEC) attacks are on the rise
BEC attacks have been among the fastest-growing and most damaging email attacks in recent years. Typically, hackers take on the identity of an employee within an organization to trick others into sending money to a fraudulent account.
Unsurprisingly, BEC attacks remain the costliest attacks reported to the FBI. Organizations reported around $1.8 billion in losses. On average, that’s over $90,000 in losses per complaint, but some of these attacks may end up costing millions. One of the most expensive BEC scams we’ve seen recently is this attack on Norfund, which cost that organization $10 million.
Over the past few years, we have seen a steady increase in BEC attacks. In March 2019, we reported that 7% of all spear-phishing attacks could be classified as BEC. Today, that number has increased to 12%. This fast-growing trend reflects how successful this type of attack can be for cybercriminals. The attacks have also evolved over the years, becoming more complex and increasingly challenging to detect.
Hackers took advantage of COVID-related scams
Back in March 2020, Barracuda reported a 667% increase in COVID-related phishing attacks targeting organizations. The FBI received over 28,500 complaints related to COVID-19 last year.
Hackers targeted the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which included aid to both businesses and individuals. Attackers tricked their victims into disclosing personal information and then used it in loan fraud or to submit fraudulent unemployment applications.
“Unfortunately, criminals are very opportunistic. They see a vulnerable population out there that they can prey upon.” (FBI Section Chief Steven Merrill, Financial Crimes Section)
Later in the year, we saw a second wave of COVID-related fraud focusing on vaccines. After pharmaceutical companies like Pfizer and Moderna announced the availability of vaccines in November 2020, the number of vaccine-related spear-phishing attacks increased by 12%. By the end of January, the average number of vaccine-related spear-phishing attacks was up 26% since October.
Sadly, hackers are very opportunistic in the type of organizations they choose to target. For example, losses to healthcare-related scams — attacks that aim to defraud government or private healthcare programs — have increased from $1.1 million in 2019 to $29 million in 2020.
How to protect your organization and employees
- Educate your users by investing in regular security training to improve awareness of the latest threats. Make sure your employees can not only identify these attacks but also know where to report them. Test the effectiveness of your training on a regular basis through simulated attacks and adjust accordingly.
- Invest in dedicated protection against impersonation and BEC attacks that doesn't rely solely on looking for malicious links or attachments. Using machine learning to analyze normal communication patterns within your organization allows the solution to spot anomalies that may indicate an attack.
- Set up strong internal policies to prevent fraud. All companies should establish and regularly review existing policies to ensure that personal and financial information is handled properly. Help employees avoid making costly mistakes by creating guidelines and putting procedures in place to confirm all email requests for wire transfers and payment changes. Require in-person or telephone confirmation and/or approval from multiple people for all financial transactions.
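A minimal illustration of the last two recommendations, added here and not taken from Barracuda or the FBI report: fixed header and wording heuristics (a simple stand-in for the machine-learning analysis mentioned above) flag an impersonated payment request that contains no link or attachment, and every other payment request is routed to out-of-band confirmation. The employee directory, domains, sample messages and function names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory and samples; names and domains are placeholders.
EMPLOYEES = {"dana whitfield": "dana.whitfield@example.com"}
PAYMENT = re.compile(r"wire transfer|bank details|account number|invoice", re.I)
URL = re.compile(r"https?://", re.I)

SPOOFED = (
    "From: Dana Whitfield <dana.whitfield@example-mail.test>\n"
    "Reply-To: accounts@example-pay.test\n"
    "To: finance@example.com\n"
    "Subject: Urgent vendor payment\n"
    "\n"
    "Please send the wire transfer today. New bank details to follow.\n"
)
GENUINE = (
    "From: Dana Whitfield <dana.whitfield@example.com>\n"
    "To: finance@example.com\n"
    "Subject: March invoice\n"
    "\n"
    "The invoice for March is approved for the usual account.\n"
)

def has_link(raw):
    """What a link-only scanner would look at: any URL in the body."""
    return bool(URL.search(message_from_string(raw).get_payload()))

def bec_signals(raw):
    """Header and content signals that need no link or attachment."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    signals = []
    known = EMPLOYEES.get(name.strip().lower())
    if known and addr.lower() != known:
        signals.append("display-name-impersonation")
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != addr.rsplit("@", 1)[-1].lower():
        signals.append("reply-to-domain-mismatch")
    if PAYMENT.search(msg.get_payload()):
        signals.append("payment-request")
    return signals

def triage(raw):
    """Quarantine impersonated payment requests; confirm the rest by phone."""
    s = bec_signals(raw)
    if "payment-request" not in s:
        return "deliver"
    return "quarantine" if len(s) > 1 else "confirm-out-of-band"
```

The spoofed sample passes a link check untouched, yet its sender details alone are enough to hold it; the genuine one still goes to phone confirmation because the policy above covers all payment requests.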
Barracuda offers best-in-class email protection. Visit www.barracuda.com for more information.
Olesia Klevchuk is a Senior Product Marketing Manager for email security at Barracuda Networks. In her role, she focuses on defining how organizations can protect themselves against advanced email threats, spear phishing and account takeover. Prior to Barracuda, Olesia worked in email security, brand protection and IT research.