May 09, 2023

FBI and AFP Reports Warn Business Email Compromise Remains a Threat


Michael W. Kahn




Two recent reports spotlight the fact that fraudsters remain hard at work, and that vigilance remains an absolute must.

First, the FBI’s 2022 Internet Crime Report, released this year, shows business email compromise (BEC) “has evolved from simple hacking or spoofing of business and personal email accounts and a request to send wire payments to fraudulent bank accounts.” 

“More recently, fraudsters are more frequently utilizing custodial accounts held at financial institutions for cryptocurrency exchanges, or having victims send funds directly to cryptocurrency platforms where funds are quickly dispersed,” the report said. 

Additionally, the FBI found “an increasingly prevalent tactic by BEC bad actors of spoofing legitimate business phone numbers to confirm fraudulent banking details with victims.”

“With this increased tactic of ‘spoofed’ phone numbers it emphasizes the importance of leveraging two-factor or multi-factor authentication as an additional security layer,” the report said.

The FBI’s Internet Crime Complaint Center (IC3) received 21,832 BEC complaints last year, with losses exceeding $2.7 billion. Those are respective increases of 9.4% and 12.5% from 2021. 

Ransomware attacks fell 36%, with losses down 30%. But Timothy Langan, FBI Executive Assistant Director, said to take that with a grain of salt.

“While the number of reported ransomware incidents has decreased, we know not everyone who has experienced a ransomware incident has reported to the IC3. As such, we assess ransomware remains a serious threat to the public and to our economy,” Langan wrote in the report.

Overall, in 2022 IC3 received 800,944 complaints of cybercrimes, a 5% decrease from 2021. “However, the potential total loss has grown from $6.9 billion in 2021 to more than $10.2 billion in 2022,” Langan noted.

Meanwhile, the Association for Financial Professionals (AFP) recently released its 2023 Payments Fraud and Control Survey Report, which found checks continue to be the most vulnerable payment method.

According to AFP, 63% of respondents said their organization faced attempted or actual check fraud last year. While that number is down slightly, the report said a contributing factor is the shift from checks to electronic methods for business-to-business (B2B) payments. Nacha earlier reported an 11.8% increase in B2B volume on the ACH Network from 2021 to 2022.

Checks were by far the payment type most subject to fraud, with corporate/commercial credit cards a distant second at 36%, followed by wire transfers at 31%, and ACH debits and credits at 30% each.

The AFP report also provided evidence that BEC remains a problem, with 71% of organizations experiencing an attempted or actual BEC attack in 2022. That’s up 3 percentage points from 2021, but still off the 2018 high mark of 80%.

Overall, AFP found 65% of organizations were victims of either attempted or actual fraud activity, which it said is the smallest percentage since 2014. “Although this figure is lower than fraud reported in recent years, it is still a significant share with two out of three companies continuing to be victims of fraud attacks,” the report pointed out.

Of companies with annual revenue of at least $1 billion and fewer than 26 accounts, AFP said 58% had ACH credits targeted by fraudsters. That highlights the shift toward credit-push fraud, the focus of Nacha’s new Risk Management Framework for the Era of Credit-Push Fraud, which is available as a free PDF download.