FBI says business email theft is now a $43 billion scam

Good morning,

Last week the FBI reported that the amount of money lost to business email compromise (BEC) scams continues to grow each year, with a 65% increase in the identified global exposed losses between July 2019 and December 2021, translating to a total exposed dollar loss of $43,312,749,946.

What is Business Email Compromise (BEC) and why should I care?

BEC scammers employ various tactics such as  social engineering, phishing, and hacking to compromise business email accounts which are then get used to redirect payments to attacker-controlled bank accounts. Crooks target small to  large businesses, institutions, non-profits and middle class individuals – nobody is beyond their reach.

Why care? The success rate for BEC scams is very high. They usually impersonate someone who has the target’s trust, such as business partners or company executives. Often by the time we get the phone call, the funds are long-gone.

The numbers don’t lie. Have a look at the chart below from the FBI’s recently released 2021 Internet Crime Report:


Who are these scammers?

The FBI reported that banks located in Thailand and Hong Kong were the primary international destinations of fraudulent funds. China, which had ranked in the top two destinations in previous years, fell to 3rd place, followed by Mexico and Singapore.

The Takeaway

The FBI has provided guidance on how to defend against BEC scammers:

  1. Use secondary channels or two-factor authentication to verify requests for changes in account information. Don’t assume that the email in your inbox urgently asking for money is legitimate. Call to confirm.

  2. Ensure the URL in emails is associated with the business/individual it claims to be from. It could be just one letter off.

  3. Be alert to hyperlinks within email messages that may contain misspellings of the actual domain name. Rolling over them with your mouse or tap and hold with your phone will show the url.

  4. Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.

  5. Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.

  6. Monitor your financial accounts on a regular basis for irregularities, such as missing deposits.

The FBI advises those who fall victim to BEC fraud to immediately reach out to their bank to request a recall of funds.

They’ve also urged victims to file a complaint with the FBI at BEC.ic3.gov, regardless of the lost amount as soon as possible.

Also, we were featured in a webinar from Proservice that included this topic:

Cybersecurity & Must Do’s for Hawaii Employers

As a panelist, we discussed and shared real world lessons and free resources obtained from the battlefield of real-world cyberattacks on local businesses. There was actually so much content that we ran out of time.

The recording, slide deck and links to resources are all available to you here for free, courtesy of ProService.

Click to view


As always, a pleasure to be of service to the community.

Stay safe out there.

-A