top of page

Welcome to Crime and Justice News

'Business Email Compromise' Losses Far Outpace Ransomware

A kind of cybercrime called “business email compromise" (BEC) is on the rise. Criminals pose as someone a victim trusts, such as their company’s CEO, sometimes by hacking them and taking over their email. The criminals send an urgent message to transfer money, which they then pilfer. BEC regularly tops the FBI’s annual list of costliest internet crimes. In 2021, BEC accounted for about one third of the year’s $6.9 billion in cyber losses — around $2.4 billion, the Washington Post reports. Ransomware lagged behind with just $50 million. An FBI alert said the amount of BEC losses and attempted theft increased as a result of the COVID-19 pandemic, which forced companies to conduct more business virtually. During the second quarter of this year, cybersecurity company Arctic Wolf said the rate of BEC cases it responded to doubled, from 17 percent to 34 percent. BEC is a cybercrime that thrives on volume. “We end up with a situation that is really death by 1,000 papercuts,” said Pete Renals of Palo Alto Networks’ Unit 42, said. Most of what BEC criminals do is “really easy,” and the techniques have been honed over time such that “they’re really just rinsing and repeating at this stage of BEC evolution,” said Ryan Kalember of Proofpoint, said.

It’s not hard to deploy malware that steals access to accounts and sends an email to a victim from that compromised account. Criminals also don’t have to target big companies to be effective, Kalember said. Daniel Thanos of Arctic Wolf Labs, said cybercrime takes advantage of people's sensibilities because they respond to urgency. In cybercrime, criminals are crafty about making the emails look authentic, sometimes using information they found on social media to tailor their messages, Thanos said. Unlike other cyber-related crimes, the victims don’t always know they’ve been hit until much later By the time someone realizes they’ve been scammed by a BEC criminal, the money’s usually long gone. BEC is made up of smaller heists that add up over time which are also less likely to make news. Many thefts might not even get reported. That’s because being the victim of a BEC scam is potentially more embarrassing than suffering a ransomware attack, Renals said. “With business email compromise … that is a very embarrassing story to say, ‘Hey, I got an email from the CEO that told me to transfer money and I did it.’ Nobody wants to own up to that because there’s more of a human aspect there.”


Recent Posts

See All


A daily report co-sponsored by Arizona State University, Criminal Justice Journalists, and the National Criminal Justice Association

bottom of page