Despite the headline-grabbing multi-million dollar (or even larger) ransom demands, ransomware may not be the costliest cybercrime. Business e-mail compromise (BEC) is a less-publicized but potentially more lucrative way for criminals to digitally steal money.
First, a warning: statistics on criminal endeavors, whether ransomware (and related extortion) or BEC (and related frauds), are very difficult to gather reliably, and the two crimes are reported very differently. With BEC, there is no ransom demand. Attackers gain unauthorized access to a legitimate business e-mail account and use it to send fake invoices to that business's real customers.
In other words, falling victim to a BEC-like fraud is a more passive form of victimization: a fraud is clearly perpetrated against the victim, who simply made the mistake of trusting someone they shouldn't have. This is emotionally, reputationally, and legally far less risky than making the active choice to pay a ransom demand. As a result, BEC and related frauds may be more likely to be reported than ransomware-like extortion, which information security professionals commonly believe to be vastly underreported.
So why is there discussion about BEC being more costly to organizations than ransomware? “In the US, the Federal Bureau of Investigation has repeatedly found that total money stolen in BEC scams far exceeds that pilfered in ransomware attacks,” researcher Crane Hassold says in The Hacker Gold Rush That’s Poised to Eclipse Ransomware. Hassold is willing to go so far as to predict that ransomware will become less common as criminals go for the easier payday.
While this makes for a provocative headline, whether or not ransomware attacks are actually slowing down depends on whom you ask. This article—Ransomware attacks have dropped. And gangs are attacking each other’s victims—noted that cybersecurity firm KELA published a report “suggesting that the number of significant ransomware victims dropped by approximately 40%” from Q1 to Q4 of 2021. But KELA appears to be in the minority: Sophos and Zscaler have both released recent research that continues to show rising numbers of attacks, especially in the health care sector.