Hackers Use More Sophisticated Scams to Drive Costly Data Breaches, Analysis Finds

sesame/Getty Images

Criminals are using more sophisticated methods, including virtual meeting services, to take advantage of compromised business emails and accounts for financial gain.

Data breaches targeting business emails are the most financially lucrative for criminals, costing victims more than $7.5 billion from 2017-2021, according to a five-year analysis of data from the FBI's Internet Crime Complaint Center—or IC3—conducted by Forbes Advisor.

These reported breaches included both business email compromises and email account compromises—BECs/EACs—and impacted 94,814 victims in total over the reviewed time period. 

According to the IC3’s 2021 Internet Crime Report, BEC/EAC scams continue to evolve as criminals become more sophisticated in response to preventative cybersecurity measures. Rather than just spoofing email addresses and asking recipients to wire funds to bank accounts, fraudsters are now using third-party platforms to add a veneer of legitimacy to their requests after compromising email accounts.  

“These schemes historically involved compromised vendor emails, requests for W-2 information, targeting of the real estate sector and fraudulent requests for large amounts of gift cards,” the IC3 report said. “Now, fraudsters are using virtual meeting platforms to hack emails and spoof business leaders’ credentials to initiate the fraudulent wire transfers.”

IC3 attributed the rise in BEC/EAC data breaches through virtual meeting services to the increase in teleworking, as a result of the coronavirus pandemic. By compromising the email accounts of senior staffers who would typically request employees to participate in virtual meetings, criminals were able to deceive employees into sending them money.

“In those meetings, the fraudster would insert a still picture of the CEO with no audio, or a “deep fake” audio through which fraudsters, acting as business executives, would then claim their audio/video was not working properly,” the IC3 report said. “The fraudsters would then use the virtual meeting platforms to directly instruct employees to initiate wire transfers or use the executives’ compromised email to provide wiring instructions.”

The IC3 report noted that these fraudulently obtained funds are “often immediately transferred to cryptocurrency wallets and quickly dispersed, making recovery efforts more difficult.” 

From 2017-2021, the Forbes Advisor analysis found that data breaches impacted more than 2 million Americans and resulted in almost $20 billion in financial losses. While these breaches happened all across the country, California residents suffered the most data breaches over the five-year period, with a reported total of 325,291 victims losing more than $3.7 billion. Almost one-third of the money stolen from data breach victims in California, approximately $1.2 billion, came from compromised business emails and email accounts.