Scammers use DocuSign API to send fraudulent invoices
CFOs, beware: cybercriminals are exploiting DocuSign’s legitimate business tools to deliver fraudulent invoices directly through trusted channels. This scheme is particularly dangerous …
The FBI’s Internet Crime Complaint Center (IC3) has just revealed that cybercriminals hit Americans harder than ever last year, causing record losses of $12.5 billion. That’s a whopping 22% increase from 2022’s already dizzying total.
According to its latest Internet Crime Report, IC3 says it received over 880,000 cybercrime complaints in 2023, up 10% from the prior year. Both financial losses and cybercrime complaints have risen year-over-year since 2019, painting a grim picture of a threat that’s rapidly escalating.
Let’s look at the four biggest culprits according to the IC3.
This type of scam tactic, one that’s frequently used against finance and accounts payable (AP) teams, was the second costliest type of cybercrime. BEC scams target both businesses and individuals by compromising legitimate email accounts through hacking or social engineering tactics.
Once they gain access, fraudsters impersonate trusted vendors, executives or colleagues to trick employees into making unauthorized transfers of funds. Common BEC tactics include requests for:
Among Eftsure’s database, we’ve seen increasingly sophisticated BEC tactics, including malicious actors infiltrating both the target organization and its vendor. From there, they’ll construct lengthy, organic-looking email chains and communications. AI is turbo-charging these tactics, with invoice swapper tools helping scammers scale their efforts and complex deepfakes deceiving staff into making fraudulent payments.
In 2023, the FBI logged 21,489 BEC complaints totaling over $2.9 billion in losses. But what’s especially concerning is how tactics are evolving. Last year, scammers began dispersing stolen money through cryptocurrency exchanges and third-party payment processors more frequently. By having targeted individuals send funds directly to these platforms, the money can be quickly cashed out before theft is detected.
With BEC actors adopting these harder-to-trace methods, the FBI stresses that using multi-factor authentication to secure accounts is now vital. Organizations should also implement procedures to independently verify any payment or purchase requests outside of email. The more layers of verification you require, the lower your risks – and the right processes and tech solutions can help standardise these additional layers without compromising team efficiency or productivity.
For instance, additional verification might include calling known or independently sourced numbers (that is, numbers that are not listed in the potentially compromised email) to authenticate requests. Other best practices include carefully examining email addresses, URLs and spelling for any red flags before clicking links or responding.
While BECs might be a more urgent risk for organizations and their finance teams, investment scams still topped the overall list as the costliest cybercrime in 2023. With crypto scams up 53% and accounting for $3.94 billion in losses, investment fraud took a massive $4.57 billion toll. Tactics like fake websites and “pump and dump” stock manipulation fueled this crime category’s 38% overall increase.
Ransomware remained a potent threat in 2023, with incidents rising 18% over 2022 levels according to 2,825 complaints received by the FBI. While slightly fewer cases than the peak levels seen in 2021, reported losses jumped a staggering 74% to over $59.6 million.
Ransomware is a particularly insidious form of malware that encrypts an organization’s data, rendering it completely unusable. Criminals then demand payment to provide a decryption key and restore access. Increasingly, ransomware gangs also steal sensitive data and threaten to publicly leak it if their ransom isn’t paid.
The rise in losses reflects how ruthlessly these cybercriminal groups have escalated tactics. The FBI has observed deploying multiple strains of ransomware against single victims, as well as using destructive data-wiping malware to increase pressure on organizations to pay up.
No sector was safe from ransomware’s crosshairs in 2023. Out of 16 nationally critical infrastructure categories, 14 had members hit by ransomware incidents last year according to the FBI. Some of the most prevalent strains included LockBit, ALPHV/BlackCat, Akira, Royal and Black Basta.
While $59.6 million in reported losses is staggering, it likely only scratches the surface. Many organizations choose not to disclose ransomware incidents, so the true total is almost certainly far higher.
Posing as legitimate companies, fraudsters scared victims into paying for bogus computer repair services. This widespread scheme disproportionately targeted older adults, leading to over $1.3 billion in losses.
These grim totals represent only known cybercrime losses reported to the FBI – the actual scope is undoubtedly much larger. Many incidents go undetected or unreported each year.
While the losses seem bleak, there were victories too. The FBI’s Recovery Asset Team (RAT) works with financial institutions to trace and freeze funds stolen through cybercrime.
In 2023 alone, RAT recovered a whopping $50 million lost in a major BEC scam by a New York organization. They also clawed back a $426,000 BEC theft targeting a Connecticut company and froze nearly $45 million tied to various internet crimes.
Still, many losses go unrecovered, and the risks for organizations aren’t just financial. Falling victim to scams or cybercrime also carries serious operational and reputational risks, not to mention damaged relationships with customers or vendors.
Fortunately, there are steps leaders can take to lower those risks. There’s no single panacea, of course – in fact, leaders will need to look for multi-faceted solutions that encompass everything from the right culture to the right processes. In general, there are three main areas to consider.
CFOs, beware: cybercriminals are exploiting DocuSign’s legitimate business tools to deliver fraudulent invoices directly through trusted channels. This scheme is particularly dangerous …
Because LinkedIn is used as a professional networking platform, account holders don’t use the same caution as they would on Facebook or …
US construction and government sectors lost $7.7 million in BEC scams. Learn how fraudsters exploited financial controls and how finance leaders can protect their organisations.
End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.