Businesses lost an extra $500 million from email scams last year. Here’s how
The Federal Bureau of Investigation is warning that business email scams are on the rise, despite the fact that hackers continue to use a variation of the same playbook every year.
Last year, 23,775 business email scams were reported, amounting to $1.7 billion in losses of both money and time, according to the FBI’s 2019 Internet Crime Report that was released this week. That’s a significant uptick from the $1.2 billion in losses and 20,373 reports made in 2018.
It all starts with an email that appears legitimate: A company employee emails HR to ask that their direct deposit details be changed before payday, or a vendor asks for invoice payments to be made to a new account. The money instead goes to a pre-paid card account, where the hacker can access the windfall. Hackers have also been known to target individuals through spoofed emails, posing as an authority and requesting they purchase gift cards for personal or business reasons.
Donna Gregory, chief of the FBI’s Internet Crime Complaint Center, known as IC3, said criminals aren’t focusing on new scams and are instead getting better at executing on old tricks.
“Criminals are getting so sophisticated,” Gregory said in a statement. “It is getting harder and harder for victims to spot the red flags and tell real from fake.”
The FBI report referred to the business email compromise trick as a “trending” scam, and for good reason. The FBI’s Internet Crime Complaint Center received 467,000 complaints last year about cyber crime, ranging from business scams to romance scams to lottery scams, for a total of $3.5 billion in losses.
While the business email scam accounts for just 5% of those reports, its losses of $1.7 billion show how it’s among the most lucrative scams for hackers.
It’s not just the financial value that is lost; businesses also lose valuable time reporting and managing the clean-up after they’ve been scammed.
“I think there is certainly some shame and embarrassment associated with it, but more companies are realizing they need to take action” and report these crimes, Kevin Lee, an Internet fraud expert and trust and safety architect at security company Sift, told Fortune.
“Businesses are stuck between a rock and a hard spot when it comes to these bad actors,” he said.
The good news is that the FBI is getting even better at tracking down criminals and, in some cases, recouping money from scammers. Last year, the FBI’s Recovery Asset Team helped to get back more than $300 million for cyber crime victims by working with financial institutions.
In a February 2019 case, an unidentified business victim was duped by a spoofed email to wire funds to a fraudulent bank account in Florida. The FBI worked with the bank to freeze the funds. When the scammer tried to withdraw the money, they were asked to show documents to prove why they received the money. When the account holder was unable to offer proof, they were arrested by Fort Lauderdale, Fla. police.
Lee, the Internet fraud expert, said 2019 was another “banner year” for cybercrime, but 2020 will likely be even bigger. Companies can educate employees, use two-factor authentication and automated security software to mitigate threats, but nothing will ever be foolproof. That’s why increased reporting is so important.
“We aren’t dealing with theoretical stuff anymore. You see it in the news all the time. Part of it is social responsibility,” he said. “From a reporting standpoint, there is more diligence there when something is wrong. Companies are raising their hand.”