64X greater damage than familiar data breaches
Ransomware is often top-of-mind when you discuss cybersecurity threats with just about anyone in any industry. The threat of having all your business data stripped away and held under virtual lock and key until a hefty ransom is paid can give many an executive a sleepless night. However, there is another subtler, yet even more pernicious, form of cyberattack that ranks even higher on the damage index when it comes to the toll it takes on an organization.
Business email compromise (BEC) scams are quickly gaining notoriety as a massive and growing threat that must be taken at least as seriously as ransomware, if not more so. As the name suggests, these sophisticated scams compromise a legitimate business email account through either social engineering or a data breach. Once this is accomplished, the account is typically used to convince victims to transfer funds from the business to the attacker, though it may also be used for other purposes until the intrusion is detected.
How bad are BEC scams?
In 2021 alone, the FBI’s Internet Crime Complaint Center (IC3) received almost 20,000 business email compromise (BEC) reports with a total collective loss of nearly $2.4 billion.[1] That is a big jump from the previous year’s $1.8 billion in business losses.
A successful BEC campaign costs, on average, $5.96 million per incident, including payouts, containment efforts, lost business revenue, and so on.[2] The cost can reach a maximum of $8.12 million, with the payout to attackers averaging $1.17 million.
So while ransomware often dominates the headlines and creates a spectacle whenever it takes down another business, BEC attacks rank far higher in severity. Against the BEC figures above, IC3 received only 3,729 ransomware complaints in 2021, with reported losses of $49.2 million.
In other words, BEC attacks are 64X worse than ransomware!
How does BEC work?
To defend against BEC, the first step is to become aware of the different strategies cybercriminals use to perpetrate it. Phishing, for instance, is often the initial foray used to breach email accounts before a full BEC attack is carried out. Some of the more popular approaches, and the companies most often impersonated in phishing lures, include:
- PayPal phishing
- Amazon phishing
- FedEx phishing
- LastPass phishing
- Walmart phishing
- Walgreens phishing
- USAA phishing
Beyond phishing, attackers craft emails, texts, or professional-looking messages that impersonate a company executive, third-party vendor, or similar party in order to contact colleagues or business partners and request fund transfers.
The success rate of BEC scams is so high because the email address being used is actually legitimate, so its source raises far fewer red flags. Even people who are vigilant in detecting other scams can be taken in by a seemingly innocent, authorized message from a known person in the business. The intruder can also mine the account’s personal profile information to better masquerade as the original user.
Other tactics include using a hijacked email account to spread malware further through the business network, extend the breach into the accounts of peers, partners, and third parties, or steal sensitive data for further exploitation. Attackers have gone so far as to use Zoom meetings and deepfake avatars to impersonate the compromised user and lend themselves even more legitimacy.
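As an added example that is not part of the original article, the Python triage function below applies the defender-side checks that follow from the impersonation tactics described above: an executive’s display name paired with an address outside the organization, a Reply-To pointing at a different domain, and payment-request wording in the subject or body. The internal domains, executive roster and sample message are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data: the organization's own domains and a roster of
# executives whose names BEC lures commonly borrow.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}
PAYMENT_TERMS = ("wire", "transfer", "invoice", "urgent", "bank details", "gift card")

def _name_key(display_name: str) -> str:
    """Case-fold a display name and sort its words so 'Doe, Jane' matches 'Jane Doe'."""
    return " ".join(sorted(re.findall(r"[a-z]+", display_name.casefold())))

def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].casefold() if "@" in address else ""

def triage(raw_message: str) -> dict:
    """Return the BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", sender))
    findings = []

    roster = {_name_key(name): addr.casefold() for name, addr in EXECUTIVES.items()}
    expected = roster.get(_name_key(display))
    if expected and sender.casefold() != expected:
        findings.append("executive display name with unexpected sender address")
    if expected and _domain(sender) not in INTERNAL_DOMAINS:
        findings.append("executive display name from external domain")
    if reply_to and _domain(reply_to) != _domain(sender):
        findings.append("Reply-To domain differs from From domain")

    # Payment wording is scored on its own: mail sent from a genuinely
    # compromised internal account passes every header check above.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".casefold()
    hits = [t for t in PAYMENT_TERMS if t in text]
    if len(hits) >= 2:
        findings.append("payment-request wording: " + ", ".join(hits))
    return {"from": sender, "reply_to": reply_to, "findings": findings}

# Constructed sample lure in the style the article describes.
SAMPLE_MESSAGE = """\
From: "Jane Doe" <jane.doe.ceo@mail.example.net>
Reply-To: jd.office@lookalike.example.org
To: accounts@example.com
Subject: Urgent wire transfer

Please process the attached invoice by wire transfer today and reply with
the bank details confirmation.
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGE)["findings"]:
        print("-", finding)
```

Because a message sent from a truly compromised internal account passes the header checks, only the wording score can flag it; that case needs review of the request itself, which is exactly what the awareness training discussed below is for.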
A plague on remote work
Unfortunately, organizations that have transitioned to more remote workforces are being hit hardest by BEC attacks. One factor is simply the larger volume of email used to run virtual teams, which makes it easier to miss a suspicious message, especially one that appears to come from a legitimate coworker the recipient talks with frequently.
In the end, awareness training and immediate reporting of any suspicious content or activity are the primary steps companies can take to raise the alarm about BEC scams. These sophisticated and subtle attacks will continue to wreak havoc on organizations until better employee security training and email management policies are put in place, coupled with more effective anti-spam and authentication software. As with most cybersecurity threats, the human element remains any organization’s most vulnerable point.
1. FBI, Internet Crime Complaint Center Annual Report 2021, https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
2. Ponemon, “Phishing costs have tripled since 2015,” 2021, https://ponemonsullivanreport.com/2021/08/