BEC Attacks: Can You Stop the Imposters in Your Inbox?
If asked which of the threat types tracked by the FBI causes the most financial damage, most people would say ransomware.
They’d be wrong.
In 2021, the FBI’s Internet Crime Complaint Center (IC3) received 19,954 Business Email Compromise (BEC) reports, with adjusted losses totaling almost $2.4 billion. That’s an average of more than $120,270 per incident, compared with just under $13,200 per incident for ransomware attacks.
Since the FBI began tracking these threats in 2013, tens of billions in financial losses have been recorded, resulting from nearly 170,000 incidents in 178 countries.
So why hasn’t this threat risen to the notoriety of ransomware?
During many ransomware attacks, business operations grind to a halt. When a company loses access to customer information, payment systems and mission-critical applications, it often becomes clear in short order that something is wrong.
But BEC attacks are comparatively silent. Even when these attacks have a huge impact on an organization’s bottom line, operations can generally continue as usual. As a result, businesses frequently opt to keep these attacks out of the public eye to avoid risking reputation damage and loss of trust.
But although ransomware still dominates security news, the growing frequency, volume and cost of BEC attacks have begun attracting more attention.
As a result, BEC attacks have become a top threat concern for many organizations today, according to a recent SonicWall-sponsored white paper by Osterman Research. “How to Deal with Business Email Compromise” reports primary research data from an in-depth customer survey of 119 respondents, each of which has direct knowledge of how their organization is addressing or planning to address the risk of BEC.
The results from this study offer a look at how security influencers and decision-makers are taking BEC into account when formulating their spending plans for the next 12 months. For example, while just 46% of organizations said they considered protecting against BEC attacks “important” or “extremely important” 12 months ago, 76% said they considered it important or extremely important today.
Organizations indicating that protecting against BEC attacks in 2023 is of high importance
The data also shows that three-fifths of organizations in the study view protecting against BEC attacks as one of their top five security priorities.
Organizations ranking protecting against BEC attacks as one of their top five priorities.
How BEC Attacks Fly Under the Radar
But what makes BEC attacks so dangerous when compared with other forms of cyberattacks? And why are they harder to stop?
BEC is a specialized type of phishing attack that relies on social engineering. They often use a proven pretexting technique to engineer a quick introduction and establish a believable scenario in order to manipulate the victim to take a specific action.
While these attacks can target employees at any level of an organization, they generally start with an attacker impersonating a person with authority, such as a CEO or CFO, a manager, or a supplier. The attacker uses the authority figure’s identity to start a chain of plausible (but fake) requests to gain monetary payment. This typically involves instructing someone in accounts payable, someone in HR or even someone with a company credit card to pay a fake invoice, transfer funds, send gift cards or make payroll payouts. The urgent tone of these messages encourages the victim to respond or act quickly, bypassing any checks and balances that may be in place.
Compared with other forms of cyberattacks, BEC attacks are among the hardest to detect because the threat signals are far less obvious. Relying on trickery and impersonation, the approach is very subtle, and the actual delivery generally doesn’t use weaponized URLs or malicious attachments, which are easily detected.
In addition, the email content and the delivery mechanism are usually of higher quality and often tailored to target a specific person or persons. With little to no apparent sign of a threat, these messages can bypass most email security filters to reach the inbox — and the absence of any sort of alert, such as a contextual warning advising them to exercise caution, leaves the victim more vulnerable to falling for the scam.
Because so many of these scams are successful, their use has grown dramatically — today, roughly 80% of companies targeted by BEC attacks each year. While there isn’t much you can do to avoid being targeted, there’s plenty you can do to safeguard your organization’s finances. To learn more about BEC attacks and how to stop them, check out our webinar, “Can You Stop the Imposters in Your Inbox?”