Business email compromise (BEC) is one of the most insidious and financially damaging online crimes, scamming roughly three times as many organizations as malware and slightly more than spear phishing, a new study said.
In a BEC scam, hackers send an email message that impersonates a known source making a legitimate request, such as a recognizable vendor sending an invoice with a new address. C-suite occupants are the favored targets but any employee can be tripped up by the ruse.
What makes BEC attacks so successful is the availability of basic personal information online that can be used against an employee to steal credentials for access to private data, said GreatHorn, a cloud email security provider, in its newly released 2021 Business Email Security Landscape Report based on information provided by 270 IT and cybersecurity professionals.
Business Email Compromise (BEC): More Research Findings
Of the study’s participants, 72 percent had been hit by a BEC attack in the past year, compared to 69 percent victimized by spear phishing and 24 percent infiltrated by malware. Nearly 50% of all BEC attacks result from the spoofing of an individual’s identity in the display name. Among those spear phishing emails, cyber criminals are also using company names (68%), names of individual targets (66%), and the name of boss/managers (53%) to conduct their attacks. Employees are particularly susceptible to clicking on malicious links after recognizing a familiar name or other relevant identifiers that could pertain to their job, GreatHorn said. Some 57 percent of respondents said that malicious links in phishing emails intend to steal credentials, giving cyber criminals full access to confidential information.
Not surprisingly, the pandemic-prompted turn to remote work has given BEC crews a gift of new attack surfaces, said Kevin O’Brien, GreatHorn chief executive. “Cyber criminals want the keys to the castle, which they achieve by stealing credentials,” he said. “To do so they often target C-suite and finance employees as they have the most privileged information available to access. However, no employee is immune to these attacks; they can appear in anyone’s inbox and all it takes is a momentary lapse in judgement from an unsuspecting party to compromise an organization’s security.”
When employees return to physical offices, real person interactions may help reduce the number of successful phishing attacks, officials said. People will be able to more accurately verify the legitimacy of an email, GreatHorn said.
Business Email Compromise (BEC): Statistics to Know
Some key findings from the report:
- 30% of organizations said that more than 50% of links received via email lead to a malicious site.
- 34% said finance-related employees are the most frequent victims of spear-phishing attempts.
- 43% of organizations have experienced a security incident in the last 12 months.
- 35% of organizations said that BEC/phishing attacks account for more than 50% of the incidents.
- 1 out of 4 organizations said that 76% - 100% of malware they detect is delivered via email.
- 39% of organizations experience spear phishing on a weekly basis.
- 65% of IT security pros said their organization has experienced spear phishing in 2021, while 51% say it has increased in the last 12 months.
- 69% of organizations are prepared to handle a cyber attack, and 71% believe their employees are prepared to identify a malicious email.