Cyber attackers are increasingly using social engineering tactics to lure employees into opening malicious emails and being tricked into providing login credentials, updating bank account information and paying fraudulent invoices, Abnormal Security, an email security provider, said in a new study.
Most Email Attacks Go Unreported
The median open rate of text-based business email compromise ruses was roughly 28% in the period July-December 2022. Of the emails that were read, about 15% were replied to, Abnormal said. While less than 1% of email recipients engaged with more than one attack, 36% of replies were initiated by employees who had engaged with an earlier attack.
In perhaps the most important finding of the study, 98% of attacks are not reported to the organization’s security team.
The volume of BEC attacks is spiking, most likely because it works. Over the past two halves, BEC attack volume grew by more than 81%, and over the past two years, it increased by 175%, Abnormal said.
As Crane Hassold, director of threat intelligence at Abnormal, explained:
“Human beings are relatively easy to manipulate, and employers’ expectations regarding the ability of the average employee to identify these modern attacks are far too high. It is much safer to prevent a threat from reaching an employee’s inbox than to rely on them to try to detect these sophisticated attacks on their own.”
More From the Report
Additional findings from the report include:
- Only 2.1% of known attacks are reported to the security team by employees, and 84% of employee reports to phishing mailboxes are either safe emails or graymail.
- Employees in entry-level sales roles with titles like sales associate and sales specialist read and reply to text-based BEC attacks 78% of the time.
- Between the first and second half of 2022, BEC attacks targeting SMB organizations grew by 147%.
- Nearly two-thirds of large enterprises experienced a supply chain compromise attack in the second half of 2022.
Commenting on the report, Mike Britton, chief information security officer at Abnormal, said:
“One of the biggest challenges with email attacks is that your employees have to be correct every time whereas threat actors only have to be successful once. While educating employees about potential threats can certainly help reduce the risk of them engaging with a malicious email, the most effective way to prevent attacks is by investing in an email security solution that ensures threats are never delivered in the first place.”