In cybersecurity, knowledge is everything. From APT intelligence to zero-day vulnerabilities, relevant and timely information can be the difference between a thwarted attack and a total disaster. With Business Email Compromise (BEC) attacks at their zenith, there has never been a better time for a comprehensive BEC report. As such, Fortra has released its 2023 BEC Trends, Targets, and Changes in Techniques Report. So, without further ado, let's dive into the report's key findings and what we should learn from them.
BEC attacks are more common than ever
In 2023, the volume of nefarious emails impersonating enterprises reached a staggering crescendo, with attacks such as BEC making up 99% of reported threats. Historically, most of the threats reported in user inboxes have been BEC attacks, but 99% represents by far the highest share since Fortra began tracking this data point.
Considering this intelligence, organizations must implement a security awareness training program to ensure their staff are well placed to identify and flag potential BEC attacks. The unprecedented prevalence of BEC attacks means that, essentially, they are not a risk but an inevitability. Organizations must provide their employees with the necessary skills and information to recognize and alert security teams to the warning signs of a potential BEC scam.
Cybercriminals are innovating BEC tactics
Traditionally, BEC scams impersonate an organization's CEO or high-level executive to fool victims into facilitating a major financial transaction. However, threat actors have begun to change their tactics, expanding their target list to include vendors associated with the intended victim. By compromising a third-party or business partner, cybercriminals can target larger organizations with realistic emails containing key insider information, significantly increasing the legitimacy of an attack and the likelihood of success. Similarly, cybercriminals have begun to utilize generative AI to craft well-written, mistake-free emails that are more likely to fool victims.
Interestingly, while wire transfers made up only 4% of the preferred cash-out methods, in Q1, cybercriminals moved away from asking for a specific payment. Instead, attackers ask the victim to provide "the outstanding balance" or "owed amount", attempting to redirect payment of an unpaid invoice that has been partially or fully approved by internal stakeholders.
These developments are yet another example of how important regular security awareness training is. It is not enough to provide security awareness training upon hiring an employee or once a year; organizations must administer training regularly to reflect the current threat landscape.
Hybrid vishing is on the rise
Hybrid vishing attacks, which use phone numbers and the stolen intellectual property of trusted brands to evade gateways and convince users of their legitimacy, make up for 45% of all reported Response-Based threat types. These attacks primarily impersonated online financial services brands such as PayPal and digital security software such as Norton or McAfee products. If the victim calls the phone number, the criminal will attempt to monetize the attack through identity theft, credit card fraud, or a malware implant.
Again, organizations must empower their employees to identify and thwart hybrid vishing attacks with cybersecurity awareness training. Hybrid vishing is a relatively new attack technique, and it is likely that an organization's staff will be neither aware of it nor how to thwart it.
Credential theft is making a comeback
Despite falling in the second half of 2022, credential theft led all email impersonation threat types in Q1 2023. The Microsoft O365 phish drove this increase, experiencing the largest quarter-over-quarter jump in share (10%) since Fortra began reporting this datapoint, making up nearly 41% of all credential theft phishes. Most modern organizations use the Microsoft Suite in some capacity, meaning users are pre-conditioned to trust emails from Microsoft, helping cybercriminals obfuscate their attacks.
Although it's difficult to convey, organizations must impress upon their staff that the brands they trust the most are inherently the least trustworthy. Again, this can only be achieved through effective security awareness training.
Fortra's 2023 BEC Trends, Targets, and Changes in Techniques Report reveals the alarming surge in Business Email Compromise (BEC) attacks, constituting 99% of reported threats. Cybercriminals are innovating tactics by targeting vendors and utilizing generative AI. Hybrid vishing and credential theft are also on the rise. Organizations must prioritize regular security awareness training to empower their staff to identify and thwart these evolving threats. The report serves as a crucial reminder that knowledge and proactive measures are paramount in safeguarding against cybersecurity risks in today's increasingly perilous digital landscape.
Click here to learn more about BEC threats in 2023.