Today’s BEC attacks are more nuanced, more accessible, less technically demanding, and consequently, more dangerous than ever before. In our report, 2023 BEC Trends, Targets, and Changes in Techniques, we take a hard look at the anatomy of Business Email Compromise (BEC) attacks today and the lures that are drawing users to the bait in record numbers.
The Popularity of BEC Attacks
Nefarious email impersonations like BEC now account for nearly 99% of all reported threats, per our recent findings. According to the most recent FBI Internet Crime (IC3) Report, BEC accounted for $2.7 billion dollars in adjusted losses annually. By comparison, ransomware cost a ‘paltry’ 34 million. That means BEC costs more than ransomware (the industry “boogeyman”) by a factor of nearly 79 times. No wonder BEC scams skyrocketed by 81% in 2022 (the year of the IC3 report).
Cybercriminals have flocked to our inboxes in even greater numbers as sophisticated network and endpoint solutions have proven hard to crack. While that’s one point for modern security architecture, it makes protecting open-door areas like email that much harder. What is the key benefit of compromising an enterprise through email? Anyone can be on the receiving end, and more often than not, “anyone” doesn’t know the tell-tale signs of attack.
To clarify, email impersonation attacks are social engineering emails that can rely on well-crafted communication or contain virtually no content at all. While they do not always (and often don’t) include a malicious link or attachment, they do provide a link, email address, or phone number so that the user can communicate with the sender. Attempting to seem as normal as possible, they lean heavily on stolen branding (logos, images) to fake authenticity.
Leveraging data from Fortra’s Agari and PhishLabs solutions, we were able to come to the following conclusions about BEC attacks and other email impersonation threats today. These trends serve as sobering indicators of what organizations can expect in the year ahead.
- Corporate inboxes face an onslaught of attacks. No less than a quarter of all reported emails fell into the “malicious” or “untrustworthy” category, and of those, nearly all were email impersonation attacks. Within that category, BEC attacks garnered the greatest share of losses and accounted for 14% of all impersonation attack activity.
- Email impersonations are the hardest to block. Anyone can send an email, and it no longer takes a malware attachment or malicious link to get the payload. All it takes is a clever guise, and the unwitting employee could call you, offering up their personal information to “update their Windows account.” This makes it nearly impossible for traditional email security solutions to catch signs of nefarious activity, and email impersonation attacks are the top threats making it past Secure Email Gateways. As pure-play social engineering messages have managed to slip by defenses, they have gradually overtaken malicious links and attachments in overall volume.
- BEC actors: “Now intercepting payments”. Now, attackers are performing man-in-the-middle(esque) attacks by intercepting payments traveling to legitimate vendors. These bad actors will pose as XYZ company and offer a friendly payment reminder about their upcoming bill. Want to make it easier? Click this link to be routed to a pay-now option. After the transaction, the organization will have paid – but to the wrong party. Watch out for emails asking for the “outstanding balance” or the “owed amount.” Actual companies know how much you owe and aren’t afraid to tell you; vague language can be a red flag for fraud.
- Let’s go Office 365 Phishing. In Q1 of this past year, phishing attacks targeting Office 365 credentials doubled in number. While not new, the increase in this type of attack is largely attributed to the wide availability of toolkits made for the purpose; with little experience or sophistication, low-skill hackers can perform Microsoft 365 attacks at a speed and scale (and success rate) unavailable to them before. The bar has been lowered for attackers looking to attack the popular software platform, and attacks have trended upward consistently over the past year.
- Hybrid vishing takes the lead. Incredibly, this past year saw hybrid vishing overtake BEC and the ever-popular “419 scams” for the top spot, making up more than 45% of response-driven attack volume. Defined as phishing that uses both email and telephone communication to execute attacks, hybrid vishing relies on the additional layer of trust established by one-on-one communication between the victim and threat actor. These attackers pose as customer service representatives, legitimizing the bogus email that preceded them and taking more and more users in their snare. The results can be anything from stolen PII to pilfered credit card credentials to malware delivery.
Email impersonation threats like BEC are changing the game and altering how organizations secure their inboxes. Because traditional antivirus and email security tools so easily miss them, these attacks require companies to invest in technology that can spot bad behaviors in the act. This is achieved through machine learning algorithms that can recognize anomalies, make predictions, and block harmful patterns of attack.
To view the full report, click here.