Business Email Compromise – the most expensive email attack
BEC is much more dangerous and costly than phishing
BEC is mostly used for invoice or payment fraud
Business Email Compromise (BEC) is yet another attack tactic that has been on the rise over the last several years. According to several studies and researchers, among them the FBI's Internet Crime Complaint Center (IC3), BEC is one of the most lucrative attacks for cybercriminals. According to IC3 figures, losses from BEC scams amount to $1.8 billion in the US alone, a fourfold increase compared to 2016. Statista likewise reports that the number of BEC attacks grows every year.
BEC vs Phishing
Business Email Compromise is often confused with phishing because of the obvious similarities: both are delivered by email, and both rely on impersonation to lure their victims. There are, however, key differences that make BEC much more dangerous and costly than ordinary phishing. The main one is the action the attacker wants the victim to take.
Phishing typically aims at luring people into activating malicious content or sharing credentials, through fake websites, active file attachments and the like. This is why phishing is somewhat easier to identify, detect and block: automated security tools have mature methods for categorising malicious files and suspicious links, even though criminals keep getting more creative over time.
In the case of Business Email Compromise, however, nothing in the email looks suspicious or dangerous. Most often, BEC is used for invoice or payment fraud. The attachment really is "clean", typically an ordinary-looking invoice, but it tricks the user into wiring money to a bank account controlled by the fraudster. Most technologies have no mechanism for detecting this kind of impersonation, so it falls to people to do it. Spotting such a scam is hard unless you know what to look for, which is why it is essential to train and prepare employees to recognise these emails and act accordingly. Awareness and preparation alone are not enough, though: people make mistakes, and these mistakes can be very costly. According to research, the average amount requested via wire transfer in BEC attacks nearly doubled in 2020, from $48,000 in the third quarter to $75,000 in the fourth.
It is absolutely mandatory to conduct continuous and effective cyber security awareness training with employees. But even then, people are prone to making mistakes when under stress or outside their comfort zone. Most BEC attacks are highly targeted, and the criminals invest a lot of effort in researching the victims: their habits, their behaviour, the company's business cycles, and so on. That makes it relatively easy for them to pick the right moment for the attack, when the person is distracted or under pressure.
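To make the impersonation signals concrete, here is an added example of the kind of heuristic check a mail gateway or SOC script can run on a message before it reaches the recipient. It is not code from the original page or from GBS. The protected domain (example.com), the executive list, the payment vocabulary and the three sample messages are all constructed assumptions; a real deployment would take them from the organisation's directory and mail flow.

```python
"""Heuristic impersonation checks for BEC-style mail.

Added example, not code from the original page or from GBS. It assumes a
hypothetical protected domain, a small VIP list and constructed sample
messages; all three are stand-ins for real configuration and real mail.
"""
import email
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                          # assumption: protected organisation
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}   # assumption: VIP display names
PAYMENT_TERMS = ("wire", "bank account", "invoice", "payment", "iban", "urgent")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, target: str, threshold: float = 0.8) -> bool:
    """True when `domain` closely resembles `target` but is not identical."""
    if not domain or domain == target:
        return False
    return SequenceMatcher(None, domain, target).ratio() >= threshold


def score_message(raw: str):
    """Return (verdict, findings) for one RFC 5322 message given as text."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = domain_of(addr)

    signals = []  # impersonation indicators, independent of what is requested
    # 1. An executive's display name on an address that is not their real one
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        signals.append(f"display name '{name}' on foreign address {addr}")
    # 2. A sender domain that merely resembles ours (typo or homoglyph domain)
    if is_lookalike(from_dom, OUR_DOMAIN):
        signals.append(f"lookalike domain {from_dom}")
    # 3. A Reply-To that diverts the conversation to another domain
    if reply_addr and domain_of(reply_addr) != from_dom:
        signals.append(f"Reply-To diverts to {reply_addr}")

    # The request itself: payment or bank-detail language in subject or body
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    text = text.lower()
    hits = [term for term in PAYMENT_TERMS if term in text]

    findings = list(signals)
    if hits:
        findings.append("payment language: " + ", ".join(hits))
    if signals and hits:
        verdict = "suspicious"  # impersonation plus a money request
    elif signals:
        verdict = "review"      # typical first-contact probe, no request yet
    else:
        verdict = "clean"       # payment talk from a verified sender is normal
    return verdict, findings


# Constructed samples (not real mail): a payment-fraud attempt, a legitimate
# internal request, and the "are you at your desk?" opener that often precedes
# the actual money request.
BEC_SAMPLE = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "Reply-To: Jane Doe <ceo.jane.doe@gmail.com>\n"
    "To: accounts@example.com\n"
    "Subject: Urgent - supplier bank details update\n"
    "\n"
    "Hi, our supplier changed their bank account. Please wire the open invoice\n"
    "to the new IBAN today; I am in meetings and cannot take calls.\n"
)
LEGIT_SAMPLE = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: accounts@example.com\n"
    "Subject: Q3 supplier invoice\n"
    "\n"
    "Please process the attached invoice for payment by Friday.\n"
)
PROBE_SAMPLE = (
    "From: Jane Doe <jane.doe.office@gmail.com>\n"
    "To: accounts@example.com\n"
    "Subject: Quick question\n"
    "\n"
    "Are you at your desk? I need you to handle something discreetly.\n"
)

if __name__ == "__main__":
    for label, sample in (("bec", BEC_SAMPLE), ("legit", LEGIT_SAMPLE), ("probe", PROBE_SAMPLE)):
        print(label, *score_message(sample), sep="\n  ")
```

The three checks are deliberately cheap, and the similarity threshold shows why naive rules misfire: a partner at example.org scores above 0.8 against example.com and would be flagged, which is exactly the false-positive problem the next section raises. In practice the lookalike check needs an allowlist of known partner domains, and the VIP list should come from the directory rather than a hand-written table.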
What can be done to prevent Business Email Compromise?
Enforcing predefined rules in such complex scenarios is rarely effective, and automated algorithms typically produce many false positives. The innovative GBS technology can help customers address this problem effectively. Our software solution provides the flexibility needed to tailor it precisely to each customer's specific business processes and security policies.
Join our webinar (held in German) "The invisible threats to your email communications – 3 recent examples" to find out which security mechanisms you can use to protect your e-mail communication from cyber threats.
Author: Pavel Yosifov