Business email compromise (BEC), a type of spear-phishing attack that targets businesses and their employees, is more than 20 times more effective than your average phishing email.
This is according to a new report by Barracuda, called Spear Phishing: Top Threats and Trends Vol. 3 - Defending against business email compromise attacks. According to the report, the average amount lost per organisation due to spear-phishing attacks in the last year was $270,000.
BEC, however, has caused more than $26 billion in losses in the last four years, despite making up only seven per cent of all spear-phishing attacks.
In this type of spear-phishing, attackers try to mimic business behaviour as much as possible. The imitation goes so far that they send emails during business hours, and make sure to target as few people in an organisation as possible. More than nine in ten BEC attacks take place on weekdays. On average, they target a maximum of six people. In almost all cases (94.5 per cent), they target a maximum of 25 people.
More than four fifths of the emails are urgent requests designed to trick people into a rash decision.
They’re successful, too. Barracuda claims these attacks have high click-through rates (CTR), 10 per cent on average. For BEC attacks that mimic someone within the organisation, the CTR goes up to 30 per cent.
“Attackers continue to find new ways to make business email compromise attacks more convincing, ultimately making them more costly and damaging to businesses,” said Don MacLennan, SVP, Email Protection, Engineering and Product Management, Barracuda.
“Taking the proper precautions and staying informed about the tactics cybercriminals are using will help organisations defend themselves more effectively against these highly targeted attacks.”