Business email compromise attacks are getting out of hand

Business email compromise (BEC) attacks continue to plague security teams, with companies losing millions of dollars as a result, a new report from Area 1 Security suggests.

Analyzing more than 31 million threats across multiple industries, the security firm found that almost a tenth (9 percent) of attacks used identity deception tactics (spoofing, domain impersonation, display name impersonation, etc.). Other common tactics included credential harvesters, compromised links and attachments.

Most of the time (56 percent), attackers tried to impersonate one of three major organizations: the World Health Organization, Google and Microsoft. In some cases, these spoofed emails concealed BEC attacks.

Although only 1.3 percent of threats were BEC attacks, they are having a serious impact on the bottom line. On average, BEC requests sought $1.5 million, with the median coming in at $260,000.

Businesses are trying to remedy the issue by training end-users, but it doesn’t seem to be working out. The report states that 92 percent of user-reported phishing was actually “entirely benign spam or bulk mail”. IT teams are flooded with “thousands of false alarms”, making the detection of actual problems that much more difficult.

“Cyber campaigns continue to be a tool for waging war against corporations, theft of intellectual property, and massive financial and data loss,” said Patrick Sweeney, CEO at Area 1 Security.

“Our research found that security awareness training is only beneficial from an educational perspective but not effective in stopping threats.”