Ransomware and other malware incidents dominate the headlines in cybersecurity, yet a far less discussed threat, business email compromise (BEC), causes organizations the most significant financial losses. According to the FBI’s Internet Crime Complaint Center (IC3) 2021 Internet Crime Report, BEC attacks accounted for over $2.4bn worth of business losses in 2021. That is 48 times higher than ransomware and one-third of all cybercrime losses reported to the FBI that year.

BEC, also known as email account compromise (EAC), refers to social engineering attacks that target individuals to trick them into sending critical information, usually financial, via email. Typically, the scammer spoofs corporate or publicly available email accounts of executives or high-level employees related to finance or involved with wire transfer payments, using phishing techniques or other social engineering methods, and then persuades another employee to do such fraudulent transfers. While staff in finance are ideal targets, anyone in the business is susceptible to being compromised.

Moreover, BEC attacks have grown steadily over the past few years. Global BEC losses jumped from $1.29bn in 2018 to $1.7bn in 2019 and $1.86bn in 2020. The FBI has recorded a 65% surge in monthly losses between July 2019 and December 2021. In the first quarter of 2022, BEC overtook ransomware as the top threat for the first time in security consultancy firm Kroll’s quarterly report.

“What makes BEC such an important threat is that it is a concern for everyone, from Google and Facebook to a tiny local football club or even an individual wanting to buy a house. If you’re transacting money, you could be the target of a BEC attack,” Adenike Cosgrove, VP of cybersecurity strategy at Proofpoint, tells Infosecurity. “People are concerned about nation-state threats, ransomware, or cryptocurrency mining attacks, but the reality is that the basics work. In most attacks, threat actors largely rely on the same techniques, from compromised credentials and user-activated malware to data theft from the dark web that is being shared, sold and recycled among cyber-criminals.”

Worse Than it Seems

The data above paints a bleak picture, yet many cybersecurity professionals believe these statistics still understate the impact BEC attacks are having today.

The latest increase in BEC attacks “was fueled by the COVID-19 pandemic,” says Bharat Mistry, technical director at Trend Micro. “With many people working from home, it makes them easier targets than normal. When you see an email that you are unsure about, if you are in the office, you might ask your work colleague for a second opinion and decide not to respond,” he adds.

Josh Yavor, CISO at Tessian, a British security company, is convinced that “all the numbers we see are underreported.” Cosgrove agrees: “The IC3 claims some of its statistics are global, but how many companies report to the FBI outside of the US?” she asks. The same goes for cybersecurity vendors, Mistry argues: “We see the view from our telemetry, based on our solutions only. Globally, the figures could be much higher than we see.”

The reason BEC attacks are overlooked is twofold. On the one hand, the attackers are usually far less vocal about this type of hack than ransomware operators are, which makes it difficult for security researchers to carry out forensics and for threat analysts to offer any attribution. On the other hand, the stealthy nature of BEC and its impact on the targets’ finances and reputation mean that the victims, too, would rather keep quiet about having fallen for it.

“The most well-known hacking groups with fancy names mainly are geopolitically motivated, like hacktivists or nation-sponsored actors, whereas attackers who use BEC usually are from organized crime groups. They won’t display their names before they get prosecuted,” Yavor says. The threat ecosystem is also becoming increasingly sophisticated, with a quasi-Fordian division of labor: one actor typically crafts an attack, another does the social engineering work, and a third deploys it.

“Nowadays, the lines get blurrier as well. The criminals are increasingly collaborating, and different motives and attacks tend to overlap. What might start as a ‘simple’ BEC attack can turn into ransomware. These should no longer be treated as different problems,” warns Cosgrove.