Recorded business email compromise (BEC) attacks increased by more than 81% during 2022 and by 175% over the past two years, with open rates on malicious emails also surging, according to Abnormal Security.
The security vendor analyzed data from its customers to help compile its H1 2023 threat report, Read Alert.
It found the median open rate for text-based BEC emails during the second half of 2022 was 28%. More worrying still, it revealed that 15% of read malicious emails were replied to by corporate employees.
Employees at all levels of an organization engage with BEC emails, but 78% of entry-level sales staff read and replied to these malicious missives, the report found. Staffers in transportation sector companies (16%) were most likely to reply to attacks, followed by automotive (9%) and healthcare (8%).
Abnormal Security also revealed a concerning lack of reporting to security teams: just 2% of known attacks were flagged.
BEC attacks increasingly target smaller companies. The report noted a 145% increase in malicious emails aimed at SMB inboxes.
Abnormal Security CISO Mike Britton argued that staff education can only reduce the risk from BEC so far, and that organizations must also consider layering this approach with enhanced technology solutions.
“Email is undeniably the most common channel for asynchronous communication. And as our collective dependence on email has increased over the past two years, its popularity as an attack vector has also grown,” he added.
“One of the biggest challenges with email attacks is that your employees have to be correct every time, whereas threat actors only have to be successful once.”
Threat actors are increasingly using open source intelligence gleaned from sites like LinkedIn, SEC disclosures and even target organizations’ websites to personalize their emails, in order to make them more convincing, the report warned.
While law enforcers continue to disrupt major BEC cybercrime operations globally, losses are mounting. Fraudsters made nearly $2.4bn globally in 2021 from attacks reported to the FBI, the most of any cybercrime type.