BEC Volumes Double on Phishing Surge

Written by

The number of business email compromise (BEC) incidents doubled last year and replaced ransomware as the most prolific cybercrime category, according to Secureworks.

The threat detection and response firm compiled its Learning from Incident Response report from hundreds of real-world incidents it was called upon to investigate.

It claimed the significant growth in BEC volumes was down to a surge in phishing, which accounted for a third (33%) of initial access vectors – up from 13% in 2021.

At the same time, ransomware fell from its perch as the most common cybercrime type, with detections declining 57%.

Read more about the top-grossing cybercrime categories: Investment Fraud is Now Biggest Cybercrime Earner.

Secureworks suggested that the fall could be down to threat actors targeting smaller victims, which are less likely to engage with incident responders like the report’s sponsor. At the same time, it could also represent a shift in threat actor monetization strategies.

Mike McLellan, director of intelligence at Secureworks, argued that BEC attacks can generate a big payout but require relatively little technical skill.

“Attackers can simultaneously phish multiple organizations looking for potential victims, without needing to employ advanced skills or operate complicated affiliate models,” he added.

This analysis chimes with a recent Trend Micro report, which suggested that ransomware groups will increasingly look to adopt other criminal models that monetize initial access, like BEC.

Elsewhere, Secureworks claimed that vulnerabilities in internet-facing systems accounted for another third of initial access vectors, warning that it is known bugs like Log4Shell, rather than zero days, that represent the biggest threat.

The firm also recorded a slight uptick in state-backed activity, increasing from 6% to 9% of all attacks. The vast majority (90%) were linked to China.

“Government-sponsored threat actors have a different purpose to those who are financially motivated, but the tools and techniques they use are often the same. For instance, Chinese threat actors were detected deploying ransomware as a smokescreen for espionage,” said McLellan.

“The intent is different, but the ransomware itself isn’t. The same is true for the initial access vector. It’s all about getting a foot in the door in the quickest and easiest way possible, no matter which group you belong to.”

Most (79%) attacks overall were financially motivated, although the share was lower than in previous years, Secureworks said.

What’s hot on Infosecurity Magazine?