Agari has published research revealing that 96 percent of organizations have received business email compromise (BEC) emails during the second half of 2017. The Agari ‘Business Email Compromise (BEC) Attack Trends Report’ analyses more than one billion emails considered safe by conventional email security solutions, including Secure Email Gateways (SEG), Advanced Threat Protection (ATP) and Targeted Attack Protection (TAP).
“Business email compromise is a particularly effective attack vector because its lack of payload makes it nearly impossible for conventional email security solutions to detect and prevent,” said Markus Jakobsson, chief scientist, Agari. “At its core, business email compromise is a social engineering attack that leverages familiarity, authority and trust, which can result in billions of dollars of losses to businesses.”
According to the FBI, BEC attacks were responsible for more than $5.3 billion in exposed losses between 2013 and 2016. BEC attacks leverage social engineering, impersonating trusted individuals, such as bosses and third-party vendors, to request wire payments or sensitive data such as W-2 tax forms. Social networks and free cloud email services make it simple for cybercriminals to identify their targets, create an email account that impersonates a trusted entity (CEO, brand, partner) and then create a believable con with personalised details to make these attacks successful.
Key findings of the Business Email Compromise (BEC) Attack Trends Report include:
Nearly every organization has received BEC: 96 percent of organizations have been targeted by BEC attacks between June 2017 and December 2017. On average, organizations experienced 45 BEC attacks during this time.
BEC attacks manifest in a variety of forms: BEC attacks include display name deception, domain spoofing, and look-alike domains. However, BEC attacks function differently than phishing or spear-phishing attacks because there is no payload, such as a malicious attachment or a malicious URL.
Conventional security solutions are ineffective against BEC: as the last line of protection against advanced email-based attacks, Agari witnessed that 81 percent of BEC attackers used display name deception, 12 percent using domain spoofing and 7 percent used look-alike domains to impersonate a trusted party, without the SEG, ATP or TAP detecting it. Conventional email security solutions, such as SEG, ATP and TAP attempt to detect attacks by monitoring for malicious payloads, attachments, URLs and other forms of known bad behavior. However, attackers can evade these protections by impersonating trusted individuals, partners or brands, while avoiding the use of malicious payloads.
“Business email compromise has become a pervasive threat that targets nearly every organization, often slipping past conventional email security solutions undetected,” said Greg Temm, chief information risk officer, FS-ISAC. “BEC opens organizations up to financial losses and could put customers’ investments at risk. Urgently deploying effective security controls and educating employees are some of the best ways to deal with this type of attack.”