With all the recent focus on education and prevention of business email compromise (BEC) attacks, have the numbers gone down? Nope. In fact, the number of BEC attacks is significantly rising.
As we learned in Part 1 of this series, The Evolution of BEC Phishing, the instances and the financial loss from BEC are growing every year, more than quadrupling from 2020 to 2021 with losses over $43 billion.
We also learned in our recently published Osterman Research whitepaper, Defending the Enterprise: The Latest Trends and Tactics in BEC Attacks, that organizations see the threat of BEC growing year on year and expect it to become twice as high as the threat of phishing in general.
Why is this happening? Let’s look at four key drivers that are contributing to the rise and success of BEC attacks.
Why is the number of BEC attacks rising so fast? The answer is simple—they work. A small taste of success is a huge driver to want more.
Similarly, fraudsters are part of a community. They share and brag about their conquests, while inquiring, watching, and adapting their attacks based on successes they see happening across the scamming community.
Motivation for continued and increased attacks comes easily when hackers see even a little bit of success. They’re going to do whatever it takes to make the most money, and in the case of BEC scams, the lure of large transactions makes them very appealing. According to a 2021 FBI report, successful BEC scams accounted for an average loss of more than $120,000 per incident.
According to the 2022 FBI Internet Crime Report (IC3), both complaints (21,832) and losses ($2.7 billion) from BEC increased compared to 2021. The average cost increased to $125,611 per incident. BEC represented 2.7% of complaints, and 26% of total crime losses.
While the techniques utilized by fraudsters are becoming more and more sophisticated, the people launching the BEC attacks are often not particularly skilled or experienced. The tools have become so good that someone with little competence can launch elaborate attacks on a large scale.
Cyber-criminals heavily rely on phishing kits: widely available, ready-to-launch packages and services (some include technical support) that include essential tools such as:
If you’ve ever ordered IKEA furniture, you know how this works. You receive a package with all of the different pieces and tools. Just follow the basic instructions and you can put everything together in a short time.
There are even inexpensive phishing kits that are pre-designed to impersonate specific brands. You’ve probably seen these phishing emails, mimicking PayPal or Amazon, for example. And they cost less than you’d think. In 2021, many pre-designed kits were available for $50-$200 through the dark web and private Telegram channels. For a bit more money, fraudsters can purchase “phishing as a service”, where someone sets all of this up for you.
At their core, BEC attacks are a form of phishing, but not the typical “spray and pray” attack. The ROI appeal of BEC has resulted in attackers moving toward more targeted, socially engineered email attacks.
As we’ve seen, credentials are readily available for purchase on the dark web. But hackers don’t even need to break out their (stolen) credit card to get the credentials needed to launch an attack; they can access the infamous RockYou list, with more than 8.4 billion entries, for free. This process is further simplified by the wealth of information about an organization and its employees and their roles that is readily available on corporate websites, LinkedIn, and social media accounts:
Fraudsters have perfected their ability to take advantage of this information, while capitalizing on the emotions and carelessness of the people they are targeting.
It is common for fraudsters to tailor their attacks to each industry so that they appear to follow standard business processes. In one real estate industry incident we blogged about last September, for example, hackers used a financial template that is standard and familiar to all agents and inspectors to gather a wealth of sensitive documents and information. This was accomplished through a fraudulent link, which also enabled the fraudsters to steal login credentials. Once the hackers owned the agent and inspector accounts, they launched multiple BEC attacks.
Data breaches don’t always come from phishing attacks. They often start with credential stuffing attacks to gain direct access to an employee's Microsoft 365 or Google Workspace, a CRM account, or a Slack or Teams profile.
Once account credentials are identified, fraudsters are able to use them to complete an Account Takeover (ATO), gaining full access to and control of a legitimate business email account. Attackers then use this legitimate but compromised email account to commit BEC attacks in the form of internal phishing. The damage from these attacks compounds as soon as the hacker starts using the compromised account to attack the business’s vendors and partners. Even one or two compromised accounts within one organization make for easy vectors to successfully launch multiple BEC scams.
A successful attack on a business or e-commerce site often provides the opportunity for widespread credential stuffing, as most people reuse the same username and password across online accounts. These attacks typically occur multiple times before anyone notices, and the breached data is often still usable for several years.
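The credential stuffing and account takeover pattern described above leaves a recognizable footprint in authentication logs: one source address fails against many different usernames in a short span, then a success lands on one of them. The following detection logic is an added example written for this post, not IRONSCALES code. The log format, the sample log lines, the source addresses and the thresholds (five distinct accounts within ten minutes) are all constructed for illustration; a real deployment would read its identity provider's sign-in logs and tune the thresholds to its own baseline. The sample also includes a repeated-failure burst against a single account, which the code deliberately does not flag as stuffing, so the distinction between the two patterns is visible.

```python
"""Flag credential-stuffing sources and follow-on account takeovers in auth logs.

Added example; constructed log format:
    <ISO-8601 UTC timestamp> <source_ip> <username> <SUCCESS|FAILURE>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 203.0.113.7 cycles through six accounts with one attempt
# each (the stuffing signature) and succeeds on the last one. 198.51.100.9 hits a
# single account repeatedly (brute force, a different pattern). 192.0.2.44 is a
# normal login.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z 203.0.113.7 alice@example.com FAILURE
2024-03-04T09:00:02Z 203.0.113.7 bob@example.com FAILURE
2024-03-04T09:00:03Z 203.0.113.7 carol@example.com FAILURE
2024-03-04T09:00:04Z 203.0.113.7 dave@example.com FAILURE
2024-03-04T09:00:05Z 203.0.113.7 erin@example.com FAILURE
2024-03-04T09:00:06Z 203.0.113.7 frank@example.com SUCCESS
2024-03-04T09:05:00Z 198.51.100.9 alice@example.com FAILURE
2024-03-04T09:05:30Z 198.51.100.9 alice@example.com FAILURE
2024-03-04T09:06:00Z 198.51.100.9 alice@example.com SUCCESS
2024-03-04T10:00:00Z 192.0.2.44 grace@example.com SUCCESS
"""

# Assumed thresholds: tune against your own sign-in baseline.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user,
                       outcome == "SUCCESS"))
    return events


def find_stuffing_sources(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Return {ip: set(usernames)} for sources whose failures span at least
    `min_users` distinct accounts inside any `window`-long interval.

    Many failures against one account are not counted: that is brute force,
    not stuffing, and is handled by ordinary lockout policy.
    """
    failures_by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            failures_by_ip[ip].append((ts, user))

    flagged = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = {u for _, u in fails[start:end + 1]}
            if len(distinct) >= min_users:
                flagged[ip] = {u for _, u in fails}
                break
    return flagged


def find_takeovers(events, flagged):
    """Return sorted (ip, username) pairs for successful logins that came from
    a flagged stuffing source: these accounts need a forced reset and review."""
    return sorted({(ip, user) for _, ip, user, ok in events
                   if ok and ip in flagged})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    sources = find_stuffing_sources(evts)
    for ip, users in sources.items():
        print(f"stuffing source {ip}: {len(users)} distinct accounts targeted")
    for ip, user in find_takeovers(evts, sources):
        print(f"likely account takeover: {user} from {ip}")
```

The takeover check is the part that matters for BEC: a stuffing source that eventually succeeds has most likely found a reused password, and the affected mailbox is the one that will start sending internal phishing and vendor invoices. Resetting that credential and reviewing the account's sent items and forwarding rules is the defensive follow-up.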
While healthcare, manufacturing and financial institutions are the most heavily targeted, it really doesn’t matter how large or small your business is or what kind of work you do: companies of all types and sizes are targets for BEC attacks.
Experts across the cybersecurity industry, and even the FBI, expect this trend to keep growing, emphasizing the importance of BEC prevention and protection. Let’s recap a few of the primary reasons why:
There are a lot of solutions on the market that offer phishing protection, but only one combines AI and human insights into one platform to combat advanced phishing attacks like BEC, ATO, and VIP impersonation. Request a demo to learn more about how IRONSCALES protects enterprise organizations from advanced threats.