Business Email Compromise Bigger Threat Than Malware Alone
By: Jim Stickley and Tina Davis
February 15, 2019
Email phishing is proving, over and over, to be the weakest link and the biggest attack vector for businesses today. Business Email Compromise (BEC), in which an attacker uses a spoofed or hijacked email account to pose as an executive, colleague or supplier and request a payment, a change of banking details or sensitive data, is the fast-growing form of it that companies of every size are up against. Phishing is now considered more dangerous to a business than malware. That is because a phishing campaign is much easier to run than a malware campaign: there is no exploit or payload to develop and keep ahead of antivirus signatures, and little that needs changing before the next one is sent. It also doesn’t matter where a business is located; phishing attacks are known the world over. A recent UK study of Chief Information Security Officers (CISOs) found that phishing accounted for 48% of their security breaches, while only 22% were attributed to malware.
Wombat’s “2018 State of the Phish” report offers some startling figures on phishing and what it means to businesses of all sizes. The survey found that 76% of businesses experienced a phishing attempt in 2017, and 48% said phishing attacks remain a constant threat. Attackers know that employees are a company’s most exposed surface, and they stop at nothing to take advantage of that. Depending on its size, the cost can be enough to shut a small company down; large enterprises are more likely to recover, simply because they have the financial resources to absorb the loss. According to the report, 30% of respondents suffered lost time, lost money and general business disruption after a phishing attack, 38% said accounts were compromised, and 49% reported malware infections resulting from phishing.
Educating staff, and the consultants who work alongside them, to recognise phishing should not be pushed aside. Perimeter security tools are important and necessary, but they will not stop all spam, and they certainly will not stop every phishing email from reaching a user’s inbox. Teach users what to look for:
- Unprofessional images, branding or wording (typos, odd formatting, mismatched logos)
- Links or attachments that were not expected, especially when the link text and the actual destination differ
- Messages from unknown senders, or from a familiar name at an unfamiliar or look-alike address
- Wording that implies something bad or critical will happen if action is not taken immediately
- A promise of something too good to be true
- A request for credentials or other personally identifiable information (PII)
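The same checklist can be turned into a first-pass triage script, which is useful both for mail-gateway tuning and for showing trainees concretely what the indicators look like in a message. The following is an added example, not code from the article or from any vendor mentioned in it. The sample messages, the domains (example-corp.com and its look-alikes) and the keyword lists are all constructed for illustration; a real deployment would draw its trusted-domain list and keywords from the organisation’s own mail and would treat the output as a signal for a human, not a verdict.

```python
"""Heuristic triage of an email against the phishing checklist above.

Added example with constructed sample messages; domains and keyword lists
are illustrative assumptions, not a production ruleset.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Illustrative keyword lists (assumption: tune these to your own mail flow).
URGENCY = ("immediately", "urgent", "within 24 hours", "account will be suspended",
           "final notice")
CREDENTIAL_REQUEST = ("confirm your password", "verify your account",
                      "enter your credentials", "social security number")
TOO_GOOD = ("you have won", "prize", "free gift", "lottery")
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".hta", ".iso", ".html", ".zip", ".docm"}


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_trusted(domain, trusted):
    """True if domain equals, or is a subdomain of, a trusted domain."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def analyze(raw, trusted_domains):
    """Return a sorted list of checklist items the raw RFC 5322 message trips."""
    msg = email.message_from_string(raw, policy=policy.default)
    trusted = {d.lower() for d in trusted_domains}
    hits = set()

    _name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = _domain(addr)
    if not _is_trusted(sender_domain, trusted):
        hits.add("unknown-sender")          # includes look-alike domains

    # A Reply-To on another domain is a classic BEC tell: the visible sender
    # looks right, but every reply goes to the attacker's mailbox.
    reply_domain = _domain(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_domain and reply_domain != sender_domain:
        hits.add("reply-to-mismatch")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()

    if any(k in text for k in URGENCY):
        hits.add("urgency")
    if any(k in text for k in CREDENTIAL_REQUEST):
        hits.add("credential-request")
    if any(k in text for k in TOO_GOOD):
        hits.add("too-good-to-be-true")

    # Any link whose host is outside the trusted domains is "unexpected".
    for host in re.findall(r"https?://([^/\s>\"']+)", body, flags=re.I):
        if not _is_trusted(host.lower().split(":")[0], trusted):
            hits.add("unexpected-link")
            break

    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if any(filename.endswith(ext) for ext in RISKY_EXTENSIONS):
            hits.add("unexpected-attachment")
            break
    return sorted(hits)


# Constructed BEC-style sample: look-alike sender domain (examp1e with a
# digit one), external Reply-To, urgency, credential request, phishing link.
BEC_SAMPLE = """\
From: "Pat Lee, CFO" <pat.lee@examp1e-corp.com>
Reply-To: pat.lee.cfo@webmail-example.net
To: accounts@example-corp.com
Subject: URGENT wire transfer
Content-Type: text/plain; charset=utf-8

I need this vendor payment sent immediately, before close of business.
Confirm your password at https://example-corp.com.login-portal.net/verify
so finance can release the funds.
"""

# Constructed benign internal message for comparison.
BENIGN_SAMPLE = """\
From: Sam Ortiz <sam.ortiz@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 expense report
Content-Type: text/plain; charset=utf-8

The Q3 report is on the shared drive at https://intranet.example-corp.com/q3 .
No action needed before Friday.
"""


def build_attachment_sample():
    """Construct an internal-looking mail carrying a risky .html attachment."""
    msg = EmailMessage()
    msg["From"] = "Sam Ortiz <sam.ortiz@example-corp.com>"
    msg["To"] = "accounts@example-corp.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("See attached.")
    msg.add_attachment(b"<html><script>/* payload */</script></html>",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.html")
    return msg.as_string()


if __name__ == "__main__":
    trusted = ["example-corp.com"]
    for label, raw in (("BEC", BEC_SAMPLE), ("benign", BENIGN_SAMPLE),
                       ("attachment", build_attachment_sample())):
        print(f"{label}: {analyze(raw, trusted)}")
```

The Reply-To and look-alike-domain checks are worth calling out in training: both exploit the fact that mail clients show a display name far more prominently than the address behind it, which is exactly why the checklist says to look at the actual sender, not the name.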
In a separate study, the 2018 Webroot SMB Pulse Report ranks phishing as the number one threat to small-to-medium-sized businesses (SMBs). Of the 500 SMBs surveyed, 41% had no IT security resources at all, and only 12% had a dedicated in-house security professional or team. With numbers like that, it’s easy to see how email phishing has surpassed malware to become the biggest security threat to business: a phish needs no vulnerable software to succeed, only an employee nobody has trained.
When it comes to employee security-awareness training, the results aren’t much better. Webroot reports that 35% of respondents have some type of employee education, while the remaining 65% admit they have no such training available. With email phishing pushing malware aside as the number one threat to SMBs, ongoing employee education is the best defense to keep your staff, and your business, from becoming click bait.