BEC Attacks Skyrocket: Over $26 Billion In Damages And Growing
By: Jim Stickley and Tina Davis
May 18, 2020
Since email phishing attacks were first discovered in 1995, using email as a weapon has been gaining steam over time. The ongoing commitment by cybercriminals to improve email phishing brings it to a new level of success. Business email compromise (BEC) attacks target a specific business and select employees. BEC is known for unleashing malware, including ransomware and financial attacks, and for tricking employees into handing over large sums of money. The FBI finds the cost of BEC to U.S. businesses topped $26 billion over the past three years.
The 2018 Check Point Research Security Report found 64% of organizations experienced an email phishing attack in the previous year, with 82% of those efforts specifically aimed at the manufacturing sector. Current phishing statistics show BEC attacks are way up, and there’s no reason to believe they’ll be slowing down any time soon. A closer look gives more insight into this effective hacking tool, and how the growing number of BEC attacks is a threat to us all.
The FBI found that from June 2016 to July 2019, over 165,000 BEC scams were reported, costing businesses over $26 billion in just three years. The FBI also notes the average loss from a bank robbery is $3,000, while a successful BEC attack has a payday of nearly $130,000. It’s easy to see why BEC email attacks are replacing old-school robberies: a BEC attacker can strike without ever leaving the comforts of home. Since BEC attacks happen exclusively in the workplace, statistics also show the evolving trends for these crimes. Barracuda Research reports on the latest BEC trends and what they have in common.
- 91% of BEC attacks take place during the workday and at regular work hours. The timing helps convince BEC recipients that the email is legitimate since it’s sent during the course of regular business hours.
- On average, a BEC attack targets a maximum of six employees, with 94.5% targeting fewer than 25 people. Hackers do their homework ahead of time by checking company websites and other social media to get the names of current employees, their positions, and personal interests. Using spearphishing tactics, the information helps BEC attacks target employees with laser precision. The attacker can then assume the identity of staff, executives, and vendors to perpetrate the scam.
- BEC emails are three times more likely to be opened than other spearphishing emails. The subjects and content rely on a sense of urgency to get a response. Remember, it only takes one employee to seal a BEC attack.
- 85% of emails are marked as urgent, 59% request help, and 26% ask about availability. Being human continues to be a weakness that BEC attacks capitalize on. Any email that exploits emotion and elicits a fast response should be flagged as highly suspicious, especially if it has anything to do with financial resources of any kind.
- Phishing accounts for 90% of data breaches. With statistics pointing to the effectiveness of BEC attacks, cybercriminals know email phishing is a reliable attack vector they can build upon.
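
The traits in the list above (urgency, requests for help, availability checks, and anything touching money) can be turned into a first-pass mail triage rule. The sketch below is an added example, not part of the original article or of any vendor's product; the phrase lists, the `hold`/`flag`/`deliver` labels, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

# Phrase lists are illustrative assumptions; tune them to your own mail flow.
TRAITS = {
    "urgent": re.compile(r"\b(urgent|asap|immediately|right away)\b", re.I),
    "help_request": re.compile(r"\b(need your help|can you help|quick favor)\b", re.I),
    "availability": re.compile(r"\bare you (available|at your desk|free)\b", re.I),
    "financial": re.compile(r"\b(wire|invoice|payment|gift cards?|bank details)\b", re.I),
}
PRESSURE = {"urgent", "help_request", "availability"}

def bec_traits(raw):
    """Return the set of trait names found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    found = {name for name, rx in TRAITS.items() if rx.search(text)}
    # A sender-set priority header also counts as "marked as urgent".
    if (str(msg.get("Importance", "")).strip().lower() == "high"
            or str(msg.get("X-Priority", "")).strip().startswith("1")):
        found.add("urgent")
    return found

def triage(raw):
    """'hold' = pressure plus money, 'flag' = pressure only, else 'deliver'."""
    traits = bec_traits(raw)
    if traits & PRESSURE and "financial" in traits:
        return "hold"
    return "flag" if traits & PRESSURE else "deliver"

# Constructed sample messages (not real mail).
SAMPLES = {
    "wire": "From: ceo@example.com\nSubject: Urgent request\n\n"
            "Please process a wire payment today.\n",
    "probe": "From: ceo@example.com\nSubject: Quick question\n\n"
             "Are you available?\n",
    "header": "From: vendor@example.com\nSubject: Updated details\n"
              "X-Priority: 1 (Highest)\n\nSee the new invoice attached.\n",
    "benign": "From: hr@example.com\nSubject: Cafeteria menu\n\n"
              "This week's menu is posted.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw), sorted(bec_traits(raw)))
```

Keyword rules like this produce false positives on legitimate finance mail, so treat a `hold` as a prompt for out-of-band verification of the request rather than as a verdict.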