Business email compromise (BEC) is quickly becoming the worst-kept secret. Let’s just say $2.7 billion leaves a trace, and it’s a mile wide.
What usually gets the hype is ransomware, the ever-present boogeyman of the digital world. While its contributions are worth noting — last year adjusted losses totaled $34.3 million — they pale in comparison to the damage BEC can inflict.
So why is BEC so effective? Why do we fall for its ploys time and time again, and in big ways?
Fortra’s 2023 Business Email Compromise (BEC) Report pulls out a magnifying glass to the tactics, techniques, and watering holes used by BEC threat actors in an effort to pull off the mask.
Here are five of the most notable highlights from the report, but just like the stats themselves, they’re only the tip of the iceberg.
5. Malicious Email Doesn’t Require Malicious Code
Email has been around for decades, as has the need for email security. But methods have changed. Criminals used to depend on including an attachment or URL as part of the attack sequence. However, as email security improved, it got better at stopping these types of threats, forcing bad actors to pivot in order to get past our controls and into the inbox. According to Fortra, 23.6% of emails that made it to corporate inboxes in Q1 of 2023 were untrustworthy or malicious. This represents an increase of about 5% compared to the previous year.
4. Criminal Actors Love to Impersonate Well-known Brands
Email-based attacks need humans to let their guard down and take the action the criminal wants. One way to achieve this is to impersonate a well-known brand because trust is already established. The criminals know this, which is why more than 60% of email impersonations display the name of a trusted entity.
3. Important People Continue to Be Impersonated
Aside from spoofing corporate names, criminal actors will also impersonate important people. Sometimes the person might be from a famous organization, while other times they could be executives from the victim’s own company. Threat actors alter the email display name 36% of the time to present the name they want. This is how attackers increase the chances of fooling the victim into acting, which may include wiring a past-due payment or clicking on a link to verify whether an invoice payment was received. In the latter example, the link would be fraudulent and used to harvest credentials. By nature, employees will quickly take action when they think an inquiry is from a high-ranking individual, which is why rates of high-profile impersonations continue to be high.
2. Office 365 Is a Dangerous Favorite Target
Nearly 41% of all credential theft phishing targets Office 365. This is because Microsoft is a well-known brand, it has a very large deployment footprint, and it’s used daily. Also working in the attacker’s favor is the large volume of notifications from Microsoft, which helps reduce suspicion on the part of the user when they are asked to re-enter their credentials. And thanks to the far-reaching nature of Office 365, once the threat actor has obtained the user’s credentials, they can reach a significant part of the company.
1. Hybrid Vishing Is the Top Response-based Threat
The use of fake invoices is not new. However, adding a phone number for the victim to call is a tactic that’s gaining momentum. The victim is provided with a (vishing) number, which they can call to verify the legitimacy of the claim. When an attacker picks up and approves it, typically swiping a few other personal “verification details” along the way, it’s all over. This type of hybrid vishing was the top response-based threat this year, making up 45% of the overall volume. Don’t be surprised if we start seeing threat actors using generative AI to clone voices soon.
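Two of the patterns above, display-name impersonation (point 3) and the invoice-plus-callback-number lure (point 1), need no link or attachment, so they slip past controls that only look for malicious content. The heuristics below are an added example, not code from Fortra or the report; the trusted domain, the protected-name watch list and the sample message are all constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed assumptions: the defender's own mail domain and the executives/brands worth protecting.
TRUSTED_DOMAINS = {"example.com"}
PROTECTED_NAMES = {"jane doe", "microsoft", "office 365"}

# Loose North American phone pattern and invoice/payment wording typical of the lure.
PHONE_RE = re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b")
INVOICE_RE = re.compile(r"\b(invoice|payment|past[- ]due|wire)\b", re.IGNORECASE)


def display_name_mismatch(from_header: str) -> bool:
    """True when the display name is a protected person or brand but the address is not on a trusted domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    name_l = name.lower()
    impersonates = any(p in name_l for p in PROTECTED_NAMES)
    return impersonates and domain not in TRUSTED_DOMAINS


def hybrid_vishing_lure(body: str) -> bool:
    """True when invoice/payment wording is paired with a callback number (no link or attachment needed)."""
    return bool(INVOICE_RE.search(body)) and bool(PHONE_RE.search(body))


def score_message(from_header: str, body: str) -> list[str]:
    """Return the BEC indicators that fired; an empty list means neither heuristic matched."""
    findings = []
    if display_name_mismatch(from_header):
        findings.append("display-name-impersonation")
    if hybrid_vishing_lure(body):
        findings.append("hybrid-vishing-callback")
    return findings


if __name__ == "__main__":
    # Constructed sample in the style the report describes: executive name, external mailbox, callback number.
    hdr = '"Jane Doe" <jane.doe.ceo@freemail.example.net>'
    body = "Your invoice is past due. Call 555-012-3456 to verify the payment before 5pm."
    print(score_message(hdr, body))  # ['display-name-impersonation', 'hybrid-vishing-callback']
```

These checks produce triage signals, not verdicts; a mail from a real executive's personal address would also trip the first one, which is exactly the case a reviewer should look at.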
While we could all hope this list was exhaustive, unfortunately, it’s only the beginning.
Want additional insights?
We’ve only scratched the surface. Check out the report and deepen your understanding of the BEC problem today with charts, statistics, and specifics that tell the whole story.