Back in June, the FBI succeeded in apprehending as many as 74 criminals belonging to various cyber crime groups located in the United States, Nigeria, Canada, Mauritius, and Poland. All of these criminals actively engaged in one of the most sophisticated and hard-to-track cyber crime activities anywhere in the world: Business Email Compromise (BEC).
Last week, the FBI followed up its recent success against the scourge that is BEC attacks with some eye-opening statistics about the rise of Business Email Compromise (BEC) and its variant, e-mail account compromise (EAC) attacks.
BEC attacks cost businesses £5.50 billion since January 2017
The premier investigative agency revealed that between October 2013 and May 2018, as many as 78,617 BEC and EAC attacks took place across the world, inflicting losses of $12.5 billion (£9.52 billion) to businesses. Considering that the world faced 40,203 BEC attacks between October 2013 and December 2016, as many as 38,414 BEC attacks took place between January 2017 and May this year, costing enterprises a total of $7.23 billion (£5.50 billion) in losses.
"The BEC/EAC scam continues to grow and evolve, targeting small, medium, and large business and personal transactions. Between December 2016 and May 2018, there was a 136% increase in identified global exposed losses. The scam has been reported in all 50 states and in 150 countries," the FBI said.
"Based on the financial data, Asian banks located in China and Hong Kong remain the primary destinations of fraudulent funds; however, financial institutions in the United Kingdom, Mexico and Turkey have also been identified recently as prominent destinations," it added.
A Business Email Compromise (BEC) attack is a scam in which fraudsters masquerade as CEOs, other high-ranking company officials, or business partners and target unsuspecting employees who have access to company finances, using social engineering and phishing tactics to deceive them. In this way, the fraudsters convince targeted users to make wire transfers to bank accounts they believe belong to trusted partners.
According to security firm Proofpoint, BEC attacks are highly targeted, don’t include attachments or URLs, arrive in low volumes, and impersonate people in authority, and as such are quite difficult to detect and stop with traditional security tools.
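To make Proofpoint's description concrete, here is an added detection example (it is not code from the article, the FBI or Proofpoint) that checks one message for the traits listed above: an executive's display name on an address that is not theirs, a Reply-To that diverts the conversation elsewhere, a lookalike sender domain, and payment or urgency wording in a body that carries no links. The corporate domain, the executive directory and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
import re

CORP_DOMAIN = "example.com"                        # assumed corporate domain (constructed)
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed executive directory (constructed)
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|invoice|payment|urgent)\b", re.I)

def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw_message):
    """Return the BEC indicators found in one plain-text RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    flags = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:       # executive's name, not their address
        flags.append("display-name impersonation")
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        flags.append("reply-to domain mismatch")     # replies go somewhere else
    if sender_domain != CORP_DOMAIN and edit_distance(sender_domain, CORP_DOMAIN) <= 2:
        flags.append("lookalike sender domain")      # e.g. examp1e.com
    # Payment/urgency wording in a body with no links or attachments is exactly the
    # low-signal shape Proofpoint describes, so treat the absence of URLs as no comfort.
    body = "" if msg.is_multipart() else msg.get_payload()
    if body and "http" not in body.lower() and PAYMENT_WORDS.search(body):
        flags.append("payment request with no links or attachments")
    return flags

# Constructed sample, not a real message.
FRAUD = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.ceo@webmail.example>
To: accounts.payable@example.com
Subject: Quick favour

Are you at your desk? I need an urgent wire transfer to a new vendor today.
"""

if __name__ == "__main__":
    print(bec_indicators(FRAUD))  # all four indicators fire on this sample
```

A message that trips several of these heuristics is a candidate for a second-channel confirmation of any payment request, which is the financial control the survey below finds most organisations still lack.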
75% of businesses suffered BEC attacks in the last 2 years
A survey of more than 2,250 IT decision makers carried out by Proofpoint across the US, the UK, Australia, France, and Germany revealed that in Q4 2017, as many as 88.8% of companies were targeted by at least one email fraud attack and in the last two years, about 75% of organisations were targeted by one such attack and 41% were attacked multiple times.
Of those whose organisations were targeted with BEC attacks, 55.7% of IT decision makers said that such attacks resulted in business disruption, one in three of them said criminals were able to trick employees into transferring money to their accounts, and 25% of such attacks resulted in high-level firings (loss of job).
Organisational departments that were targeted the most using BEC attacks were finance (55%), accounts payable (43%), the C-Suite (37%), and the workforce (33%). According to Proofpoint, the rise in BEC attacks over the years has finally forced company boards to take notice and to implement new measures to defeat such attacks.
However, despite the show of concern, less than half of the companies surveyed had deployed available technology (such as email authentication) to protect themselves against email fraud. Still, 57% of IT decision makers said their organisations are now running end-user awareness programmes on phishing attacks, 23% said their businesses have purchased cyber insurance to cover risk from BEC attacks, and 46% said their organisations have deployed e-mail authentication.
On the flip side, 62% of respondents said they don’t have financial controls in place to stop wire transfer fraud, 50% said they do not have end-to-end encryption for sensitive data, and 56% said they do not have user-access levels in place for systems used to process personal data.
"FBI's announcement that business email compromise (BEC)/email account compromise (EAC) attacks have resulted in more than $12.5 billion in losses worldwide shines a necessary light on the real-world financial impact that email fraud and account compromise can have on organizations," said Ryan Kalember, SVP Cybersecurity Strategy at Proofpoint.
"These new figures compound our recent research findings that email fraud attacks hit more than 90% of organizations in the first three months of this year and the total number rose 103% year-over-year. While these numbers are substantial, it’s worth noting that many cyberattack incidents of this nature are either underreported or unreported each year.
"Email has become a top attack vector for BEC/EAC attackers because it is a much more effective, easier path for them to navigate than hacking into a targeted organization’s infrastructure. No matter what an organization’s security architecture looks like, attackers are adept at using two of the most powerful information tools of our era—LinkedIn and Google—to conduct reconnaissance on potential individuals to target."
Kalember added that hackers are nowadays resorting to brute-force attacks to compromise corporate e-mail systems and gain access to accounts even if the company has deployed single sign-on or multi-factor authentication (MFA) as part of their security system. Credential reuse, brute force attacks, and credential-stealing malware are now the most-favoured EAC attacks, he added.