True North Networks Blog
Why Business Email Compromise (BEC) Punches Above Its Weight
Business email compromise (BEC) attacks are particularly insidious because they don’t use malware payloads or malicious URLs. That’s a reminder from Evan Reiser, CEO and co-founder of Abnormal Security. In an article for Threatpost, Reiser says that organizations have primarily focused on implementing security technologies that look for malicious payloads, but these solutions are ineffective against BEC attacks. These “payload-less attacks” make up only 5 percent of all email attacks, but they’re the most financially devastating. The FBI says BEC attacks have caused more than $26 billion in losses over the past three years.
Reiser explains that BEC emails can be sent from spoofed or compromised email accounts belonging to executives, vendors, or employees. The attackers often conduct extensive research about their targets in order to make the attacks as convincing as possible.
“According to the Abnormal Security Research Team, 69 percent of payload-less attacks impersonate someone the recipient knows; while employees are 17 times more likely to engage with a payload-less attack email than they are with other types of phishing and spam,” Reiser writes.
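As an added illustration (not part of the article, and not Abnormal Security's code), the following Python checks one message for the identity signals that payload scanning cannot see: a known colleague's display name on an address that is not theirs, and a Reply-To header that diverts replies to another domain. The colleague directory and the two sample messages are constructed for the example.

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed directory of colleagues, keyed by normalized display name.
DIRECTORY = {"jane doe": "jane.doe@example.com", "sam lee": "sam.lee@example.com"}
URL_HINTS = ("http://", "https://", "www.")

def normalize(name):
    return " ".join(name.lower().split())

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def is_payload_less(msg):
    """True when the message carries no attachment and no URL in its text body."""
    if any(part.get_filename() for part in msg.walk()):
        return False
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    return not any(hint in text for hint in URL_HINTS)

def assess(raw):
    """Return payload-less status and identity-based BEC indicators for one message."""
    msg = message_from_string(raw, policy=default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    indicators = []
    expected = DIRECTORY.get(normalize(name))
    if expected and addr.lower() != expected:
        # A colleague's name on a foreign address: lookalike domain or free-mail account.
        indicators.append("display name impersonates %s" % expected)
    if reply_to and domain_of(reply_to) != domain_of(addr):
        indicators.append("Reply-To routes replies to a different domain")
    payload_less = is_payload_less(msg)
    # A payload scanner sees nothing here; only the identity signals can flag it.
    return {"payload_less": payload_less, "indicators": indicators, "flagged": payload_less and bool(indicators)}

# Constructed sample messages (not real traffic).
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e-corp.net>
Reply-To: jane.doe.ceo@freemail.example
To: sam.lee@example.com

Sam, can you handle a vendor payment today? Let me know when you can talk.
"""
SAMPLE_OK = """From: Jane Doe <jane.doe@example.com>
To: sam.lee@example.com

Agenda is in the calendar invite, see you Thursday.
"""
```

A message sent from a genuinely compromised colleague account produces no indicator here, which is why the article pairs technology with training and verification procedures.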
Researchers at Abnormal Security analyzed the most common characteristics of BEC attacks that occurred before February 2020, and found that 65 percent involved “engagement,” or tricking an employee into wiring a fraudulent payment. Another 18 percent of the incidents involved Bitcoin extortion, 10 percent used gift card fraud, and 7 percent attempted to manipulate employee payroll data. After February 2020, most of these attacks also incorporated COVID-19-related themes.
Organizations need to use a combination of technology, training, and processes in order to thwart BEC attacks. Employees need to know that they might not be able to spot a well-crafted spear-phishing email that appears to come from their boss or a co-worker. New-school security awareness training can teach your employees how to verify potentially illegitimate requests, even if they appear to be sent from a trusted source. Trained employees can also help an organization craft and test improved policies and procedures that stop BEC before it drains the company's accounts.