Business email compromise fraud is growing faster than your profits are

Strong returns are fuelling cybercriminals’ continuing love affair with email fraud

The frequency of business email compromise (BEC) attacks is exploding as large financial returns continue to motivate cybercriminals to find new ways of exploiting human weaknesses.

BEC volumes were up 80 percent quarter-on-quarter, according to the latest Mimecast Email Security Risk Assessment (ESRA), which analysed more than 142 million emails that had been cleared by potential customers’ incumbent email systems.

Some 41,605 BEC emails were flagged from the pool of re-examined messages, which also yielded 15,656 malware attachments and 13,176 emails containing dangerous file types.

BEC’s reliance on deceiving humans, rather than on malware code that can be more readily identified and disabled, has turned it into a major security consideration for enterprises.

Earlier this year, a global FBI-coordinated sweep led to 74 arrests around the world, just weeks before the bureau announced that global BEC losses had passed $US12 billion ($A16.5b).

The impact of the scams has been significant in Australia, which is the world’s second most-popular target country for BEC fraudsters with reported losses of $20 million to BEC last year alone.

“Targeted malware, heavily socially-engineered impersonation attacks, and phishing threats are still reaching employee inboxes,” Mimecast cybersecurity strategist Matthew Gardiner said in a statement.

“Our latest quarterly analysis saw a continued attacker focus on impersonation attacks quarter-on-quarter. These are difficult attacks to identify without specialised security capabilities, and this testing shows that commonly used systems aren’t doing a good job catching them.”

The industry has turned to artificial intelligence (AI) technologies to try to pick up on discrepancies in the often official-sounding language with which BEC emails are written.

Despite the promise of AI, in the short term most consultants are recommending that companies focus on better human education. But providing effective education requires a better understanding of the targets of BEC attacks – something that, a recent Proofpoint analysis found, may come as a surprise.

Individual contributors and lower-level management accounted for around 60 percent of targeted malware and credential-phishing attacks, Proofpoint found, with more than 65 percent of email fraud targets reporting that they had had the identities of more than five employees spoofed.
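The employee-identity spoofing described above is what most BEC filtering actually has to catch: a familiar display name on an unfamiliar address, a domain that differs from the corporate one by a character or two, and a Reply-To that quietly redirects the conversation. The following is an added example (not code from the article or from Mimecast or Proofpoint) of those three header checks in Python; the company domain, the protected names and the sample messages are all constructed for illustration.

```python
"""Heuristic header checks for the employee-impersonation pattern BEC relies on.

Added example; the domain, names and messages below are constructed, not real.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: a hypothetical company and the identities attackers most often spoof.
CORPORATE_DOMAIN = "example.com"
_RAW_IDENTITIES = {
    "Jane Smith": "jane.smith@example.com",  # CEO
    "Raj Patel": "raj.patel@example.com",    # CFO
}


def normalise_name(name: str) -> str:
    """Lower-case, strip punctuation and sort tokens so 'Smith, Jane' == 'Jane Smith'."""
    cleaned = re.sub(r"[^\w\s]", " ", name.lower())
    return " ".join(sorted(cleaned.split()))


PROTECTED = {normalise_name(k): v for k, v in _RAW_IDENTITIES.items()}

# Characters attackers swap into lookalike domains; 'rn' for 'm' is handled separately.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str, legit: str = CORPORATE_DOMAIN) -> bool:
    """True when a domain is not ours but is built to look like ours."""
    if domain == legit:
        return False
    folded = domain.replace("rn", "m").replace("vv", "w").translate(_HOMOGLYPHS)
    if folded == legit:
        return True                       # examp1e.com, exarnple.com
    if domain.startswith(legit + "."):
        return True                       # example.com.payments-portal.net
    return edit_distance(domain, legit) <= 2  # exmaple.com, example.co


def check_message(raw: str) -> list:
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Display name belongs to a protected identity but the address does not match.
    expected = PROTECTED.get(normalise_name(display))
    if expected and addr != expected:
        findings.append(f"display-name impersonation: '{display}' sent from {addr}, expected {expected}")

    # 2. Sender domain is a typosquat or homoglyph of the corporate domain.
    if domain and is_lookalike_domain(domain):
        findings.append(f"lookalike sender domain: {domain}")

    # 3. Reply-To redirects replies to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply = reply.lower()
    if "@" in reply and reply.rsplit("@", 1)[-1] != domain:
        findings.append(f"reply-to domain differs from sender: {reply}")

    return findings


# Constructed sample messages (not real traffic).
SAMPLE_BEC = (
    "From: Jane Smith <ceo.jane.smith@examp1e.com>\n"
    "Reply-To: Jane Smith <jsmith.private@mail.example.net>\n"
    "To: accounts@example.com\n"
    "Subject: Urgent wire\n"
    "\n"
    "Are you at your desk? I need a supplier payment processed before 3pm.\n"
)
SAMPLE_LEGIT = (
    "From: Jane Smith <jane.smith@example.com>\n"
    "To: accounts@example.com\n"
    "Subject: Board pack\n"
    "\n"
    "Attached as discussed.\n"
)

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(sample) or "no findings")
```

The checks are deliberately header-only, so they run before any content analysis and do not depend on a model of the attacker's language; in a real pipeline the directory of protected identities would come from HR or the identity provider rather than a literal dictionary, and a hit on check 1 alone is usually enough to quarantine for review.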

The number of email-fraud attacks per targeted company increased by a quarter over the previous quarter and 85 percent from the same quarter a year ago, Proofpoint’s analysis noted, with the volume of malicious email up 36 percent compared to the previous quarter and the number of phishing links sent through social media up 30 percent.

That level of growth would seem to be an obvious prompt for doubling down on security practices and user education, but analyses suggest that the opposite is happening.

Not only are companies slow to implement security technologies – one recent Ivanti survey found that just half had even started implementing the ASD Top 4 Mitigation Strategies – but many aren’t actively training their employees to spot phishing and BEC emails.

A recent Switchfast Technologies survey, for one, found that fully 65 percent of small-business employees said they had never received a phishing test, even though 91 percent of cyberattacks originate with a phishing email.

“All it takes is a split-second reaction click to cause a heap of trouble for your organization,” the firm noted. “Routine phishing tests are an effective way to gauge an individual’s ability to recognize and respond to fake emails.”

“While the reactive click is hard to combat against, there are cybersecurity measures that can be put in place to control the damage. Certain programs will ask the user if they’re sure a link is secure before it takes them to a potentially malicious web page, for example. Adding an extra step after a link click will help prevent muscle memory from causing a data breach.”
