Business Email Compromise (BEC) Incurs $50 Billion in Global Losses
On the back of sophisticated targeting and social engineering, business email compromise (BEC) has cost businesses worldwide more than $50 billion over the past ten years. According to the FBI’s Internet Crime Complaint Center (IC3) 2022 report on BEC, global businesses lost approximately $51 billion between October 2013 and December 2022, while US businesses lost over $17 billion. The IC3’s report revealed that 137,601 US-based organizations reported falling victim to BEC in the past few years, reflecting a growth of 17% year-over-year in 2022.
The Growing Dominance of BEC in the Cyber Threat Landscape
BEC continues to represent a thriving cybercriminal activity, despite increased awareness and defense against the attack vector. Security professionals attribute BEC's continued dominance in the landscape to attackers becoming increasingly savvy at socially engineering messages so that they appear authentic to users. Achieving legitimacy in a victim's eyes is key to the success of BEC scams, which has led fraudsters to closely follow physical events and trends. BEC attacks on the real estate sector have surged due to struggles within that sector, which threat actors are taking advantage of.
The Silent Danger of BEC
BEC is a type of attack where criminals use deception and impersonation to compromise legitimate business or personal email accounts to conduct an unauthorized transfer of funds. BEC attacks are well known for causing major financial losses for companies and individuals. The rise in notoriety of ransomware has allowed BEC attackers to go under the radar while increasing the impact of their scams. The rise of social engineering in general as a successful tactic by cybercriminals is also adding to BEC's insidious and robust nature.
How Enterprises Can Respond to BEC
Security experts suggest that organizations will be forced to respond with even stronger security measures as the success of BEC continues. Continuous, real-time monitoring and assessment of internal security controls is recommended so that control anomalies or failures that can lead to successful BEC incidents are detected promptly. Generative AI, which BEC attackers are increasingly using to help them craft socially engineered messages, could also be leveraged by organizations to defend against attacks. Organizations should also strengthen workforce education efforts to help employees identify malicious messages.
Editorial: The Importance of Cybersecurity Education
The rise of BEC scams reflects the continued success of social engineering tactics. This highlights the need for robust cybersecurity education at every level of an enterprise, from employees to executives. Enterprises should implement cybersecurity training to help employees recognize suspicious messages or phishing campaigns and follow an organized threat response process. Collaboration between security, compliance and risk management teams can help to improve security and response times. Adequate knowledge and training are essential to protect enterprises and individuals from BEC scams.
Advice for Individuals: Protecting Against BEC Scams
Individuals should also be vigilant against BEC scams. An important step is to verify payment requests and high-risk activity with vendors and clients before transferring money. Suspicious emails should be reported to the IT department. It is also essential to validate the identity of the sender, verify the email domain rather than relying on the name alone, and check the tone and writing style of the email. By taking these steps, individuals can help to avoid significant financial losses due to BEC attacks.
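The advice above to verify the email domain rather than the name alone can be automated as a first-pass check on message headers. The following is an added example, not taken from the IC3 report or any vendor tool; the trusted domains, the protected display name, the similarity threshold and the sample messages are all assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: domains the organization already does business with.
TRUSTED_DOMAINS = ["corp.example", "vendor.example"]
# Assumed: display names worth protecting, mapped to the domain they really use.
PROTECTED_NAMES = {"jane doe": "corp.example"}

def domain_of(address):
    return address.rpartition("@")[2].lower()

def lookalike_of(domain, threshold=0.85):
    """Return the trusted domain this one closely resembles, if any."""
    for trusted in TRUSTED_DOMAINS:
        if SequenceMatcher(None, domain, trusted).ratio() >= threshold:
            return trusted
    return None

def check_sender(raw_message):
    """Return a list of findings based on the From and Reply-To headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = domain_of(addr)
    findings = []
    if domain not in TRUSTED_DOMAINS:
        near = lookalike_of(domain)
        findings.append(f"lookalike-domain:{near}" if near else "unknown-domain")
    # A familiar name on an unfamiliar domain is the classic BEC impersonation cue.
    expected = PROTECTED_NAMES.get(name.strip().lower())
    if expected and domain != expected:
        findings.append("display-name-mismatch")
    # Replies silently routed to another domain deserve a second look.
    if reply_to and domain_of(reply_to) != domain:
        findings.append("reply-to-differs")
    return findings

# Constructed sample messages (reserved .example/.test domains).
GENUINE = 'From: "Jane Doe" <jane.doe@corp.example>\nSubject: Q3 invoice\n\nHi'
SPOOFED = ('From: "Jane Doe" <jane.doe@c0rp.example>\n'
           'Reply-To: payments@mailbox.test\nSubject: Urgent wire\n\nHi')
FREEMAIL = 'From: "Jane Doe" <jd.office@freemail.test>\nSubject: Favor\n\nHi'

if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("spoofed", SPOOFED), ("freemail", FREEMAIL)]:
        print(label, check_sender(raw))
```

An empty result only means the headers look consistent; a compromised legitimate account passes this check, so payment requests still need the out-of-band verification described above.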