
28% of BEC Emails Are Opened and 15% Get a Reply

Business Email Compromise scams are the biggest cause of losses to cybercrime. Over the past 5 years, more than $43 billion has been lost to the scams, according to the FBI’s Internet Crime Complaint Center (IC3). In its March 2022 report, the FBI said IC3 had received reports of $2.4 billion in losses to BEC attacks in the last year across almost 20,000 reported attacks, and attacks are continuing to increase. According to a new study by Abnormal Security, between H1 and H2 2022, there was an 81% increase in BEC attacks and a 147% increase in BEC attacks on small businesses over that same period. There are no signs of the attacks slowing, and in all likelihood, they will continue to increase.

BEC attacks target human weaknesses. The attackers use social engineering techniques to trick employees into making fraudulent wire transfers, changing bank account information for upcoming vendor payments, changing direct deposit information for employees, purchasing gift cards, and disclosing sensitive data. As with phishing attacks, fear and urgency are used to get employees to respond quickly without verifying the legitimacy of the request. These attacks typically come either from a compromised email account or from a spoofed sender address, with the attacker impersonating the account owner in both cases. Many employees open these emails, and an alarming percentage reply and engage with the scammers.

Email-based attacks, such as BEC, phishing, extortion, scams, and malware continue to increase. According to Abnormal Security, email attack volume increased by 22% overall, rising from an average of 85.13 attacks per 1,000 mailboxes in H1 2022 to 104.04 attacks per 1,000 mailboxes in H2 2022. While the increase in attacks is a cause of concern, more worrying is the number of employees that engage with the attackers and fail to identify and report email threats.

Abnormal Security monitored the email environments of hundreds of organizations between July and December 2022 and found the median open rate for text-based BEC attacks was 28% and the average read rate was 20%. While opening and reading these emails does not necessarily mean that the employee will ultimately be fooled by the scam, on average, 15% of the malicious emails were replied to.


Abnormal Security reports that while only 0.28% of employees engaged with more than one attack, more than one-third of replies were initiated by employees who had previously engaged with a scammer in an earlier attack. This could indicate a lack of training in response to the first attack, or a failure of those employees to take their training on board. It is also possible that certain employees are targeted frequently due to their role in the organization, and the more BEC emails an individual receives, the greater the chance that they will eventually mistake an attack for a legitimate email request.

While employees in transportation were the most likely to reply to these attacks, the reply rates were also high in healthcare, which ranked third with a reply rate of 8.22%. Abnormal Security suggests the healthcare industry is particularly susceptible to these types of attacks for two reasons: the industry attracts people who have a strong desire to help others, and there is often a high turnover rate in hospitals and large health systems, which makes it more likely that employees do not know their colleagues personally and therefore makes impersonation much easier.

The study also revealed an alarmingly low reporting rate for these emails. On average, only 2.1% of all known attacks are reported by employees to their security teams, and the majority of messages that are reported to the security team – 84% – are not malicious. The findings of the study highlight the importance of conducting ongoing security awareness training, with a strong emphasis on phishing and BEC attacks. Organizations should also consider conducting phishing and BEC attack simulations, as the data from these simulations indicate that this is one of the most effective ways of training. Organizations should make it as easy as possible for employees to report potential threats and reporting should be encouraged. A mail client add-on that allows single-click reporting of potentially malicious emails should be considered.

As Abnormal Security points out, even with training, employees are likely to make mistakes, so the best defense is to ensure that these malicious emails are blocked and do not land in inboxes, which means upgrading from a traditional email security solution to one that incorporates machine learning/AI algorithms capable of detecting small anomalies in email content.

“Because advanced email attacks like business email compromise and supply chain compromise exploit trusted email accounts and relationships, organizations need email security that can detect even small shifts in activity and content,” explained Abnormal Security in the report. “The most effective email security platforms baseline known-good behavior across employees and vendors, and then detect and remediate malicious emails in milliseconds to prevent end-user engagement.”
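As an added illustration of the baselining approach described above (example code written for this article, not Abnormal Security's product or the article's own material): a small rule-based scorer that compares each inbound message against a constructed known-good sender baseline and flags the identity anomalies and request types the article lists. The baseline, sample messages, similarity threshold and verdict policy are all assumptions chosen for the demonstration.

```python
import re
from difflib import SequenceMatcher

# Constructed baseline of known-good senders (stands in for a learned behaviour model).
BASELINE = {
    "Dana Reyes": {"example-health.org"},          # employee (finance lead)
    "Acme Medical Supply": {"acmemedsupply.com"},  # vendor that sends invoices
}
RISKY_REQUEST = re.compile(  # request types the article lists as BEC objectives
    r"\b(wire transfer|bank (account|details)|direct deposit|gift cards?)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)
IDENTITY_FLAGS = {"display-name impersonation", "lookalike domain", "reply-to domain mismatch"}

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def score_message(msg):
    flags = []
    sender_dom = domain_of(msg["from"])
    trusted = BASELINE.get(msg["display_name"])
    if trusted and sender_dom not in trusted:
        flags.append("display-name impersonation")
        # A near-identical domain (homoglyph or typo) is the classic spoofed sender.
        if any(SequenceMatcher(None, sender_dom, d).ratio() >= 0.8 for d in trusted):
            flags.append("lookalike domain")
    if msg.get("reply_to") and domain_of(msg["reply_to"]) != sender_dom:
        flags.append("reply-to domain mismatch")  # replies silently diverted
    text = msg["subject"] + " " + msg["body"]
    if RISKY_REQUEST.search(text):
        flags.append("payment/credential change request")
    if URGENCY.search(text):
        flags.append("urgency cue")
    return flags

def verdict(flags):
    """Identity anomaly plus a risky request is blocked; any other flag goes to review."""
    if IDENTITY_FLAGS & set(flags) and "payment/credential change request" in flags:
        return "block"
    return "review" if flags else "deliver"

# Constructed samples: employee impersonation from a lookalike domain, vendor mail with a diverted reply-to, benign invoice.
SAMPLES = [
    {"display_name": "Dana Reyes", "from": "dana.reyes@example-heaIth.org",
     "subject": "Urgent wire transfer", "body": "Send the wire transfer today, I am in a meeting."},
    {"display_name": "Acme Medical Supply", "from": "billing@acmemedsupply.com", "reply_to":
     "billing.acme@mail-example.net", "subject": "Updated bank details", "body": "Use our new bank account."},
    {"display_name": "Acme Medical Supply", "from": "billing@acmemedsupply.com",
     "subject": "Invoice 4471 attached", "body": "Please find this month's invoice attached."},
]
```

Running `verdict(score_message(m))` over the samples gives block, block and deliver; the first sample trips the lookalike check because the capital I in its domain is a homoglyph for the l in the baseline domain.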

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
