BEC Emails Increase 20% YoY; AI Used in 40% of Attacks
There has been a surge in business email compromise attacks in the past year and cybercriminals are increasingly using AI tools to craft their malicious emails, according to data from Vipre Security Group.
Business email compromise (BEC) is a form of social engineering involving spoofed or compromised email accounts, with the email accounts used for the scam often compromised through phishing. These attacks may seek sensitive information, but most commonly the aim is to trick individuals with responsibility for wire transfers into making fraudulent transfers to an attacker-controlled account. For example, a vendor’s email account is compromised and used to send messages to clients and ask them to change bank account information for an upcoming payment.
BEC is one of the costliest types of cybercrime. According to the Federal Bureau of Investigation (FBI) Internet Crime Report, $2.9 billion was lost to BEC scams in 2023 and 21,489 complaints about BEC attacks were received by its Internet Crime Complaint Center (IC3). Despite the increase in ransomware attacks, losses to BEC attacks were 48 times higher than losses to ransomware. Between October 2013 and December 2022, more than $50 billion was lost to BEC scams. The losses to these scams can be colossal. INTERPOL recently announced that it successfully recovered almost $41 million that was stolen in a BEC attack from a Singapore-based commodity firm.
According to Vipre, around 1.8 billion emails were processed in Q2, 2024, 226.45 million spam emails were detected, and 49% of those emails used BEC lures, a 20% increase from Q2, 2023. Vipre took a sample of the BEC emails sent to its customers, analyzed them for AI-generated content using tools including ZeroGPT, GPTZero, Sapling, Scribbr, and Quillbot, and determined that 40% of those emails had been created by AI tools.
AI tools are being used to craft compelling phishing emails to compromise the accounts used in BEC attacks, and also to create the BEC emails themselves in the style of the legitimate account holder. Those emails are most commonly sent to CEOs and executives (87%), with HR and IT professionals the next most commonly targeted individuals. These figures show why it is vital to ensure that the C-Suite participates in security awareness training.
There have also been significant increases in other types of email attacks. Malicious links in emails were up 74% year over year, with almost 17 million malicious links detected, and double the number of evasive malicious email attachments were detected in Q2, 2024 compared to Q2, 2023. Cybercriminals are increasingly leveraging AI for their BEC and phishing campaigns, and it is becoming harder to identify and block these threats, especially for end users, as these emails often lack the typical red flags such as spelling errors and grammatical mistakes. The key to blocking these threats is to use AI-based email security solutions and tackle AI with AI.


