Beware of business email compromise (BEC), which has become more sophisticated and has cost businesses over $50 billion in the past decade. According to the FBI, which has released its latest report on BEC activity, business losses to BEC grew 17% year-over-year in 2022. The agency noted that US businesses lost over $17 billion to these scams between October 2013 and December 2022, while global businesses lost nearly $51 billion over the same period.
Organisations’ increased awareness of and defence against BEC has not dampened cyber criminals’ enthusiasm for the attack, which has been prevalent for over a decade. One reason for BEC’s continued dominance in the cyber threat landscape is that attackers have become increasingly effective at crafting social-engineering messages that appear authentic to the user. Achieving legitimacy in the eyes of the victim is key to the scam’s success. To enhance their credibility, attackers follow physical, real-world events closely and time their online campaigns to coincide with them.
For example, IC3’s report noted an uptick in BEC attacks on the real estate sector, attributed to the sector’s struggles over the past year and a half. Concerns about commercial real estate have led to the repurposing of cities and to increased activity in residential real estate. The surge in BEC activity indicates that threat actors are seeking to take advantage of the sector’s difficulties.
BEC is a deception that allows a cyber criminal to compromise legitimate business or personal email accounts in order to conduct an unauthorised transfer of funds or to access personally identifiable information. Because of this, BEC creates massive financial losses not just for companies but also for individuals. BEC incidence and costs have been rising steadily in recent years, with incidents doubling over 2022.
The rise of social engineering is also a contributing factor: BEC attacks often rely on phoney trust established through social media profiles, email accounts and blogs, typically fostered by the creation of fake accounts. Social engineering attacks such as phishing and pretexting are becoming more complex and sophisticated, making it increasingly challenging for victims to identify malicious campaigns and messages.
To prevent further losses and reduce BEC fraud, organisations must improve their human-factor security measures and reinforce workforce education to help employees identify malicious messaging. They must also consider continuous, real-time monitoring and evaluation of their internal security controls to detect control anomalies that can lead to successful BEC incidents. Volovich, VP of compliance strategy at compliance firm Qmulos, recommends adopting generative AI to help organisations identify social-engineering methods and reduce the risk of business email compromise.
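As an added illustration of the "continuous monitoring to detect anomalies" recommendation above, the following Python script is example code written for this page; it is not from the FBI/IC3 report, from Qmulos or from Volovich. It triages inbound messages on a few indicators that are characteristic of BEC attempts to "appear authentic" to the recipient: an executive's display name paired with a different address, a sender domain one character away from the organisation's own, a Reply-To that diverges from the From domain, and wire-transfer or urgency wording. The internal domain, the executive list, the keyword list and the two sample messages are all constructed assumptions, not data from the article.

```python
"""Heuristic BEC triage over raw email headers (added example, not from the article)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's own domain and the
# executives whose display names are most likely to be impersonated.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

# Constructed keyword list; a real deployment would tune this to its own traffic.
URGENCY = re.compile(r"\b(urgent|wire|immediately|invoice|change (of )?bank)\b", re.I)


def edit_distance_leq1(a: str, b: str) -> bool:
    """True when a and b differ by at most one insertion, deletion or substitution.
    Catches lookalikes such as examp1e.com; transpositions are deliberately not covered."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):      # extra character in a
            i += 1
        elif len(b) > len(a):    # extra character in b
            j += 1
        else:                    # substitution
            i += 1
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def triage(raw: str) -> dict:
    """Score one RFC 822 message and list the BEC indicators that fired."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rsplit("@", 1)[-1].lower() if reply else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []

    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        reasons.append("display name matches an executive but the address does not")
    if domain != INTERNAL_DOMAIN and edit_distance_leq1(domain, INTERNAL_DOMAIN):
        reasons.append(f"sender domain {domain} is a lookalike of {INTERNAL_DOMAIN}")
    if reply_domain and reply_domain != domain:
        reasons.append("Reply-To points to a different domain than From")
    if URGENCY.search(msg.get("Subject", "")) or URGENCY.search(body):
        reasons.append("wire-transfer or urgency wording present")

    # Two independent indicators together are treated as worth an analyst's attention.
    return {"score": len(reasons), "reasons": reasons, "flag": len(reasons) >= 2}


# Constructed sample messages for demonstration only.
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.janedoe@mail-example.net>
To: accounts@example.com
Subject: Urgent wire transfer

Please process this wire immediately and confirm.
"""

SAMPLE_OK = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Quarterly figures

Attached are the figures for the board pack.
"""

if __name__ == "__main__":
    for label, sample in (("bec", SAMPLE_BEC), ("ok", SAMPLE_OK)):
        result = triage(sample)
        print(label, result["score"], result["flag"], result["reasons"])
```

The checks are deliberately cheap header and keyword heuristics, so they suit a continuous pipeline that feeds a queue for human review rather than auto-blocking; the score threshold and keyword list are the knobs an organisation would tune against its own false-positive rate.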