What’s the most expensive cyberattack that businesses face today? If you said business email compromise (BEC) you’re right. The FBI IC3 2021 Internet Crime Report showed that BEC packed a powerful punch against U.S. businesses that year. BEC complainants to IC3 suffered $2,395,953,296 in losses in 2021, 28% higher than 2020’s record total of $1,866,642,107. These 10 facts about business email compromise can help you gain insight into the scope of this dangerous cyber risk for businesses.

10 Facts About Business Email Compromise That You’ve Got to Know:

1. Business email compromise schemes have caused at least $5.3 billion in total losses to approximately 24,000 enterprises in the U.S. in the last 3 years.

2. More than 70% of organizations have experienced a BEC attack.

3. The U.S. Federal Bureau of Investigation Internet Crime Complaint Center (FBI IC3) named business email compromise a cyberattack that is 64x worse for businesses than ransomware

4. Nearly 50% of all BEC attacks result from the spoofing of an individual’s identity.

5. 68% of BEC attempts involve spoofing an organization

6. 53% involve masquerading as a boss or executive in the target’s company

7. 66% of BEC attempts to address their target by name

8. 77% of organizations faced business email compromise attacks in 2021, up from 65% in 2020. That represented an 18% increase in BEC attacks.

9. BEC losses involving cryptocurrency achieved the highest numbers to date in 2021 with just over $40M in exposed losses.

10. Phishing/BEC/Smishing was responsible for the highest number of data compromises in H1 2022.

It pays to learn the facts about business email compromise and what it looks like in action.BEC scams often start with phishing. It’s an easy and cheap way for bad actors to get the ball rolling for most of today’s nastiest cyberattacks. Phishing is prevalent because it works, and employees are facing a flood of phishing threats every day. The number of recorded phishing attacks hit an all-time high in Q1 2022, with more than one million attacks in a quarter recorded for the first time. Phishing lures that are part of a BEC attack are often sophisticated, making it hard for employees to handle. An estimated 97% of employees cannot detect a sophisticated malicious message.

FBI IC3 Tips for Avoiding BEC

• Use secondary channels or two-factor authentication to verify requests for changes in account information.
• Ensure the URL in emails is associated with the business/individual it claims to be from.
• Be alert to hyperlinks that may contain misspellings of the actual domain name.
• Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
• Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
• Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
• Monitor your financial accounts regularly for irregularities, such as missing deposits.
• If you discover you are the victim of a fraud incident, immediately contact your financial institution to request a recall of funds. Regardless of the amount lost, file a complaint with www.ic3.gov or, for BEC/EAC victims, BEC.ic3.gov, as soon as possible.

One of the most effective weapons against phishing is regular security awareness training. This multi-benefit dynamo dramatically slashes employees’ chance to fall for a phishing lure. 80% of organizations in a study said that security awareness training reduced the possibility that a staffer would fall for phishing substantially. Ultimately researchers determined that although security awareness training doesn’t work overnight, it makes steady progress that holds up over time reducing a company’s phishing risk from 60% to 10% within the first 12 months.

Beyond training with videos and quizzes (the most effective type of security awareness training), training employees to resist the temptations of phishing lures using phishing simulations is an effective tactic. In a report by Microsoft, analysts determined that when employees receive simulated phishing training, they’re 50% less likely to fall for phishing.  People are more likely to learn and retain new knowledge by experience, and phishing simulations help employees hone their ability to spot red flags – and an estimated 90% of employees who receive more than five minutes of security awareness training every month are likely to know to divert suspicious messages to administrators or the IT team.

Source: ID Agent