FBI says Business Email Compromise attacks have cost over $43 billion since 2016

Today, the FBI released a public service announcement revealing that Business Email Compromise (BEC) attacks caused domestic and international losses of over $43 billion between June 2016 to December 2021, with a 65% increase in losses between July 2019 and December 2021. 

BEC attacks have become one of the core techniques cybercriminals use to target enterprise’s protected data and gain a foothold in a protected environment.

Research shows that 35% of the 43% of organizations that experienced a security incident in the last 12 months reported that BEC/phishing attacks account for more than 50% of the incidents.  

In many of these attacks, a hacker will target businesses and individuals with social engineering attempts and phishing scams to break into a user’s account to conduct unauthorized transfers of funds or to trick other users into handing over their personal information. 

Why are BEC attacks costing organizations so much? 

BEC attacks are popular among cyber criminals because they know they can target a single account and gain access to lots of information on their direct network, which they can use to find new targets and manipulate other users. 

“We’re not shocked at the figure stated in the FBI Public Service Announcement. In fact, this number is likely low given that a large number of incidents of this nature go unreported and are swept under the rug,” said Senior Security Consultant at LARES Consulting, Andy Gill. 

“BEC attacks continue to be one of the most active attack methods utilized by criminals because they work. If they didn’t work as well as they do, the criminals would switch tactics to something with a larger ROI,” 

Gill notes that once an attacker gains access to an email inbox, usually with a phishing scam, they will start to search the inbox for “high-value threads”, such as discussions with suppliers or other individuals in the company to gather information so they can launch further attacks against employees or external parties. 

Mitigating these attacks is made more difficult by the fact it’s not always easy to identify there’s been an intrusion, especially if the internal security team has limited security resources. 

“Most organizations who become victims of BEC are not resourced internally to deal with incident response or digital forensics so they typically require external support,” said Chief Security Scientist and Advisory CISO Delinea, Joseph Carson. 

“Victims sometimes prefer not to report incidents if the amount is quite small but those who fall for larger financial fraud BEC that amounts to thousands or even sometimes millions of US dollars must report the incident in the hope that they could recoup some of the losses,” Carson said.  

The answer: privilege access management 

With BEC attacks on the rise, organizations are under increasing pressure to protect themselves, which is often easier said than done in the era of remote working. 

As more employees use personal and mobile devices for work which are outside the protection of traditional security tools, enterprises need to be much more proactive in securing data from unauthorized access, by limiting the number of employees that have access to personal information. 

“A strong privileged access management (PAM) solution can help reduce the risk of BEC by adding additional security controls to sensitive privileged accounts along with Multi-Factor Authentication (MFA) and continuous verification. It’s also important that cyber awareness training is a top priority and always practice identity proofing techniques to verify the source of the requests,” Carson said. 

Employing the principle of least privilege and enforcing it with privileged access management reduces the amount of employees that cyber criminals can target with manipulation attempts, and makes it that much harder for them to access sensitive information.