Business email compromise (BEC) attacks are one of the most financially damaging cyber crimes and have been on the rise over the past year. This is according to GreatHorn report, which revealed that spoofed email accounts or websites were the most experienced form of a BEC attack as 71% of organizations acknowledged they had seen one over the past year. This is followed by spear phishing (69%) and malware (24%).
Data from 270 IT and cybersecurity professionals were collected to identify the latest enterprise adoption trends, gaps and solution preferences related to phishing attacks.
Spoofing identifiers to harvest credentials takes precedence
Nearly 50% of all BEC attacks result from the spoofing of an individual’s identity in the display name. Among those spear phishing emails, cybercriminals are also using company names (68%), names of individual targets (66%), and the name of boss/managers (53%) to conduct their attacks.
What makes BEC attacks so successful is the availability of basic personal information online, that can be used against an employee who might be suffering from screen or email fatigue – thus stealing credentials to gain access to confidential and important data.
Employees are more susceptible to clicking on malicious links after recognizing a familiar name or other relevant identifiers that could pertain to their job. 57% say that malicious links in phishing emails intend to steal credentials, giving cybercriminals full access to confidential information.
“The findings in this report confirm the industry trends we’ve seen over the past year. With the majority of organizations operating on a fully remote or hybrid work schedule, the floodgates for cybercriminals have been opened,” said Kevin O’Brien, CEO of GreatHorn.
“Cybercriminals want the keys to the castle, which they achieve by stealing credentials. To do so they often target C-suite and finance employees as they have the most privileged information available to access. However, no employee is immune to these attacks; they can appear in anyone’s inbox and all it takes is a momentary lapse in judgement from an unsuspecting party to compromise an organization’s security.”
Remote employees and finance departments hardest hit by BEC attacks
One of the largest factors that has played into the rise of BEC attacks and impersonation efforts is the continued remote work policies in place with the majority of organizations.
30% of organizations state that over 50% of links received via email lead to a malicious site, demonstrating the never ending assault on inboxes perpetrated by criminals. On top of that, respondents identified that their finance departments have the largest target on their backs as 34% said finance-related employees are the most frequent victims of spear-phishing attempts.
When employees return to physical offices, real person interactions may help reduce the number of successful phishing attacks as people can verify the legitimacy of an email in an easier fashion.
Additional key stats
- 43% of organizations have experienced a security incident in the last 12 months, with 35% stating that BEC/phishing attacks account for >50% of the incidents.
- 1 out of 4 organizations say 76-100% of malware they detect is delivered via email.
- In the current work from home environment, 39% of organizations say they experience spear phishing on a weekly cadence.
- 65% of IT security pros say their organization has experienced spear phishing in 2021, while 51% say it has increased in the last 12 months.
- The good news – 69% say that their organization is prepared to handle a cyberattack, and 71% believe their employees are prepared to identify a malicious email.