Business email compromise a growing threat


Proofpoint, Inc., a next-generation security and compliance company, has released new research into business email compromise (BEC) attacks that indicates an acceleration in their sophistication and velocity.

BEC attacks, which have cost businesses billions of dollars*, put every email-based relationship at risk. During an attack, cybercriminals pretend to be a company executive and send highly targeted emails to employees to trick recipients into wiring money or sending sensitive information.

“Seventy-five per cent of our customers were hit with at least one attempted BEC attack in the last three months of 2016 – and it only takes one to cause significant damage,” said Ryan Kalember, senior vice president of Cybersecurity Strategy for Proofpoint.

“Our research shows static policies cannot keep up as attackers are constantly changing their socially-engineered messages. Organisations need detection, authentication, visibility, and data loss prevention to ensure they don’t fall victim.”

Proofpoint's research on its 5000 enterprise customers between July and December 2016 (across its U.S., Canadian, UK, German, French, and Australian customer base) confirms cybercriminals are using social engineering to target and exploit victims.

The research reveals that BEC attacks increased by 45 per cent in the last three months of 2016 vs. the prior three months. Two-thirds of all BEC attacks spoofed their email address domain so that their fraudulent emails displayed the same domain as that of the company targeted in the attack.

SMEs are prone to BEC attacks

Proofpoint data indicates no correlation between the size of the company and BEC attack volume. While smaller companies may not yield the same returns as larger corporations, the relative absence of financial controls makes them more vulnerable.

Manufacturing, retail and technology companies are generally targeted more often by BEC attacks. These companies are hit repeatedly every month, as cybercriminals look to take advantage of the more complex supply chains and SaaS infrastructures which often accompany these industries.

Everyone in the business is vulnerable

While CEO impersonation continues in BEC attacks, cybercriminals are increasingly targeting victims deeper within organizations. There is a shift beyond simple fraudulent CEO-to-CFO BEC attacks to attacks from the "CEO" on different employee groups: for example, accounts payable for wire transfer fraud attempts, human resources for confidential tax information and identities, and engineering for intellectual property theft.

More than 70 per cent of the most common BEC subject line families feature the words “Urgent,” “Payment” and “Request.” The top seven subject line families are: payment (30 per cent), request (21 per cent), urgent (21 per cent), greeting (12 per cent), blank (nine per cent), FYI (five per cent), and “where are you?” (two per cent).

*FBI. “Business Email Compromise: The 3.1 Billion Dollar Scam.” June 2016.

Inside Small Business