A visitor tries out a smartphone at a consumer electronics and appliances trade fair. (Photo by Sean Gallup/Getty Images)

As financial institutions have become a greater target for cybercriminals, business email compromise (BEC) has become a more significant issue for banks, investment firms and other financial firms.

According to the FBI, BEC cost $43 billion globally between June 2016 and December 2021. BEC and phishing attacks have targeted funds by exploiting social engineering tactics to have victims initiate bank transfers to cybercriminals. In an FBI public service announcement, the organization shared that the Internet Crime Complaint Center (IC3) has viewed an uptick in BEC complaints involving cryptocurrency.

The banking industry made up 11% of targets for phishing attacks in 2021, and other financial sector players remained top targets as well, with e-commerce making up 17% of phishing targets.

“As business email compromise and socially engineered attacks proliferate,” said DJ Sampath, CEO Armorblox, “the financial industry is faced with a set of challenges that make them uniquely vulnerable to these kinds of advanced threats.”

Sampath offered this guidance to financial institutions and financial technology companies looking to mitigate BEC risk:

  1. Email communications frequently exchange information about invoices and requests for wire transfers. Knowing this, attackers target employees at financial firms with attacks that spoof these commonly known business workflows.
  2. With a large focus on customer satisfaction, employees at financial firms are naturally inclined to respond fast to questions and inquiries. This makes them vulnerable to complying with socially engineered email attacks that use language as the main attack vector — we see this with VIP impersonation and recon email attacks.
  3. Financial firms have access to sensitive information about high-net-worth individuals, making them at the receiving end of a high volume of account compromise attempts. Even when an organization might have a strong email security defense, attackers can still compromise them through vendors, suppliers, distributors, or other entities that they work with.