Business email compromise (BEC) attacks have increased by 81% in 2022 and 175% over the past two years, while 98% of employees failed to report the threat, according to Abnormal Security.
The security vendor's H1 2023 Email Threat Report reveals worrisome corporate security challenges tied to employee behavior. Amid the massive spike in BEC attacks, the median open rate for text-based BEC emails during the second half of 2022 reached 28%, with 15% of employees replying to malicious content.
When it comes to email attacks, human risk cannot be ignored. Attackers are continually inventing new social engineering tactics to lure employees into opening malicious emails and handing over sensitive information, such as login credentials, or taking harmful actions like updating bank account details for a payment.
While BEC attacks target all levels of employees, the report found that 78% of attacks were read and replied to by entry-level sales associates. Industry-wise, employees in the transportation sector (16%) were most likely to respond to attacks, followed by automotive (9%) and healthcare (8%). The increased sense of urgency regarding maintaining operations and resolving issues quickly might explain the high response rate in the transportation sector, the report suggested.
To fundamentally mitigate the BEC threat, Abnormal Security CISO Mike Britton said companies should not entirely rely on the training of staffers. Instead, they should implement technological solutions.
"While employees have to be right 100% of the time, threat actors only need to be right once — and attackers know this," Britton said in the report.
"Because advanced email attacks like business email compromise and supply chain compromise exploit trusted email accounts and relationships, organizations need email security that can detect even small shifts in activity and content," he added. "By doing so, they can block these attacks before employees have to make a choice on whether to read, reply to, or report them."
Despite law enforcement efforts to disrupt BEC cybercrime operations worldwide, attackers made $2.4 billion globally in 2021 from attacks reported to the FBI. That is 49 times the reported ransomware losses ($49.2 million) and accounts for roughly a third of total reported cybercrime losses ($6.9 billion).