
BEC attacks surged 81% in 2022, 98% employees failed to report threat

Laptops fill a table as part of a U.S. Transportation Command telework initiative at Scott Air Force Base, Illinois, April 15, 2020. USTRANSCOM’s Control, Communications and Cyber Systems Directorate were adding software and imaging laptops to issue to command members for official telework use to continue global mission operations while prote...

Business email compromise (BEC) attacks have increased by 81% in 2022 and 175% over the past two years, while 98% of employees failed to report the threat, according to Abnormal Security.

The security vendor's H1 2023 Email Threat Report reveals worrisome corporate security challenges associated with the workforce. Amid the spike in BEC attacks, the median open rate for text-based BEC emails during the second half of 2022 reached 28%, with 15% of employees responding to the malicious content.

When it comes to email attacks, human risk cannot be ignored. Attackers are increasingly devising new social engineering tactics to lure employees into opening malicious emails and handing over sensitive information, such as login credentials, or making changes like updating bank account details.

While BEC attacks target all levels of employees, the report found that 78% of attacks were read and replied to by entry-level sales associates. Industry-wise, employees in the transportation sector (16%) were most likely to respond to attacks, followed by automotive (9%) and healthcare (8%). The increased sense of urgency regarding maintaining operations and resolving issues quickly might explain the high response rate in the transportation sector, the report suggested.

To fundamentally mitigate the BEC threat, Abnormal Security CISO Mike Britton said companies should not entirely rely on the training of staffers. Instead, they should implement technological solutions.

"While employees have to be right 100% of the time, threat actors only need to be right once — and attackers know this," Britton said in the report.

"Because advanced email attacks like business email compromise and supply chain compromise exploit trusted email accounts and relationships, organizations need email security that can detect even small shifts in activity and content," he added. "By doing so, they can block these attacks before employees have to make a choice on whether to read, reply to, or report them."

Despite law enforcement efforts to disrupt BEC cybercrime operations worldwide, attackers made $2.4 billion globally in 2021 from attacks reported to the FBI, which is 49 times the reported yield of ransomware ($49.2 million) and accounts for a third of total reported cybercrime losses ($6.9 billion).

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.
