Almost all organisations are being peppered with phishing emails – also known as business email compromise (BEC) scams – intended to hook unwary executives.
That’s according to a survey by security firm Agari, which claims that the losses in the US alone run to $5.3 billion between 2013 and 2016.
Between June 2017 and December 2018, the company claims that 96 per cent of businesses in the US were targeted with a BEC attack.
The typical organisation would be subject to as many as 45 different BEC campaigns in this timeframe, and these attacks are so hard to detect because they vary in form. They often use spoof domains and display name deception to deceive companies.
In terms of numbers, 81 per cent of BEC campaigns used deceptive display names; 12 per cent domain consisted of spoofing; and seven per cent resorted to genuine-looking domains.
However, unlike phishing and non-phishing attacks, BEC attacks do not usually sport attached documents or links to malicious websites. Although companies are aware of these attacks, the majority of business IT systems are unable to fend them off.
Markus Jakobsson, chief scientist at Agari, said that businesses struggle to fend-off BEC and phishing emails because they often lack an identifiable threat that an automated tool can spot.
“BEC is a particularly effective attack vector because its lack of payload makes it nearly impossible for conventional email security solutions to detect and prevent,” he said.
“At its core, business email compromise is a social engineering attack that leverages familiarity, authority and trust, which can result in billions of dollars of losses to businesses.”
Tim Helming, director of product management at DomainTools, said firms need to be more wary with the emails they receive and understand that cyber crooks are using more deceptive techniques nowadays.
“Cybersecurity professionals will be unsurprised by the volume of BEC/CEO scams recorded by this survey, but it serves as a welcome reminder to make sure that regardless of whether an email appears to be internal or external, it can still be malicious,” he said.
“Cyber criminals are increasingly getting wise to the general public’s awareness regarding blanket phishing scams, and are taking the time to adjust their tactics accordingly- which the 5.3 billion in exposed losses suggests is working.”
He urged companies to “double check all and any emails before acting upon any of the content, particularly regarding financial transfers or decisions”.
Helming said: “Carefully check the sender’s email address, and if something seems unusual in their writing style, email format or request, take note of it and seek confirmation from the internal party via phone, in person, or via a new email thread.
“It’s better to slow down a legitimate request than to comply with a fraudulent one.”