BEC Attacks Cost Businesses $1.8B in 2019

According to the FBI’s 2019 Internet Crime Report, Business Email Compromise (BEC) attacks cost businesses $1.8B, with 94% of all data breaches originating from phishing attacks. Modern BEC attacks are becoming not only more common, but also more successful. The improved effectiveness of these attacks stems from hackers creating elaborate campaigns that cover tracks and evade signs of detection. To improve the success rate of their campaigns, cybercriminals are meticulously researching their target, its supply chains and users, leveraging company news and events, and tracking social media channels.

Although these attacks are a global threat across all industries, the financial sector is typically a primary target. According to the American International Group (AIG), BEC attacks are the top cause of cyber claims with the financial services industry accounting for 15% of all claims made in 2018. Whether they are the main target of the attack or a means to a target, banks are often pursued due to the large volume of phishing attempts they receive and numerous high-value transactions.

Criminals in general are typically interested in where the money is. Cyber criminals are no different. Instead of having to physically break into a bank like an old Hollywood style robbery movie, we are seeing an increase in cyber heists where the criminal does not have to physically break into a property to take any money away. This makes these heists much “safer” for the criminals and can be far more lucrative, as they are not only taking what is available at present.

Cybercriminals are often heavily armed with rich information about their targeted organisation and its supply chain. Taking a note that the vast majority of data breaches have originated from a BEC attack, it is not surprising that adversaries are crafting highly credible, targeted emails that are virtually indistinguishable from those sent by colleagues, clients, and suppliers we are communicating with on a daily basis.

As phishing attacks become more complex and sophisticated, it becomes harder for users to identify one when it lands in their inbox. Financial institutions, as well as businesses from all other industries, should be ensuring their brand, clients, supply chain, and internal users are protected against BEC attacks by reinforcing their email security posture. 

At Red Sift, we help our clients protect assets outside of their network by supporting them to implement the DMARC protocol. By closing the gap between what is provided by traditional email gateways and user awareness training, we empower users to quickly identify malicious emails and help to protect a company’s email domain. 

Click below to check your current email security hygiene.

PUBLISHED BY

Leo Do Carmo

19 Mar. 2020

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
News

Introducing DNS Guardian: Stop impersonation and spam caused by domain takeovers 

Rahul Powar

tl;dr: We’re thrilled to announce DNS Guardian — a new feature in Red Sift OnDMARC that can swiftly identify and stop domain takeovers that lead to malicious mail. Back in February, we shared updates with the community about SubdoMailing – an attack discovered by Guardio Labs. The attack was a form of subdomain takeover,…

Read more
Cybersecurity

Resilience Rising | Episode 3 with Kevin White

Red Sift

In this episode of Resilience Rising, Sean Costigan, Managing Director of Resilience Strategy at Red Sift, and Kevin White, Senior Operation Consultant with Enhanced Information Solutions, explore the critical intersection of wastewater management and cybersecurity.  The two highlight the health and operational impacts of cyber threats on water utilities, emphasizing the vulnerabilities due to…

Read more
Certificates

Your guide to PCI DSS 4.0 Cryptographic Requirements

Rebecca Warren

The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized framework designed to protect cardholder data during processing, storage, and transmission by merchants and service providers. PCI DSS outlines a set of stringent security controls that organizations handling payment card information must implement to mitigate the risk of data breaches and…

Read more
Certificates

How to build an inventory of certificates for PCI DSS 4.0 Requirement…

Rebecca Warren

We talk to organizations daily that are preparing for PCI DSS 4.0 requirements. March 31, 2025 marks the end of the transition period, and on this date, businesses must be fully compliant with PCI DSS v4.0.1.  One of the ways PCI 4.0.1 varies from PCI 3.2 is an updated Requirement 4, which covers encrypting…

Read more
DMARC

Getting started with the OnDMARC API

Nadim Lahoud

The OnDMARC API is great for performing bulk or repetitive tasks that need to be performed quickly, often and without error – and you don’t need to be a developer or even know how to code to use it. Here, I will walk you through how to perform the common task of updating the…

Read more