Today, the FBI released a public service announcement revealing that business email compromise (BEC) attacks caused domestic and international losses of more than $43 billion between June 2016 and December 2021, with a 65% increase in losses between July 2019 and December 2021.

BEC attacks have become one of the core techniques cybercriminals use to target an enterprise’s protected data and gain a foothold in a protected environment.

Research shows that, of the 43% of organizations that experienced a security incident in the last 12 months, 35% reported that BEC/phishing attacks accounted for more than 50% of those incidents.

Often, an attacker will target businesses and individuals with social engineering attempts and phishing scams to break into a user's account, then use that access to conduct unauthorized transfers of funds or to trick other users into handing over their personal information.


Why are BEC attacks costing organizations so much? 

BEC attacks are popular among cybercriminals because compromising a single account gives them access to a large amount of information about that user's immediate network of contacts, which can then be used to find new targets and manipulate other users.

“We’re not shocked at the figure stated in the FBI Public Service Announcement. In fact, this number is likely low given that a large number of incidents of this nature go unreported and are swept under the rug,” said Andy Gill, a senior security consultant at Lares Consulting.

“BEC attacks continue to be one of the most active attack methods utilized by criminals because they work. If they didn’t work as well as they do, the criminals would switch tactics to something with a larger ROI.”

Gill notes that once an attacker gains access to an email inbox, usually through a phishing scam, they will search it for “high-value threads,” such as discussions with suppliers or other individuals in the company, to gather information that lets them launch further attacks against employees or external parties.

Mitigating these attacks is made more difficult by the fact that it’s not always easy to identify if there has been an intrusion, especially if the internal security team has limited resources. 

“Most organizations who become victims of BEC are not resourced internally to deal with incident response or digital forensics, so they typically require external support,” said Joseph Carson, security scientist and advisory CISO at Delinea.

“Victims sometimes prefer not to report incidents if the amount is quite small, but those who fall for larger financial fraud BEC that amounts to thousands or even sometimes millions of U.S. dollars must report the incident in the hope that they could recoup some of the losses,” Carson said.  

The answer: privileged access management

With BEC attacks on the rise, organizations are under increasing pressure to protect themselves, which is often easier said than done in the era of remote working. 

As more employees use personal and mobile devices for work, outside the protection of traditional security tools, enterprises should be proactive in securing data from unauthorized access by limiting the number of employees who have access to personal information.

“A strong privileged access management (PAM) solution can help reduce the risk of BEC by adding additional security controls to sensitive privileged accounts along with multifactor authentication (MFA) and continuous verification. It’s also important that cyber awareness training is a top priority and always practice identity proofing techniques to verify the source of the requests,” Carson said.

Employing the principle of least privilege and enforcing it with privileged access management reduces the number of employees that cybercriminals can target with manipulation attempts, and makes it that much harder for them to access sensitive information. 
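The three controls Carson describes (least privilege enforced through PAM, MFA on privileged actions, and identity proofing of the request source) can be expressed as a single policy gate in front of the finance actions BEC typically targets, such as approving a wire transfer or changing a supplier's bank details. The following is an added example, not code from the article, from Delinea, or from any PAM product; the role names, the ten-minute MFA freshness window, the `origin` field, and the sample requests are all assumptions constructed for illustration.

```python
"""Added example (not from the article): a minimal least-privilege gate for
finance requests of the kind BEC targets. Roles, thresholds and requests are
constructed assumptions, not a real organization's policy."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumed role-to-action mapping. Only a few roles can touch money or payee
# details, which shrinks the pool of users worth impersonating or phishing.
ROLE_PERMISSIONS = {
    "ap_clerk": {"view_invoice"},
    "ap_manager": {"view_invoice", "approve_transfer"},
    "vendor_admin": {"view_invoice", "change_payee_bank"},
}
PRIVILEGED_ACTIONS = {"approve_transfer", "change_payee_bank"}
MFA_MAX_AGE = timedelta(minutes=10)  # assumed: privileged actions need recent MFA
NOW = datetime(2022, 5, 4, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample


@dataclass
class Request:
    actor: str
    role: str
    action: str
    origin: str                          # where the instruction arrived: "email", "portal"
    last_mfa: Optional[datetime] = None  # when the actor last completed MFA
    verified_out_of_band: bool = False   # e.g. callback to the supplier on a known number
    amount_usd: float = 0.0


def evaluate(req: Request, now: datetime = NOW) -> Tuple[bool, str]:
    """Apply least privilege, MFA freshness and source verification in that order.
    Returns (allowed, reason) so every denial can be logged for review."""
    permitted = ROLE_PERMISSIONS.get(req.role, set())
    if req.action not in permitted:
        return False, "role lacks permission"
    if req.action in PRIVILEGED_ACTIONS:
        if req.last_mfa is None or now - req.last_mfa > MFA_MAX_AGE:
            return False, "fresh MFA required"
        # Identity proofing: an instruction that arrived by email is not trusted on
        # its own, because a compromised or spoofed mailbox is exactly the BEC vector.
        if req.origin == "email" and not req.verified_out_of_band:
            return False, "email-originated request not verified out of band"
    return True, "ok"


# Constructed sample requests covering the cases the policy distinguishes.
SAMPLE_REQUESTS = [
    Request("clerk1", "ap_clerk", "approve_transfer", "portal", NOW, amount_usd=9000),
    Request("mgr1", "ap_manager", "approve_transfer", "portal", NOW, amount_usd=9000),
    Request("mgr2", "ap_manager", "approve_transfer", "portal",
            NOW - timedelta(hours=2), amount_usd=9000),
    Request("vadmin1", "vendor_admin", "change_payee_bank", "email", NOW),
    Request("vadmin2", "vendor_admin", "change_payee_bank", "email", NOW,
            verified_out_of_band=True),
]


def run_sample() -> dict:
    """Evaluate every sample request; map actor -> denial reason (or 'ok')."""
    return {r.actor: evaluate(r)[1] for r in SAMPLE_REQUESTS}


def denied_for_review() -> list:
    """Actors whose privileged request was blocked: these are the events a security
    team would want surfaced, since a blocked unverified payee change is a BEC signal."""
    return [r.actor for r in SAMPLE_REQUESTS if not evaluate(r)[0]]


if __name__ == "__main__":
    for actor, reason in run_sample().items():
        print(f"{actor}: {reason}")
```

The ordering matters: the permission check runs first so that a phished clerk's account simply cannot reach the privileged action, regardless of MFA state, and the out-of-band check only applies where the instruction came through a channel an attacker could have forged. Logging the `reason` string from each denial gives incident responders a record of attempted payee changes that never passed verification.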
