Business email compromise scams are now the leading cause of cyberattack-related losses. Billion are being lost each year and there are no signs of the attacks abating. In fact, it has been predicted that the number of attacks and losses will continue to increase.

Around 1% of global GDP is lost to cybercrime each year and that figure is increasing rapidly. Currently, around $600 billion is lost each year to cybercrime. A FinCEN report from July 2018 shows that suspicious activity report (SAR) filings have increased from $110 million per month in 2016 to $301 million per month in 2018 and Cybersecurity Ventures predicts losses will increase to $6 trillion globally by 2021. According to the FBI, more than $1.2 billion was lost to business email compromise scams in the United States alone in 2018.

Business email compromise (BEC) scams involve the impersonation of an executive or other individual, whose compromise email account is used to send fraudulent wire transfer requests. A variation sees a business associate of the company spoofed and requests sent demanding outstanding involves be paid.  The latter is now more common than attacks spoofing the CEO.

BEC attacks usually start with a spear phishing attack to obtain email account credentials. Once email credentials are compromised, the account is used to send messages to other individuals in the organization, such as employees in the payroll, HR, or finance department. Since the emails come from a trusted source within the organization and the wire transfer requests are not unusual, payment is often made.

A successful attack can see sizable wire transfers made to accounts controlled by the attackers. Payments are often for tens of thousands of dollars or, in some cases, millions of dollars. A recent attack on a subsidiary of the car manufacturer Toyota Boshoku Corporation saw a fraudulent transfer of $37 million made to the attackers.

While that incident stands out due to the scale of the loss, fraudulent transfers of millions of dollars are far from unusual. In many cases, only a small percentage of the transferred funds are recovered. Since these attacks can be extremely profitable, it is no surprise that the so many cybercriminal gangs are getting in on the act and are conducting campaigns.

A new report from the insurer AIG shows BEC attacks are now the leading reason for cybersecurity-related insurance claims, having overtaken ransomware attacks for the first time. 23% of all cyberattack-related claims are due to BEC scams.

In the most part, these BEC attacks can be prevented with basic cybersecurity measures. AIG attributes the rise in claims to poor security measures at the targeted organizations. Investigations have uncovered numerous basic cybersecurity failures such as not providing security awareness training to employees, the failure to enforce the use of strong passwords, no multi-factor authentication, and poor email security controls.

If businesses fail to implement these basic cybersecurity measures, attacks are inevitable. Cyber-insurance policies may cover some of the losses, but many SMBs will not be in a position to make a claim. For them, BEC attacks can be catastrophic.

If you run a business and are concerned about your defenses against phishing, spear phishing, and BEC attacks, contact TitanHQ to find out more about effective cybersecurity solutions that can block BEC attacks.