Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
01:00 PM
Connect Directly
E-Mail vvv

Business Email Compromise Costs Businesses More Than Ransomware

Ransomware gets the headlines, but business paid out $1.8 billion last year to resolve BEC issues, according to an FBI report.

It's readily apparent that ransomware — and its evolution into extortionware — is a critically serious threat. Cisco's Talos Incident Response team has seen it as dominating its responses for seven quarters in a row, and the ecosystem of initial access brokers, service providers, and monetization organizations is sophisticated, well integrated, and extremely effective. Added to that, the average ransomware demand has increased (according to Palo Alto's Crypsis IR Team) to more than $840,000, payments total more than $300,000, and in 2021 we've already seen the record payment demand of $10 million be dwarfed by the reported $50 million asked of Acer.

Related Content:

Business Email Compromise Attacks Involving MFA Bypass Increase

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: The CISO Life Is Half as Good

If you live in the cybersecurity news cycle, you could be forgiven for thinking that ransomware is the only threat. There is always a report of another victim, a new approach, or a new crew. The FBI's 2020 "Internet Crime Report" tells a very different story, however, with reported ransomware payments being extremely low, at under $30 million, with other forms of cybercrime dwarfing this number.

It's likely that this is low than reality, and a significant majority of the payments were paid via third parties or not reported — but it still pales beside business email compromise (BEC). Reported BEC numbers alone are over $1.8 billion for the US, and there's an additional $300 million in fraud that could be similarly attributed.

The Challenge
The good news is that extortionware now works like many other threats and moves through initial compromise, lateral movement, and privilege escalation. The actual encryption (and the associated data exfiltration and other pressure tactics) are simply the easy way to monetize a compromise. This means that organizations that build comprehensive strategies against modern extortionware are protected against many other potential compromises. Those that focus on only one aspect (recovering data, for instance) are left open to a classic data breach.

BEC, though, falls outside of this norm and requires a different focus. It is cyber-by-association — an attack against a person that is commonly delivered by electronic means and the focus is on creating action by deception. The attacks may involve payroll diversion, fake invoices to a supplier, efforts around mergers and acquisition, or many other techniques. The attack can be sourced from a spoofed email address or a compromised real address, or an attacker can insert themselves into a real conversation (switching to a different account) — and the attack may appear to (or be!) from another employee or a supplier. A compromised account is the most valuable because it will evade many protections by dint of being sourced on a legitimate and trusted email server.  

These attacks are not just the simple 419 scams of the 1990s anymore (though it's true that Agari's "Geography of BEC Report" estimates that 50% of BEC attacks originate in Nigeria). They are launched by sophisticated attackers, with mature and tested methodologies, and as FBI statistics show they are financially lucrative to these attackers — and correspondingly damaging to the victim. As defenders, they cannot be ignored. 

Law enforcement agencies are taking action. Last month, Nigerian authorities arrested 18 individuals on charges related to Internet fraud in the latest of a series of actions performed by the Nigerian Economic and Financial Crimes Commission. The attacks are continuing and remain effective — as defenders, we need to ensure our focus is broad enough to include these attacks.

BEC attacks are launched against people, but an effective defense will include technology and process as well as user training and awareness campaigns. From a process perspective, clear separation of duties and an ironbound adherence to requesting significant financial transfers can go a long way, especially in combination with training staff on the impact of the attack, how it could occur, and what the processes are for checking if a request is valid. Technology can help too — email fraud prevention solutions can help detect spoofed accounts (rather than just focusing on phishing), while strong authentication methods for risky individuals (which may include executives) can reduce the risk of an account compromise.

Just like the latest hot technology trend is not a silver bullet, extortionware isn't the only attack. Looking at risk is fundamental to security, and it's crucial to get a clear picture of the actual threats you face and their consequences.

Charlie Winckless is the Senior Director of Cybersecurity Solutions for Presidio, setting strategic direction both internally to Presidio and helping clients build digital trust. He is a cybersecurity veteran with over 20 years' experience in the field and cut his IT teeth at ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Developing and Testing an Effective Breach Response Plan
Whether or not a data breach is a disaster for the organization depends on the security team's response and that is based on how the team developed a breach response plan beforehand and if it was thoroughly tested. Inside this report, experts share how to: -understand the technical environment, -determine what types of incidents would trigger the plan, -know which stakeholders need to be notified and how to do so, -develop steps to contain the breach, collect evidence, and initiate recovery.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-12-03
A vulnerability was found in SourceCodester Book Store Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /hrm/employeeadd.php. The manipulation of the argument empid leads to sql injection. The attack may be initiated remotely. The exploit h...
PUBLISHED: 2022-12-03
A vulnerability classified as problematic has been found in SourceCodester Human Resource Management System 1.0. Affected is an unknown function of the file /hrm/employeeview.php. The manipulation of the argument search leads to cross site scripting. It is possible to launch the attack remotely. The...
PUBLISHED: 2022-12-03
A vulnerability, which was classified as problematic, has been found in Dot Tech Smart Campus System. Affected by this issue is some unknown functionality of the file /services/Card/findUser. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been ...
PUBLISHED: 2022-12-03
A vulnerability was found in Shaoxing Background Management System. It has been declared as critical. This vulnerability affects unknown code of the file /Default/Bd. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to t...
PUBLISHED: 2022-12-03
A vulnerability has been found in House Rental System and classified as critical. Affected by this vulnerability is an unknown functionality of the file search-property.php of the component POST Request Handler. The manipulation of the argument search_property leads to sql injection. The attack can ...