Business Email Compromise Costs Businesses More Than Ransomware

Ransomware gets the headlines, but businesses paid out $1.8 billion last year to resolve BEC incidents, according to an FBI report.

It's readily apparent that ransomware — and its evolution into extortionware — is a critically serious threat. Cisco's Talos Incident Response team has seen it dominate its engagements for seven quarters in a row, and the ecosystem of initial access brokers, service providers, and monetization organizations is sophisticated, well integrated, and extremely effective. Added to that, the average ransomware demand has increased (according to Palo Alto's Crypsis IR Team) to more than $840,000, with payments exceeding $300,000, and in 2021 we've already seen the record payment demand of $10 million dwarfed by the reported $50 million asked of Acer.


If you live in the cybersecurity news cycle, you could be forgiven for thinking that ransomware is the only threat. There is always a report of another victim, a new approach, or a new crew. The FBI's 2020 "Internet Crime Report" tells a very different story, however, with reported ransomware payments being extremely low, at under $30 million, with other forms of cybercrime dwarfing this number.

This figure is likely lower than reality, since a significant majority of payments were made via third parties or never reported — but it still pales beside business email compromise (BEC). Reported BEC losses alone are over $1.8 billion for the US, and there's an additional $300 million in fraud that could be similarly attributed.

The Challenge
The good news is that extortionware now works like many other threats and moves through initial compromise, lateral movement, and privilege escalation. The actual encryption (along with the associated data exfiltration and other pressure tactics) is simply the easy way to monetize a compromise. This means that organizations that build comprehensive strategies against modern extortionware are also protected against many other potential compromises. Those that focus on only one aspect (recovering data, for instance) are left open to a classic data breach.

BEC, though, falls outside of this norm and requires a different focus. It is cyber-by-association — an attack against a person that is commonly delivered by electronic means, with the focus on creating action through deception. The attacks may involve payroll diversion, fake invoices to a supplier, efforts around mergers and acquisitions, or many other techniques. The attack can be sourced from a spoofed email address or a compromised real address, or an attacker can insert themselves into a real conversation (switching to a different account) — and the attack may appear to be (or actually be!) from another employee or a supplier. A compromised account is the most valuable because it will evade many protections by dint of being sourced from a legitimate and trusted email server.

These attacks are no longer just the simple 419 scams of the 1990s (though it's true that Agari's "Geography of BEC Report" estimates that 50% of BEC attacks originate in Nigeria). They are launched by sophisticated attackers with mature and tested methodologies, and, as the FBI statistics show, they are financially lucrative to those attackers — and correspondingly damaging to the victim. Defenders cannot afford to ignore them.

Law enforcement agencies are taking action. Last month, Nigerian authorities arrested 18 individuals on charges related to Internet fraud in the latest of a series of actions performed by the Nigerian Economic and Financial Crimes Commission. The attacks are continuing and remain effective — as defenders, we need to ensure our focus is broad enough to include these attacks.

BEC attacks are launched against people, but an effective defense will include technology and process as well as user training and awareness campaigns. From a process perspective, clear separation of duties and ironbound adherence to the approved procedure for requesting significant financial transfers can go a long way, especially in combination with training staff on the impact of the attack, how it could occur, and what the processes are for checking whether a request is valid. Technology can help too — email fraud prevention solutions can detect spoofed accounts (rather than focusing only on phishing), while strong authentication methods for high-risk individuals (which may include executives) can reduce the risk of an account compromise.
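As an added example (not code from the article or from any vendor product) of the technology layer described above, the following Python triage logic flags the BEC patterns the article names: an executive's display name on a mailbox that is not theirs, a lookalike sender domain, a Reply-To that diverts answers elsewhere, and a reply from an address that was never part of the conversation. The trusted domain, the executive list, the financial-request wording and the sample message are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed assumptions for this example: the organisation's own domain, a
# display-name -> mailbox map for high-risk staff, and wording that marks a
# financial request. Real deployments take these from directory and policy
# data; this is illustrative triage logic, not any vendor's product code.
TRUSTED_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
FINANCE_WORDS = ("wire", "invoice", "payment", "bank details", "urgent")

def one_edit_away(a, b):
    """True when a and b differ by one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) < len(b):
        a, b = b, a                 # a is now the longer (or equal-length) string
    for i in range(len(a)):
        if i >= len(b) or a[i] != b[i]:
            skip = i if len(a) > len(b) else i + 1   # drop one char from a, or from both
            return a[i + 1:] == b[skip:]
    return False

def triage(msg, prior_participants=()):
    """Return the BEC indicators found in one message (dict of headers plus body)."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr, domain = addr.lower(), addr.rpartition("@")[2].lower()
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:            # executive's display name on another mailbox
        findings.append(f"display name '{name}' on mailbox {addr}")
    if domain != TRUSTED_DOMAIN and one_edit_away(domain, TRUSTED_DOMAIN):
        findings.append(f"lookalike domain {domain}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr:  # answers diverted away from the visible sender
        findings.append(f"Reply-To {reply} differs from From")
    prior = {p.lower() for p in prior_participants}
    if msg.get("In-Reply-To") and prior and addr not in prior:
        findings.append("reply from an address not previously in the thread")
    body = msg.get("body", "").lower()   # money wording escalates any other finding
    if findings and any(w in body for w in FINANCE_WORDS):
        findings.append("financial request language present")
    return findings

# Constructed sample: an executive's name on a lookalike domain requesting a wire.
SAMPLE = {"From": "Jane Doe <jane.doe@examp1e.com>",
          "body": "Please process this wire today, it is urgent."}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The thread-hijack check needs the earlier participants of the conversation, which a real deployment would pull from the mail store by the In-Reply-To header; here they are passed in by the caller.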

Just as the latest hot technology trend is not a silver bullet, extortionware isn't the only attack. Looking at risk is fundamental to security, and it's crucial to get a clear picture of the actual threats you face and their consequences.

Charlie Winckless is the Senior Director of Cybersecurity Solutions for Presidio, setting strategic direction both internally to Presidio and helping clients build digital trust. He is a cybersecurity veteran with over 20 years' experience in the field and cut his IT teeth at ...