Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:00 PM
Connect Directly
E-Mail vvv

Business Email Compromise Costs Businesses More Than Ransomware

Ransomware gets the headlines, but business paid out $1.8 billion last year to resolve BEC issues, according to an FBI report.

It's readily apparent that ransomware — and its evolution into extortionware — is a critically serious threat. Cisco's Talos Incident Response team has seen it as dominating its responses for seven quarters in a row, and the ecosystem of initial access brokers, service providers, and monetization organizations is sophisticated, well integrated, and extremely effective. Added to that, the average ransomware demand has increased (according to Palo Alto's Crypsis IR Team) to more than $840,000, payments total more than $300,000, and in 2021 we've already seen the record payment demand of $10 million be dwarfed by the reported $50 million asked of Acer.

Related Content:

Business Email Compromise Attacks Involving MFA Bypass Increase

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: The CISO Life Is Half as Good

If you live in the cybersecurity news cycle, you could be forgiven for thinking that ransomware is the only threat. There is always a report of another victim, a new approach, or a new crew. The FBI's 2020 "Internet Crime Report" tells a very different story, however, with reported ransomware payments being extremely low, at under $30 million, with other forms of cybercrime dwarfing this number.

It's likely that this is low than reality, and a significant majority of the payments were paid via third parties or not reported — but it still pales beside business email compromise (BEC). Reported BEC numbers alone are over $1.8 billion for the US, and there's an additional $300 million in fraud that could be similarly attributed.

The Challenge
The good news is that extortionware now works like many other threats and moves through initial compromise, lateral movement, and privilege escalation. The actual encryption (and the associated data exfiltration and other pressure tactics) are simply the easy way to monetize a compromise. This means that organizations that build comprehensive strategies against modern extortionware are protected against many other potential compromises. Those that focus on only one aspect (recovering data, for instance) are left open to a classic data breach.

BEC, though, falls outside of this norm and requires a different focus. It is cyber-by-association — an attack against a person that is commonly delivered by electronic means and the focus is on creating action by deception. The attacks may involve payroll diversion, fake invoices to a supplier, efforts around mergers and acquisition, or many other techniques. The attack can be sourced from a spoofed email address or a compromised real address, or an attacker can insert themselves into a real conversation (switching to a different account) — and the attack may appear to (or be!) from another employee or a supplier. A compromised account is the most valuable because it will evade many protections by dint of being sourced on a legitimate and trusted email server.  

These attacks are not just the simple 419 scams of the 1990s anymore (though it's true that Agari's "Geography of BEC Report" estimates that 50% of BEC attacks originate in Nigeria). They are launched by sophisticated attackers, with mature and tested methodologies, and as FBI statistics show they are financially lucrative to these attackers — and correspondingly damaging to the victim. As defenders, they cannot be ignored. 

Law enforcement agencies are taking action. Last month, Nigerian authorities arrested 18 individuals on charges related to Internet fraud in the latest of a series of actions performed by the Nigerian Economic and Financial Crimes Commission. The attacks are continuing and remain effective — as defenders, we need to ensure our focus is broad enough to include these attacks.

BEC attacks are launched against people, but an effective defense will include technology and process as well as user training and awareness campaigns. From a process perspective, clear separation of duties and an ironbound adherence to requesting significant financial transfers can go a long way, especially in combination with training staff on the impact of the attack, how it could occur, and what the processes are for checking if a request is valid. Technology can help too — email fraud prevention solutions can help detect spoofed accounts (rather than just focusing on phishing), while strong authentication methods for risky individuals (which may include executives) can reduce the risk of an account compromise.

Just like the latest hot technology trend is not a silver bullet, extortionware isn't the only attack. Looking at risk is fundamental to security, and it's crucial to get a clear picture of the actual threats you face and their consequences.

Charlie Winckless is the Senior Director of Cybersecurity Solutions for Presidio, setting strategic direction both internally to Presidio and helping clients build digital trust. He is a cybersecurity veteran with over 20 years' experience in the field and cut his IT teeth at ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...