Report: Impact of BEC Attacks on US Companies Misunderstood

A new report asserts the impact of business email compromise incidents on U.S. companies is likely underestimated and misunderstood—and it shows that multifactor authentication and cybersecurity awareness programs may be the top two risk management controls to prevent BEC attacks.

A report from Guy Carpenter, the risk and reinsurance specialist and business of Marsh McLennan, analyzes Marsh’s claims database over the last five years. It identified more than 550 successful BEC events impacting Marsh clients with either a cyber or crime insurance policy, with the greatest number having a loss around 0.1% of the company revenue.

That ratio amounts to a $1 million loss for a company with $1 billion in revenue. Despite the considerable financial risk, the report found that only one large industry vendor has incorporated BEC as an explicit cyber peril into its models.

The report draws on data including stats in the FBI’s Internet Crime Complaint Center, which shows that between October 2013 and December 2022 there were 137,601 were victims of BEC crimes with a total dollar amount lost reaching $17.1 billion. Last year, the FBI reported 21,000 complaints related to BEC.

The report outlines some of the evolving tactics and techniques cyber criminals are using:

Email Spoofing: A tactic that forges a sender’s email address, making it appear as if the message originated from a trusted source within the recipient’s organization. This is typically facilitated by spoofing tools and techniques that allow attackers to manipulate email headers and disguise their true identities. By spoofing a sender’s address, attackers can bypass email authentication mechanisms and evade detection by security filters.

Domain Impersonation: This involves the creation of fraudulent email domains or the compromise of legitimate domains to lend credibility to BEC wire fraud schemes. Attackers often register domain names that resemble those of legitimate organizations or leverage subdomains of compromised domains to create email addresses that mimic trusted entities within an organization, enabling attackers can to deceive employees into believing fraudulent communications are legitimate.

Malware-Enabled Attacks: These attacks are a sophisticated variant of BEC wire fraud in which attackers leverage malicious software to compromise email accounts, exfiltrate sensitive information or facilitate fraudulent transactions. These attacks may involve the distribution of malware-laden email attachments or the exploitation of software vulnerabilities to gain unauthorized access to networks. Once installed, malware can enable attackers to monitor email communications, harvest login credentials and manipulate financial transactions,

The prevalence of BEC attacks range by industry. Retail trade topped the list with a high of 3.5% of companies falling victim to BEC attacks, followed by wholesale trade and education both at around 3%. The finance sector was at the low end of the list at 1.7% of companies.

Amounts recovered were 90% to 100% of the initial loss in roughly half the cases when funds are recovered. However, less than 25% of companies had any amount recovered, the report shows.

The report concludes that while BEC doesn’t often garner the notoriety of other cyber attacks, this form of crime “undeniably poses a significant cyber threat to companies worldwide.”

“While conventional wisdom may categorize BEC as a more attritional and frequency-driven threat, an analysis of the Marsh claims database reveals the severe financial implications that BEC events can entail,” the report states. “BEC events have resulted in significant losses for organizations, highlighting the need for heightened vigilance and proactive cybersecurity measures.”

Topics USA