Phishing attacks have become a prevalent method for threat actors to profit financially, and security experts are issuing a warning about the ongoing threat of Business Email Compromise (BEC) attacks. According to Cloudflare’s 2023 Phishing Threats Report, there has been a 17% increase in BEC-related financial losses between December 2021 and 2022, indicating that threat actors are increasingly relying on this attack method to target organizations.
The report also revealed that nearly three-quarters (71%) of respondents experienced attempted or successful BEC attacks in 2022. Matthew Prince, CEO at Cloudflare, commented on the severity of the situation, stating, “Phishing is an epidemic that has permeated into the farthest corners of the internet, preying on trust and victimizing everyone from CEOs to government officials to the everyday consumer. Email messages and malicious links are nefarious partners in crime when it comes to the most common form of internet threats.”
In terms of financial losses, BEC has far surpassed ransomware. The figures the report cites come from the FBI's Internet Crime Complaint Center (IC3): over the past decade, BEC has accounted for more than $51 billion in exposed losses (the FBI's figure counts both actual and attempted losses), demonstrating how lucrative the method is for threat actors. By comparison, ransomware complaints to the IC3 in 2022 numbered 2,385, with reported losses of just over $34.3 million; the FBI notes that this figure excludes lost business, downtime, remediation costs and unreported ransom payments, so it understates the true cost, but the gap is still stark. BEC complaints in the same year reached over 21,800, with reported losses exceeding $2.7 billion.
BEC losses arise through a variety of pretexts, such as attackers posing as clients or partner organizations and requesting payment for services. For instance, FBI statistics for 2020 show that over 13,000 people fell victim to real estate wire fraud through BEC, with losses exceeding $213 million. During the COVID-19 pandemic, cyber criminals also deceived German health officials into transferring over €14.7 million under fake contracts for personal protective equipment (PPE).
So how do BEC attacks work? They are a form of phishing in which threat actors deceive employees into revealing sensitive company information or transferring funds under the cover of an apparently routine business transaction. The correspondence is crafted to look legitimate and may carry links to fake websites or disguised malicious attachments, but a large share of BEC messages contain no payload at all: they are plain-text requests (a changed bank account, an urgent wire, a confidential acquisition), which is precisely why they slip past filters that key on malicious links and attachments. BEC attacks typically target senior decision-makers, or staff who can approve or execute payments, and impersonate executives, vendors or counsel. Threat actors mine publicly available information, such as social media profiles and corporate websites, to build rapport with the target and appear credible. Cloudflare highlights that BEC relies on a “deep understanding” of a target's email behaviour and business practices, which distinguishes it from traditional indiscriminate phishing. The practical corollary for defenders is that header anomalies (a display name that matches an executive but an address that does not, a Reply-To pointing to a different domain, a lookalike sender domain) and process controls (out-of-band verification of any change to payment details) matter more than payload scanning.
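The header and content checks just described can be scored mechanically before a message reaches a mailbox. The following is an added example, not code from the Cloudflare report or any product it describes: it parses a raw email, flags executive display-name impersonation from an external domain, Reply-To domain mismatches, lookalike domains (homoglyph normalisation plus a small edit distance) against a trusted list, and payment or urgency language. The organisation domain `example.com`, the executive name `Dana Smith`, the partner domain `acme-supplies.com` and both sample messages are constructed assumptions.

```python
"""Score a raw RFC 5322 message for common BEC indicators.

Added example; all domains, names and messages below are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                              # assumption: the defended organisation
KNOWN_EXECS = {"dana smith"}                            # assumption: display names worth impersonating
TRUSTED_DOMAINS = {OUR_DOMAIN, "acme-supplies.com"}     # assumption: own + partner domains
PAYMENT_WORDS = ("wire", "invoice", "payment", "bank details", "urgent", "confidential")
SUSPICIOUS_THRESHOLD = 3                                # header anomalies weigh 2, keywords weigh 1


def normalize(domain: str) -> str:
    """Collapse common homoglyph substitutions so 'examp1e.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if exact or unrelated.

    Distance <= 2 is a deliberately loose setting; very short trusted domains
    would need a tighter threshold to avoid false positives.
    """
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if norm == normalize(trusted) or levenshtein(norm, normalize(trusted)) <= 2:
            return trusted
    return None


def analyze(raw: str) -> dict:
    """Parse a raw message and return a weighted list of BEC findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")) or from_addr)
    from_dom = from_addr.rsplit("@", 1)[-1].lower()
    reply_dom = reply_addr.rsplit("@", 1)[-1].lower()
    findings = []  # (weight, description)

    # 1. Executive display name on a non-corporate address.
    if from_name.strip().lower() in KNOWN_EXECS and from_dom != OUR_DOMAIN:
        findings.append((2, f"display-name impersonation: '{from_name}' sent from {from_dom}"))

    # 2. Replies silently diverted to another domain.
    if reply_dom != from_dom:
        findings.append((2, f"reply-to mismatch: {from_dom} -> {reply_dom}"))

    # 3. Sender or Reply-To domain imitates a trusted one.
    for label, dom in (("sender", from_dom), ("reply-to", reply_dom)):
        target = lookalike_of(dom)
        if target:
            findings.append((2, f"lookalike {label} domain: {dom} imitates {target}"))

    # 4. Payment/urgency language in subject or plain-text body (weak on its own).
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in PAYMENT_WORDS if w in text]
    if hits:
        findings.append((1, "payment/urgency language: " + ", ".join(hits)))

    score = sum(w for w, _ in findings)
    return {"score": score, "suspicious": score >= SUSPICIOUS_THRESHOLD,
            "findings": [d for _, d in findings]}


# Constructed sample: executive impersonation from webmail with a homoglyph Reply-To.
SAMPLE_BEC = """From: Dana Smith <dana.smith@gmail.com>
Reply-To: Dana Smith <ceo@examp1e.com>
To: ap@example.com
Subject: Urgent wire request

Can you process a wire to our new vendor account today? Keep this confidential.
"""

# Constructed sample: a routine message from a partner domain that merely mentions an invoice.
SAMPLE_OK = """From: Pat Lee <pat.lee@acme-supplies.com>
To: ap@example.com
Subject: Q3 invoice attached

Hi, the Q3 invoice is attached as discussed. Thanks!
"""

if __name__ == "__main__":
    for name, raw in (("BEC", SAMPLE_BEC), ("OK", SAMPLE_OK)):
        result = analyze(raw)
        print(name, result["score"], result["suspicious"])
        for f in result["findings"]:
            print("  -", f)
```

The weighting is the point: a keyword hit alone (the benign partner invoice scores 1) should never block mail, whereas two or more header anomalies on the same message are a strong signal. In production the same checks would run in the mail gateway with DMARC results, a real list of executives from the directory, and the partner domains drawn from accounts-payable records.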
The report also found that attackers increasingly route BEC attacks through client organizations and supply-chain partners, so a request arriving from a trusted vendor's address is not by itself proof that the request is legitimate; any change to payment instructions still warrants verification through a channel other than email.