The incidence of business email compromise (BEC) has doubled, and BEC has now overtaken ransomware as the most common form of financially motivated cyber-attack on organisations.
Recent research by the Secureworks Counter Threat Unit (CTU) shows that, despite the industry's focus on advanced AI-driven threats, the majority of real security incidents start from far more mundane origins.
This underlines the importance of basic cyber hygiene in strengthening an organisation's defences.
The growth in BEC is attributed to a surge in successful phishing campaigns, which accounted for 33 per cent of incidents where the initial access vector (IAV) could be identified, up sharply from 13 per cent in 2021.
Attackers, cybercriminals and nation-state actors alike, are also exploiting vulnerabilities in internet-facing systems, which accounted for a further third of incidents where the IAV could be established. They rarely need zero-days; instead they rely on publicly disclosed vulnerabilities such as ProxyLogon and ProxyShell (Microsoft Exchange) and Log4Shell (Apache Log4j) to find systems that still have not applied the available patches.
Ransomware incidents fell by 57 per cent but remain a significant threat. The decline may reflect a change in tactics and increased law-enforcement activity following high-profile attacks such as Colonial Pipeline and Kaseya.
It may also be that ransomware gangs are turning to smaller organisations, which are less likely to engage incident responders and so fall outside the data this report is based on.
“Business email compromise requires little to no technical skill but can be extremely lucrative. Attackers can simultaneously phish multiple organisations looking for potential victims without needing to employ advanced skills or operate complicated affiliate models,” comments Mike McLellan, Director of Intelligence at Secureworks.
“Let’s be clear: cybercriminals are opportunistic — not targeted. Attackers still go around the parking lot and see which doors are unlocked. Bulk scanners will quickly show an attacker whose machines are not patched. If your internet-facing applications aren’t secured, you give them the kingdom keys.
“Once they are in, the clock starts ticking to stop an attacker from turning that intrusion to their advantage. Already in 2023, we’ve seen several high-profile cases of post-intrusion ransomware, which can be extremely disruptive and damaging,” McLellan continued.
What is Business Email Compromise?
Business email compromise is a type of cyber-attack in which attackers use fraudulent emails or other social-engineering techniques to impersonate a trusted party, such as a senior executive or a supplier, and trick the recipient into making a payment, typically a wire transfer, or disclosing sensitive information. The impersonation may rely on a spoofed or lookalike sender address, or the attacker may be writing from a genuinely compromised mailbox, which is where the "compromise" in the name comes from.
BEC can be particularly damaging for SMEs (small and medium-sized enterprises), which typically have fewer resources to devote to cybersecurity, weaker controls and less training against social engineering. That is precisely why criminals target them.
BEC attacks often rely on spear-phishing emails that are carefully crafted to look legitimate and to push the victim towards one specific action, such as making a payment or revealing confidential data. The motive is almost always financial, and the losses for organisations that fall victim can be significant.
What can SMEs do to protect themselves?
SMEs can take several practical steps to protect themselves against BEC attacks:
- Employee training: Train staff regularly to recognise and report phishing emails, explain how BEC works, and give them clear guidance on verifying the authenticity of unusual emails and requests, especially those involving money or urgency.
- Two-factor authentication: Enforce two-factor authentication (2FA) on email accounts and other critical systems, so that a stolen password alone is not enough to take over a mailbox. Bear in mind that code-based 2FA can still be phished by a proxy sitting between the user and the real login page; where possible prefer phishing-resistant methods such as FIDO2 security keys.
- Email filters: Use email filtering to block or flag suspicious messages, for example mail from outside the organisation whose display name matches a member of staff, or whose Reply-To address points to a different domain than the visible sender. Publish SPF, DKIM and DMARC records for your own domain so that messages forging your addresses can be rejected, by your own mail server as well as by recipients elsewhere.
- Vendor management: Verify the identity of any vendor or supplier before transferring funds or sensitive information, and treat any request to change payment details as suspect until it has been confirmed by phone with a contact already on file, never via details supplied in the email itself.
- Account monitoring: Monitor financial accounts and mailboxes for unusual activity, such as unexpected wire transfers, logins from unfamiliar locations, or newly created mail-forwarding rules, a common sign that an attacker is quietly reading a compromised mailbox.
- Incident response plan: Have a plan for a successful BEC attack that covers reporting the incident, contacting your bank immediately to attempt to recall the payment, containing the compromise (resetting credentials, revoking sessions, removing forwarding rules), and restoring systems and data.
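Several of the controls above (flagging suspicious mail, verifying that a sender is who they claim to be) come down to a handful of checks on message headers. The following Python is an added example, not code from the article or from Secureworks: it parses constructed raw messages and reports the BEC impersonation indicators each one carries. The names, domains and message texts are invented, and the two-indicator threshold and two-edit "lookalike" distance are assumptions you would tune for your own environment.

```python
"""Flag common BEC impersonation indicators in raw email messages.

Added example (not from the article or Secureworks). All reference data and
sample messages below are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import List, Optional

# Constructed reference data; in practice sourced from HR and accounts payable.
OUR_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe", "john smith"}          # executives often impersonated
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "northwind.net"}
PAYMENT_KEYWORDS = ("wire", "transfer", "bank details", "invoice", "gift card", "urgent")
LOOKALIKE_MAX_DISTANCE = 2   # assumption: <=2 edits from a trusted domain is a lookalike
SUSPICIOUS_THRESHOLD = 2     # assumption: two coinciding indicators warrant review


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _norm_name(name: str) -> str:
    return " ".join(name.lower().split())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if trusted/unrelated."""
    trusted = KNOWN_VENDOR_DOMAINS | {OUR_DOMAIN}
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= LOOKALIKE_MAX_DISTANCE:
            return t
    return None


def bec_indicators(raw_message: str) -> List[str]:
    """Return the BEC indicators present in one RFC 5322 message, in check order."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    indicators = []

    # 1. An executive's name on an address outside our domain (display-name spoofing).
    if _norm_name(from_name) in PROTECTED_NAMES and from_domain != OUR_DOMAIN:
        indicators.append("display-name-impersonation")

    # 2. Replies silently routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        indicators.append("reply-to-mismatch")

    # 3. Sender domain a few edits away from ours or a vendor's (typosquat).
    if lookalike_of(from_domain):
        indicators.append("lookalike-domain")

    # 4. Payment or urgency language in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(k in text for k in PAYMENT_KEYWORDS):
        indicators.append("payment-language")

    return indicators


def is_suspicious(raw_message: str) -> bool:
    """Flag for human review when enough indicators coincide."""
    return len(bec_indicators(raw_message)) >= SUSPICIOUS_THRESHOLD


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = {
    "ceo_spoof": (
        "From: Jane Doe <janedoe.ceo@freemail.example>\n"
        "To: accounts@example.com\nSubject: Quick favour\n\n"
        "I need you to process an urgent wire transfer to a new supplier today.\n"
    ),
    "vendor_lookalike": (
        "From: Accounts Payable <billing@acme-suppiles.com>\n"
        "To: accounts@example.com\nSubject: Updated remittance details\n\n"
        "Our bank details have changed. Please pay the attached invoice to the new account.\n"
    ),
    "replyto_mismatch": (
        "From: John Smith <john.smith@example.com>\n"
        "Reply-To: John Smith <john.smith@reply-box.example>\n"
        "To: assistant@example.com\nSubject: Team treat\n\n"
        "Could you pick up some gift cards for the team and send me the codes?\n"
    ),
    "benign_invoice": (
        "From: Acme Billing <billing@acme-supplies.com>\n"
        "To: accounts@example.com\nSubject: Invoice 1042\n\n"
        "Attached is invoice 1042 for last month's deliveries, on the usual terms.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(f"{label:18} suspicious={is_suspicious(raw)!s:5} {bec_indicators(raw)}")
```

Two design points are worth noting. Keyword matching on its own is noisy, which is why the benign invoice is not flagged: only the coincidence of a content signal with a header anomaly triggers review. The third sample shows the limit of filtering on the receiving side: its From address uses the organisation's own domain, so nothing in the display name or domain looks wrong, and only the Reply-To gives it away. Rejecting forged mail of that kind is what an enforcing DMARC policy on your own domain is for.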
The report also recorded an increase in hostile state-sponsored activity, which was involved in 9 per cent of incidents, up from 6 per cent in 2021.
Around 90 per cent of those state-sponsored incidents were attributed to threat actors affiliated with China. Financially motivated attacks nonetheless remained the bulk of the sample, at approximately 79 per cent of all incidents.
That share is lower than in previous years and may be linked to the Russia/Ukraine conflict, which has disrupted cybercrime supply chains. When internal files of the Conti ransomware group were leaked, for example, the group took several months to recover and regroup, which may have contributed to the overall decrease in ransomware incidents.
“Government-sponsored threat actors have a different purpose to those who are financially motivated, but the tools and techniques they use are often the same. For instance, Chinese threat actors were detected deploying ransomware as a smokescreen for espionage. The intent is different, but the ransomware itself isn’t. The same is true for initial access vectors (IAVs); it’s all about getting a foot in the door in the quickest and easiest way possible, no matter which group you belong to,” continues McLellan.
“Once a state-sponsored actor is through that door, they are very hard to detect and even harder to evict. As states such as China, Russia, Iran, and North Korea continue to use cyber to advance their countries’ economic and political goals, it is even more important that businesses get the right controls and resources in place to protect, detect, and remediate attacks.”