Business Email Compromise (BEC) Attacks Persist 

Email security is often overlooked on a macro level, even as business email compromise (BEC) attacks continue to pose a critical threat to business operations.

Reports from Abnormal Security and At-Bay revealed the extent of the risk—Abnormal’s report revealed the median open rate for text-based BEC attacks was nearly 28%.

The survey also found more than a third (36%) of replies were initiated by employees who had previously engaged with an earlier attack.

The At-Bay report, based on an investigation of 50,000 small to medium-sized businesses over a four-year span from 2018 to 2022, concluded email is still the most critical gap in the perimeter for all businesses regardless of size, industry or security maturity.

Despite email security adoption increasing among most mid-to-small sized businesses, email attacks continue to persist.

Vendor Selection Can Impact Email Security

The research also indicates how important vendor selection is to the email security process, with a significant 55% difference in the claims frequency separating the best and worst email security solutions in At-Bays’s report.

These results indicated security leaders should carefully consider their criteria for evaluating solutions and pay closer attention to the metrics that matter the most, including the likely potential for loss and severity of the risk.

The study recommends businesses take the proper precautions to ensure their long-term financial health.

Adam Tyra, general manager of security services for At-Bay, explained that email is almost always an afterthought for business owners and employees alike.

“It’s used so frequently that many operate under the assumption it’s a safe, secure vector within their business,” he said. “Fraud threats over email are not easily spotted, and these same threats don’t present themselves to businesses as a whole; instead, they target people on an individual level.”

From his perspective, the risk is two-pronged: People who are targeted by fraudsters via email often don’t understand they’re being targeted at all, while the current status quo has led many to believe that email security protocols are strict enough as is.

“We need to shift our mindset to help people understand what these attacks look like and to empower businesses to strengthen their security protocols,” he said. 

BEC and Remote Work

Like most business functions, distributed, remote and hybrid work have complicated email security due to a lack of in-person communication.

Phishing and related scams carry increased risks in a remote-first world, as workers are often the first (if not the only) line of defense in ensuring scams are being reported rather than engaged with.

“On top of that, discerning real communication from a potential threat is getting harder as fraudsters become more advanced,” Tyra says. 

Right off the bat, there are two key precautions businesses should take to better secure their email operations.

“First and foremost, business leaders should prioritize choosing a cloud-based email provider, as our claims data suggests that cloud-based providers are more secure than on-premises providers,” he said.

For example, among the email configurations At-Bay’s actuary team analyzed for their research report, companies using Google Workspace—a cloud-based email provider—were found to experience 41% fewer incidents on average.

Beyond choosing a cloud-based email provider, businesses can also add a further layer of protection by choosing best-in-class email security solutions to help identify and prevent attacks before they happen.

According to the research, pairing solutions such as Mimecast with a provider can reduce email incidents by up to 22%.

Combining these two layers of security can save businesses up to 50% on insurance premium prices, as well.

“This further proves the value of implementing tech solutions that pre-emptively stamp out fraud attacks,” Tyra said, adding that fraudsters are very fluid in the way they conduct their business, moving to vectors where point-of-entry is easier, and they can reap the benefits financially.

“As they continue to become smarter and more advanced, security postures must become more comprehensive in identifying and preventing fraud attacks before they happen,” he explained. 

Mika Aalto, co-founder and CEO at Hoxhunt, cautioned that BEC attacks will always be around as long as they remain profitable.

“Remember, cybercrime and cybercrime-as-a-service is a trillion-dollar industry fueled by phishing, and BEC is the leading source of email-based attacks,” he said.

From his perspective, their continued profitability proves that employee cybersecurity behavior is neglected and mismanaged by the compliance-based approach to security awareness.

Aalto said that security culture needs a reformation that begins with transforming the human layer into an asset which, when empowered by the right training and platform, augments the protect-detect-respond pillars of the NIST framework.

“Taking a risk-based approach to cybersecurity is the best way to sustainably improve an organizations posture against BEC attacks,” he said.

Aalto pointed out the majority of data breaches contain the human element, mostly email, and yet security awareness and phishing training programs are outdated, compliance-based, and typically constitute a small percentage of awareness budgets.

“Because most attacks start with people, security and risk management strategy must as well,” he explained. “Organizations need to install the training, processes, and technologies necessary for catching the sophisticated attacks that technical perimeters will always miss, no matter how much money is poured into them.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.

nathan-eddy has 302 posts and counting.See all posts by nathan-eddy