Today, the FBI released a public service announcement showing that BEC (Business Email Compromise) attacks caused over $43 billion in domestic and international losses between June 2016 and December 2021, with losses between July 2019 and December 2021 increasing by 65%.
BEC attacks have become one of the core techniques cybercriminals use to target protected corporate data and gain a foothold in a protected environment.
Research shows that 35% of the 43% of organizations that experienced a security incident in the last 12 months reported that BEC/phishing attacks accounted for more than 50% of incidents.
In many of these attacks, a hacker targets companies and individuals with social engineering attempts and phishing scams to break into a user’s account to perform unauthorized money transfers or trick other users into giving up their personal information.
Why do BEC attacks cost businesses so much?
BEC attacks are popular with cybercriminals because they know they can compromise a single account and gain access to a large amount of information across that account's immediate network, which they can then use to find new targets and manipulate other users.
“We are not shocked by the number given in the FBI’s public service announcement. In fact, that number is probably low given that a large number of incidents of this nature go unreported and swept under the rug,” said Andy Gill, Senior Security Consultant at LARES Consulting.
“BEC attacks remain one of the most active attack vectors used by criminals because they work. If they didn’t perform as well as they do, the criminals would switch their tactics to something with a higher ROI.”
Gill notes that once an attacker gains access to an email inbox, typically through a phishing scam, they begin scanning the inbox for “high value threads,” such as discussions with suppliers or other people in the company, to collect information that can be used to launch further attacks against employees or external parties.
Containing these attacks is complicated by the fact that detecting an attack is not always easy, especially when the internal security team has limited security resources.
“Most organizations that fall victim to BEC do not have internal resources to address incident response or digital forensics, so they typically require outside assistance,” said Joseph Carson, chief security scientist and advisory CISO at Delinea.
“Victims sometimes choose not to report incidents when the amount is quite small, but those who fall for a larger financial scam that amounts to thousands or sometimes even millions of US dollars must report the incident in the hope that they can recoup some of the losses,” Carson said.
The answer: privileged access management
With the rise of BEC attacks, organizations are under increasing pressure to protect themselves, which in the age of remote work is often easier said than done.
As more employees use personal and mobile devices for work, which are outside the protection of traditional security tools, companies must be much more proactive in protecting data from unauthorized access by limiting the number of employees who have access to personal data.
“A strong Privileged Access Management (PAM) solution can help mitigate BEC risk by adding additional security controls to sensitive privileged accounts along with Multi-Factor Authentication (MFA) and continuous verification. It’s also important that cyber awareness training is a top priority and that identity verification techniques are always practiced to verify the source of requests,” Carson said.
Applying the principle of least privilege and enforcing it with privileged access management reduces the number of employees that cybercriminals can target and makes it significantly more difficult for them to reach sensitive information.