Hackers Find BEC Attacks More Profitable than Ransomware

Hackers earned $5.3 billion between October 2013 and December 2016 from business email compromise (BEC), a social engineering attack that uses emails to trick victims into transferring money to attackers, Cisco noted in its 2017 Midyear Cybersecurity Report.

That number, from the Internet Crime Complaint Center (IC3), stands in sharp contrast to the approximately $1 billion stolen by ransomware in 2016. Ransomware may be grabbing the headlines, but it doesn’t appear to be having the most impact.

The Cisco report calls BEC “the most lucrative and profitable method to extract large amounts of money from a business. It’s a deceptively easy attack vector that relies on social engineering to trigger the theft.”

Fighting BEC fraud generally involves user education and improvements in business processes, not investments in technology. “Because BEC messages don’t contain malware or suspect links, they can usually bypass all but the most sophisticated threat defense tools,” the report states.

What’s more, Plixer CEO Michael Patterson told eSecurity Planet by email, because BEC attacks don’t compromise personal data, there’s no legal requirement for disclosure. “Organizations fear the outside-in perception of incompetence and the possible negative impact that perception may have on customers and revenue streams,” he said.

“It is likely that the reported $5.3 billion in losses is far less than the actual value,” Patterson added.

3,680 Per Week

It’s not hard to see how that could be the case. A recent GreatHorn study of more than 373 million corporate emails found that the average enterprise receives over 3,680 potential phishing emails per week.

Specifically, a Fortune 500 company can expect to be hit by 1,380 direct spoof attacks, 460 display name spoofs, 560 emails with “W2” or “wire transfer” included, 230 domain lookalikes, and 1,150 authentication risks on a weekly basis.

Each of those messages contains threat characteristics that require review, investigation and possible remediation. Without automated tools, GreatHorn estimates, that task would take a security team about 305 hours each week.

“Our research shows that it is impossible for security teams to detect, analyze and respond to every suspicious email their organization receives,” GreatHorn CEO Kevin O’Brien said in a statement.

“Without the ability to hire qualified cyber security expertise, automation must become a bigger part of the equation to help enterprises stay ahead of cybercriminals,” O’Brien added.

AI and Automation

In fact, a recent Radware survey of 200 executives in the U.S. and Europe found that 81 percent of respondents said they’ve already implemented increased reliance on automated solutions.

Fifty-seven percent of respondents trust automated systems as much as or more than humans to protect their organizations, and 38 percent said that within two years, automated security systems will be the primary resource for managing cyber security.

Balbix CEO Gaurav Banga told eSecurity Planet by email that AI and automation offer two key advantage in security: they’re very good at dealing with large vectors of data across hundreds of dimensions, and they provide the ability to understand and report the level of confidence in any conclusions reached in order to avoid false positives.

“Because of these two advantages, AI, when correctly implemented, can provide super-powers to cyber defenders, who now have the ability to come to the best conclusions given large amounts of fuzzy security data from their operating environment,” Banga added.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Top Cybersecurity Companies

Related articles