Business email compromise (BEC), a sophisticated form of phishing that involves attackers manipulating individuals into unwittingly facilitating fraudulent activities, is considered one of the most financially damaging cyber threats.
Compared to other cyber threats such as ransomware attacks, zero-day vulnerability exploits, and cloud service provider outages, business email compromise is akin to a “sleeper threat” in that it does not dominate news headlines. However, BEC is considered one of the most financially damaging cyber threats by the Federal Bureau of Investigation.
BEC is a form of phishing where attackers impersonate legitimate entities or individuals to deceive employees.
They aim to transfer funds, access sensitive information, or compromise organizational security. This method exploits human vulnerabilities, not technical flaws, making it hard for traditional security measures to detect and mitigate the risk.
According to Guy Carpenter’s Cyber’s Sleeper Threat Report, a common and damaging type of BEC is wire fraud. In this scenario, cybercriminals use social engineering to trick employees into initiating unauthorized wire transfers, causing significant financial losses for the organization.
As BEC attacks become more frequent and sophisticated, businesses need to understand this threat to implement strong defenses and protect their assets, reputation, and operations. This report provides an overview of the BEC threat and examines whether it affects specific sectors of the economy or has a broader impact.
BEC Threat Landscape
BEC attacks differ from traditional cyber threats by exploiting human trust rather than technical vulnerabilities. These attacks involve cybercriminals impersonating trusted figures like company executives, vendors, or business partners to deceive employees. The goal is to trick them into revealing sensitive information, authorizing fraudulent transactions, or compromising corporate networks.
The FBI’s Internet Crime Complaint Center (IC3) reports that BEC attacks cause annual losses in the billions of dollars.
From October 2013 to December 2022, the following statistics were recorded:
- Total US victims: 137,601
- Total US exposed dollar loss: $17.3 bn
In 2023, IC3 received over 21,000 BEC-related complaints, marking a significant increase from previous years.
BEC wire fraud can lead to severe financial losses, reputational damage, and operational disruption for organizations (see Global Cyber Insurance Market Forecast). Businesses must understand this threat landscape to protect their financial assets and mitigate BEC risks.
Impersonation Tactics and Psychological Manipulation
BEC wire fraud hinges on impersonation tactics and psychological manipulation. Cybercriminals use social engineering techniques to craft emails that impersonate trusted individuals within an organization, such as senior executives or business partners.
These messages create a sense of urgency, authority, or familiarity, compelling employees to comply with fraudulent requests without hesitation.
By exploiting insider knowledge gleaned from reconnaissance efforts and monitoring email communications, cybercriminals tailor their messages to align with established communication patterns and organizational hierarchies, thereby lowering the recipient’s guard and increasing the likelihood of successful exploitation (see how Generative AI Impacts on Cyber Threat).
Fraudulent Wire Transfer Requests
Once trust has been established and employees are primed for compliance, cybercriminals proceed to orchestrate fraudulent wire transfer requests designed to divert funds into accounts controlled by the attackers.
These requests often involve convincing pretexts, such as urgent payment for purported business expenses, invoice payments to fictitious suppliers, or instructions to update banking information due to purported security concerns.
By exploiting common business processes and workflows, attackers can seamlessly blend their fraudulent requests into legitimate communications, making detection and interception challenging for unsuspecting employees and financial institutions alike.
[Figure: BEC Incidents Each Year]
Evolving Tactics and Techniques
The landscape of BEC wire fraud constantly changes. Cybercriminals refine their tactics to evade detection and exploit new vulnerabilities.
They use various tools and methods to achieve their objectives:
- Email spoofing: Cybercriminals forge the sender’s email address to make it appear as if the message comes from a trusted source within the recipient’s organization. They use spoofing tools to manipulate email headers and disguise their identities. This tactic helps them bypass email authentication and traditional security filters, increasing the chances of their fraudulent messages reaching the target.
- Domain impersonation: Attackers create fraudulent email domains or compromise legitimate ones to lend credibility to BEC schemes. They register domain names that closely resemble those of legitimate organizations or use subdomains of compromised domains to mimic trusted entities. This exploitation of familiar domain names deceives employees into believing the fraudulent communications are legitimate.
- Malware-enabled attacks: These sophisticated attacks involve using malicious software to compromise email accounts, steal sensitive information, or facilitate fraudulent transactions. Attackers may distribute malware-laden email attachments or exploit software vulnerabilities to gain unauthorized access to corporate networks.
BEC attacks present a significant challenge for organizations as they balance open communication and protection against malicious actors.
The consequences of a successful BEC attack include financial losses, regulatory penalties, and irreparable damage to an organization’s reputation and customer trust.
Financial Impact of BEC
BEC is not a new threat vector. That said, like many cyberattack vectors, it is one gaining in popularity due to its relatively low technical lift, making it highly effective and lucrative from the threat actors’ perspective.
[Figure: Percent of Companies in Revenue Group with BEC Event]
It is also important to note that the 2023 BEC incident count is not yet fully developed, therefore the 2023 number could end at a higher level than displayed above. The data clearly shows that successful BEC attacks are trending upward.
Which Businesses Are Most at Risk?
BEC is a threat vector that can potentially affect any company, regardless of industry or revenue. That said, there are some trends to be gleaned in the firmographics of companies most often affected by BEC events. Examining the successful BEC events from 2019 onward, we can first break down the prevalence of events by revenue.
[Figure: Percent of Companies in Industry Group with BEC Event]
The figure shows the percentage of companies in each revenue bin each year that were affected by at least one BEC event, averaged across the 5 years of historical data.
Severity of Business Email Compromise Events
The initial loss from a BEC event can be quite severe. To better comprehend the magnitude of financial impact a company could face as a result of BEC, we first normalize the initial loss by the revenue of the company, and then bin the number of events from our data event set by the normalized initial loss.
[Figure: Distribution of Initial Loss Severity]
Initial losses range from 0.001% to 100% of company revenue. Most events involve a loss around 0.1% of revenue. For a company with billions in revenue, this 0.1% loss can be substantial.
Data indicates some BEC events result in losses equal to a company’s total revenue. It’s important to examine if there’s a correlation between initial loss percentage and the affected company’s revenue.
A loss of 100% on $500,000 is significantly less than 100% on $500 mn. The figure below illustrates the initial loss percentage against the organization’s revenue.
[Figure: Initial Loss versus Revenue]
[Figure: Distribution of Amount Recovered]
When a BEC attack occurs, it’s crucial to act quickly. By reaching out to banks and law enforcement, it is possible to recover some or all of the lost funds.
In half of the cases where any funds were recovered, the recovered amount was 90-100% of the initial loss. However, fewer than 25% of all events had any funds recovered.
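The severity and recovery figures above come from normalizing each event’s initial loss by the victim’s revenue, binning the normalized losses on a log scale, and then looking at the subset of events with any recovery. The following Python is an added example of that procedure, not the report’s own code or data: the event list is constructed, and the log-spaced bin edges are an assumption based only on the 0.001% to 100% range stated in the text.

```python
"""Normalize BEC initial losses by revenue, bin them on a log10 scale,
and summarize recovery, mirroring the analysis described in the report."""
import math
from statistics import median

# Constructed sample claims (revenue, initial_loss, recovered), all in USD.
# These are illustrative values, not the report's claims data.
EVENTS = [
    (500_000, 5_000, 0),
    (2_000_000, 1_500, 1_500),
    (50_000_000, 60_000, 0),
    (1_000_000_000, 900_000, 850_000),
    (250_000, 250_000, 0),        # loss equal to total revenue
    (80_000_000, 9_000, 0),
    (10_000_000, 120_000, 30_000),
    (3_000_000_000, 2_500_000, 0),
]

# Assumed log-spaced bin edges in percent of revenue (0.001% .. 100%).
BIN_EDGES_PCT = [0.001, 0.01, 0.1, 1, 10, 100]


def loss_pct(revenue: float, loss: float) -> float:
    """Initial loss as a percentage of the victim's annual revenue."""
    return 100.0 * loss / revenue


def bin_label(pct: float) -> str:
    """Assign a normalized loss to the half-open log10 bin [lo, hi) it falls in."""
    for lo, hi in zip(BIN_EDGES_PCT, BIN_EDGES_PCT[1:]):
        if lo <= pct < hi:
            return f"{lo:g}%-{hi:g}%"
    return ">=100%" if pct >= 100 else "<0.001%"


def severity_histogram(events) -> dict:
    """Count events per normalized-loss bin (the 'Distribution of Initial Loss Severity')."""
    counts = {}
    for revenue, loss, _ in events:
        label = bin_label(loss_pct(revenue, loss))
        counts[label] = counts.get(label, 0) + 1
    return counts


def recovery_stats(events) -> dict:
    """Share of events with any recovery, and the median recovered fraction among them."""
    fractions = [recovered / loss for _, loss, recovered in events if recovered > 0]
    return {
        "share_with_any_recovery": len(fractions) / len(events),
        "median_recovery_fraction": median(fractions) if fractions else 0.0,
    }


if __name__ == "__main__":
    for label, n in sorted(severity_histogram(EVENTS).items(),
                           key=lambda kv: math.log10(float(kv[0].split("%")[0].lstrip(">=<")))):
        print(f"{label:>14}: {n}")
    print(recovery_stats(EVENTS))
```

On the constructed sample, four of eight events land in the 0.01%-0.1% bin and one is a total loss, while only three events show any recovery; swapping in real claims rows of the same shape reproduces the report’s two distributions.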
Preventing Business Email Compromise Events
The historical claims evidence shows BEC events can affect companies of any size or industry, and can potentially have devastating financial impacts. However, companies have multiple options to decrease the likelihood of experiencing a BEC event.
A successful BEC event hinges on the threat actor persuading an employee to transfer money to a fraudulent account, despite the employee’s better judgment.
The attacker sends an email from either a look-alike address or a compromised account of a vendor or higher-up.
The goal is to convince the recipient to transfer funds. There are three main strategies to prevent a successful BEC attack:
- Prevent threat actors from accessing organization email accounts.
- Stop fraudulent emails from reaching employees.
- Train employees to identify fraudulent emails to avoid engaging with the threat actor.
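The tactics listed under “Evolving Tactics and Techniques” (spoofed senders, look-alike domains) and the second prevention strategy above (stopping fraudulent emails before they reach employees) both come down to inspecting inbound mail for the signals the report describes. The Python below is an added example of a defender-side triage check and is not code from the report or from Marsh or Guy Carpenter. It assumes a hypothetical allowlist of vendor domains, a small homoglyph table, an edit-distance threshold of 2, and constructed sample messages; it flags look-alike sender domains, Reply-To mismatches, failed SPF/DKIM/DMARC results in the Authentication-Results header, and the payment pretexts the report mentions.

```python
"""Triage an inbound email for BEC indicators: look-alike sender domain,
reply-to mismatch, failed email authentication, and wire-transfer pretexts."""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Hypothetical allowlist of domains the organisation actually corresponds with.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}

# Pretext phrases the report describes: urgency, invoices, changed bank details.
PRETEXT_PHRASES = ("wire transfer", "urgent", "updated bank", "new account", "invoice")

# Constructed, non-exhaustive table of characters swapped in look-alike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = domain.translate(HOMOGLYPHS).replace("rn", "m")
    for trusted in TRUSTED_DOMAINS:
        # Threshold of 2 is a tuning assumption; short domains may need a tighter one.
        if norm == trusted or edit_distance(norm, trusted) <= 2:
            return trusted
    return None


def auth_failures(msg) -> list:
    """Collect spf/dkim/dmarc results other than 'pass' from Authentication-Results."""
    header = str(msg.get("Authentication-Results", ""))
    fails = []
    for part in header.split(";"):
        part = part.strip()
        for mech in ("spf", "dkim", "dmarc"):
            if part.startswith(mech + "=") and not part.startswith(mech + "=pass"):
                fails.append(part.split()[0])
    return fails


def assess(raw: str) -> dict:
    """Parse a raw RFC 822 message and return the indicators found."""
    msg = Parser(policy=policy.default).parsestr(raw)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()

    findings = []
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} resembles trusted {imitated}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender {from_domain}")
    findings.extend(f"authentication failure: {f}" for f in auth_failures(msg))
    hits = [p for p in PRETEXT_PHRASES if p in text]
    if hits:
        findings.append("payment pretext phrases: " + ", ".join(hits))
    return {"from_domain": from_domain, "findings": findings,
            "hold_for_review": len(findings) >= 2}


# Constructed sample: look-alike domain ("rn" for "m"), foreign Reply-To, failed auth.
SUSPECT = """From: "CFO Pat Lee" <pat.lee@exarnple-corp.com>
Reply-To: pat.lee@mail-relay-example.net
To: ap@example-corp.com
Subject: Urgent vendor payment
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=exarnple-corp.com; dkim=none; dmarc=fail
Content-Type: text/plain; charset="utf-8"

Please process the attached invoice by wire transfer today to the new account below.
"""

# Constructed benign sample from the real domain with passing authentication.
BENIGN = """From: "Pat Lee" <pat.lee@example-corp.com>
To: ap@example-corp.com
Subject: Meeting notes
Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Attached are the notes from this morning's meeting.
"""

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(assess(sample))
```

A message that trips two or more indicators is held for human review rather than silently dropped, so that a legitimate vendor whose mail merely fails DKIM is not blocked outright; the homoglyph table and distance threshold are starting points to tune against the organisation’s own vendor list.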
To explore tactics for preventing BEC events and the specific controls to implement, we can use the Marsh Cyber Self-Assessment alongside Marsh claims data. The Marsh Cyber Self-Assessment (CSA) is a questionnaire filled out by Marsh clients to assess their cyber posture. It covers a broad range of cybersecurity topics, including multifactor authentication (MFA), cybersecurity training, and data protection.
Top 4 controls from the CSA by signal strength
| Tactic | Control | Signal Strength |
| Prevent threat actors from gaining access | Our organization uses an authenticator application as a secondary method for MFA. | 2.85 |
| Helping employees identify fraudulent emails | Our cybersecurity awareness program materials train users to avoid common cyber-risks and threats, such as social engineering and phishing. | 2.45 |
| Prevent malicious emails from reaching employees | The endpoint security tool(s) are configured to block (as opposed to solely notify of) suspected malicious processes and files. | 2.36 |
| Prevent threat actors from gaining access | Our organization’s technical controls detect known compromised/breached passwords on the dark web or other sources and enforce a password reset. | 2.29 |
Any CSA control with a signal strength greater than 1 shows a positive correlation between companies having implemented that control and a lower frequency of BEC events.
Business Email Compromise may not always capture sensational headlines like ransomware attacks or cloud outages, but it undeniably poses a significant cyber threat to companies worldwide.
Its insidious nature lies in its ability to exploit human vulnerabilities, leveraging social engineering tactics to deceive employees and manipulate financial transactions. Unlike some cyber threats that target specific vulnerabilities or systems, BEC’s impact is wide-ranging, affecting companies of all sizes and across all major industry sectors.
AUTHORS: Jess Fung – North America Cyber Analytics Lead, Head of Analytics Sales – North America at Guy Carpenter, Shu Iida – Senior Vice President, Cyber CAT Analytics at Guy Carpenter, Carol Aplin – Senior Vice President, Principal Cyber Modeler, Marsh McLennan Cyber Risk Analytics Center of Excellence