Enterprise Organisations Have as Much as an 85% Chance of Receiving a BEC Attack Every Week

20/09/2021 08:31 By Bill
Blog courtesy of KnowBe4

Written by Stu Sjouwerman

Business Email Compromise is a multi-billion dollar business, representing 43% of all cybercrime last year. Despite it being dwarfed in the news by ransomware, it represents a growing and consistent threat.

We’ve seen recent rises in BEC activity – along with a number of other cyberattacks – in both frequency and cost. But BEC tends to get lost in the shuffle; particularly when ransomware news has ransoms in the millions of dollars and seems to happen every day. But BEC is just as impactful a cyberattack and, from the latest data, seems to be happening quite frequently.

Keep in mind that most BEC attacks are limited in scope to the one and only CFO in your organisation or a small group of individuals in the finance department. The good news is as the organisation grows, the number of BEC attacks won’t necessarily increase. The bad news is that threat actors only need to focus on a few people to be successful.

In addition to enterprises having a high probability of attack, according to Abnormal Security’s Q3 2021 Email Threat Report, businesses of every size are at risk:

    • Small organisations under 500 employees have a 42% probability of receiving a BEC attack each week
    • Mid-sized organisations, a 60-70% chance

Part of this growth is the expansion in operational methods used by cybercriminal groups seen on the dark web. Posts on cybercrime forums have been spotted that attempt to recruit or outsource functions related to BEC scams – particularly those looking for native-English speakers to help improve the credibility and efficacy of social engineering elements in BEC attacks.

Because BEC relies heavily on social engineering and on spoofing a company, a domain, or an individual, putting employees through Security Awareness Training is an effective way to minimise the threat surface of phishing attacks and stop BEC attacks before they have an opportunity to make an organisation a victim.

Can hackers spoof an email address of your own domain?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO Fraud", penetrating your network is like taking candy from a baby.

Now they can launch a "CEO fraud" spear phishing attack on your organisation, and that type of attack is very hard to defend against unless your users have had thorough security awareness training.

Find out now if your domain can be spoofed. The Domain Spoof Test (DST) is a one-time free service. Run this test so you can address any mail server configuration issues that are found.
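The "mail server configuration issues" that let a domain be spoofed are usually a missing or permissive SPF record and a missing or monitor-only DMARC policy. The script below is an added example, not KnowBe4's Domain Spoof Test and not code from this post: it parses the SPF and DMARC TXT records a domain publishes and reports why a forged "From: ceo@your-domain" would or would not be rejected by a receiver that enforces both. The domain names and records are constructed samples, not real DNS data; to check your own domain, replace them with the output of a TXT lookup for `your-domain` and `_dmarc.your-domain`.

```python
"""Assess whether a domain's SPF and DMARC records leave it open to From: spoofing.

Added example, not KnowBe4's Domain Spoof Test. The records below are
constructed samples for made-up .test domains, not real DNS answers.
"""
import re

# Constructed sample TXT records, as returned by a TXT lookup of the domain
# (SPF) and of _dmarc.<domain> (DMARC). None means no record was published.
SAMPLE_RECORDS = {
    "weak.test": {
        "spf": "v=spf1 include:_spf.mailprovider.test ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.test",
    },
    "hardened.test": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.test -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@hardened.test",
    },
    "norecords.test": {"spf": None, "dmarc": None},
}


def parse_spf(record):
    """Return the qualifier on the terminal 'all' mechanism ('+', '-', '~' or '?'),
    or None if there is no SPF record, it is malformed, or it has no 'all' term."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # RFC 7208: a missing qualifier means '+'
    return None  # no 'all' term: unlisted senders get a Neutral result


def parse_dmarc(record):
    """Split a DMARC record into a lower-cased tag -> value dict; {} if invalid."""
    if not record:
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess(spf_record, dmarc_record):
    """Return human-readable findings on the weaknesses in the two records."""
    findings = []
    qualifier = parse_spf(spf_record)
    if qualifier is None:
        findings.append("SPF: no record or no terminal 'all'; unauthorised senders are not failed")
    elif qualifier in ("+", "?"):
        findings.append(f"SPF: '{qualifier}all' permits or ignores unlisted senders")
    elif qualifier == "~":
        findings.append("SPF: '~all' is softfail only; many receivers still deliver")

    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "").lower()
    if not dmarc:
        findings.append("DMARC: no valid record; receivers apply no policy to a forged From: header")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofed mail to spam rather than rejecting it")
    if dmarc and "rua" not in dmarc:
        findings.append("DMARC: no rua= address; you will not receive aggregate reports of spoofing attempts")
    return findings


def spoofable(spf_record, dmarc_record):
    """True when a forged From: header for the domain is likely to be delivered.

    SPF alone checks the envelope (MAIL FROM) sender, not the From: header the
    user sees, so only an enforcing DMARC policy (quarantine or reject) ties the
    visible From: domain to an SPF/DKIM pass.
    """
    dmarc = parse_dmarc(dmarc_record)
    return dmarc.get("p", "none").lower() not in ("reject", "quarantine")


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        verdict = "SPOOFABLE" if spoofable(recs["spf"], recs["dmarc"]) else "protected"
        print(f"{domain}: {verdict}")
        for finding in assess(recs["spf"], recs["dmarc"]):
            print("  -", finding)
```

The verdict deliberately depends on the DMARC policy rather than on SPF alone: a domain with a strict `-all` SPF record but no DMARC record still shows as spoofable, because a receiver has no instruction to compare the From: header domain against the SPF or DKIM result. Moving from `p=none` to `p=quarantine` and then `p=reject`, once the `rua=` reports show legitimate mail is aligned, is the configuration change that actually closes the gap.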

Bill