Business email compromise (BEC) has been called the “sneaky cybercrime” that’s a “hacker gold rush” – while high-profile ransomware attacks dominate headlines, BEC is quietly costing organizations billions of dollars every year. It’s also the most common type of advanced email attack reported this year and the one that security leaders are most concerned about.
That’s according to Tessian’s State of Email Security Report, the first edition of an annual report that reveals and analyzes the latest trends in advanced email threats and data loss in today’s enterprises. The report explores the top cyberattacks targeting companies, the consequences of these attacks and how they’re slipping through the cracks.
We sat down with Josh Yavor, Chief Information Security Officer at Tessian, to discuss the report's findings and BEC in more depth:
Why does BEC continue to be a security challenge for organizations?
BEC remains one of the greatest security challenges because of how successful social engineering attacks are. It’s a tried-and-tested method that is relatively low effort and high reward for cybercriminals. Attackers know that employees are human, and that mistakes happen, especially if tired or simply not paying close attention. We know from a previous study that employees are more likely to make mistakes when they are distracted or tired, which could have serious consequences. Employees might not be thinking critically about an email they receive that appears to come from an otherwise trusted client, when in reality it’s a cybercriminal impersonating the client.
What was most surprising about this research?
The findings around business email compromise (BEC) are staggering but not necessarily surprising – BEC consistently tops the charts as the most prevalent type of cybercrime that costs organizations the most money. Tessian found that business leaders are the most concerned about BEC, and they should be, especially given how consistently effective social engineering tactics remain. In 2022 alone we’ve seen many high-profile companies across multiple industries fall victim to social engineering attacks. Social engineering will be the leading root cause of major cyberattacks for the foreseeable future because it’s proven to work, is low cost, and when one path becomes more difficult – such as corporate email – attackers will shift to other communication methods.
That’s why it was surprising to see that while most organizations have a Secure Email Gateway (SEG) or native security features from a cloud provider in place, over six in 10 security leaders (62%) with a SEG said advanced email threats bypassed those defenses in 2022. Traditional email defenses no longer work reliably enough against the advanced social engineering techniques that bad actors deploy today.
How does the security threat increase during these macroeconomic changes and mass layoffs?
Macroeconomic changes and mass layoffs significantly increase security threats. Just as we saw with the global pandemic, general uncertainty can lead to fatigue, stress and distraction, and cybercriminals are banking on people to make security mistakes.
Layoffs also present a challenge with insider threats and data exfiltration, and with ensuring that employees do not take company information with them. For example, an employee may intentionally send data or documents to their personal account and not even fully understand how it can impact the company’s security. Most security awareness training programs today focus on inbound threats, but fail to adequately address the handling of sensitive data internally. But data loss – whether accidental or intentional – is a major threat and should be treated as a top priority, especially during layoffs.
How can organizations prepare and defend themselves against email-based threats?
CISOs and business leaders need to focus on how they can defend and protect employees both within and, critically, beyond the walls of corporate systems. On the corporate side, security teams should focus on preventing as many malicious emails from reaching inboxes as possible, but anticipating that some will get through. For those that do, they should ensure resilience by empowering employees with tools to help them avoid being tricked and by de-risking the impact of employees engaging with phishing emails by responding, opening files, or clicking links. Beyond the corporate boundaries, attackers are increasingly targeting employees in social engineering scams that originate on their personal networks – through LinkedIn, text messages or their personal email account – with the ultimate goal of compromising the workplace. For example, if an employee’s laptop is compromised, the attacker can often gain access to the personal email of the employee to then attempt to social engineer their employer’s IT team into giving them access. Attackers don’t respect work-life boundaries, so we need to continue investing in security programs that support and enable our employees in their personal lives while still maintaining the right balance and boundaries. Employees who are encouraged and empowered to get help from their security team at work for security risks in their personal lives will ultimately be more resilient to attacks that span the work/life boundaries.