- 70% of organizations surveyed in the 2024 Arctic Wolf Trends Report reported that they were the targets of an attempted business email compromise (BEC) attack within the last 12 months
- 25% of Arctic Wolf® Incident Response engagements in the first quarter of 2024 were BEC engagements
- Finance was the most impacted industry followed by the construction industry
- Only 25% of BEC engagements in the first quarter of 2024 did not have multi-factor authentication (MFA), compared to 58% in 2023
Cybersecurity moves fast, and the latest threats to reach organizations worldwide are being built on the back of artificial intelligence (AI) models that spit out accurate code, realistic messages, and lifelike audio and video designed to fool people. But as headline-grabbing as AI-based attacks appear to be, they aren’t driving the most breaches globally. That would be BEC attacks, in which attackers leverage stolen access to a business email account to create a scam that results in financial gain.
BEC attacks emerged this past year as a top attack method, with 70% of organizations surveyed in the 2024 Arctic Wolf Trends report stating that they were the targets of an attempted BEC attack within the 12 months. What’s more, a significant number of these attacks landed, as 25% of Arctic Wolf Incident Response engagements in the first quarter of 2024 were BEC engagements. Of these, finance was the most impacted industry, followed closely by the construction industry.
On the bright side, these heavily impacted industries appear to be taking identity access management (IAM) tools like MFA to heart. Arctic Wolf found that only 25% of BEC engagements in the first quarter of 2024 did not have MFA, compared to 58% in 2023, suggesting the overall security posture of these organizations is improving. But actually enforcing identity management measures, rather than purchasing and then “setting-and-forgetting” them, is still an essential step that could be liable for the other 75% of all BEC engagements, where MFA was adopted by the impacted organization, but enforcement and enablement protocols varied.
There are several likely reasons why MFA attacks are still occurring. Some threat actors use “phishing kits” that essentially spoof a legitimate login page, fooling their target into entering their credentials. Those credentials are forwarded to the actual login page, triggering an MFA prompt that the phishing site forwards to the victim, who fills that out as well –– granting the threat actor access to their targeted service. One example of these kits is EvilProxy, which researchers have found advertised on the dark web. There are other techniques to work around MFA as well, such as MFA fatigue attacks, in which attackers send a flood of login attempts in the hope that a user will click “accept” at least once.
Thankfully, security leaders and vendors can engineer solutions that are more resistant to these types of attacks. Using techniques like app-based authenticators with time-based one-time passwords (TOTP) to gain access provide greater resiliency against MFA-based attacks, but no matter the process, security leaders need to ensure that their users aren’t simply opting out of an MFA protocol when it’s offered to them.
These attacks aren’t only widespread, they’re devastating, both financially and resource-wise, for the victims. According to IBM’s 2023 Cost of a Data Breach Report, BEC scams are the third-most expensive type of breach, costing an average of $4.67 million USD across four activities: detection and escalation, post-breach response, lost business, and notification. There are several different types of BEC scams, including attackers impersonating an attorney, a company executive, or a known vendor or supplier. Attackers may also attempt to engage in product theft or data theft and may have the strategic goal of compromising a legitimate email account at an organization to further their scheme.
BEC Threat Spotlight
Recently, Arctic Wolf identified a BEC-based phishing campaign targeting Canadian construction companies, in which attackers leveraged a compromised email account to share a PDF document which contained a link to a phishing site displaying a spoofed Microsoft 365 login page, intending to compromise other companies. While the tactics employed in this campaign are not new, they are still effective at deceiving victims, especially in the construction industry. Construction was the second-most impacted industry by BEC attacks in 2023 and so far in 2024, according to engagements worked by Arctic Wolf Incident Response.
No matter the size of the business, whether it’s a single-person contractor or a large manufacturing company, these types of organizations typically leverage email tools to process their invoices and conduct business. That expands the attack surface for threat actors to launch BEC attacks with, making them easier and more effective.
Why Do Threat Actors Turn To BEC?
One reason for the prevalence of BEC campaigns is that they are fairly easy for threat actors to distribute. The most common root cause of these incidents stems from sophisticated phishing campaigns, which have been made even more successful with AI. Many organizations have also moved to cloud-based email services like Office365, which makes these hyper realistic phishing campaigns tricky to detect. This is why it’s critical for organizations to employ BEC-specific detection tools or services when they’re adopting cloud-based messaging platforms.
Another explanation for the rise of BEC-based attacks is law enforcement’s disruption of prominent ransomware groups. When these groups are broken up, the number of ransomware attacks tend to decrease, at least temporarily, leaving BEC-based attacks to take up a larger percentage of attacks overall. For example, when an international law-enforcement task force took down the Lockbit ransomware gang on February 19, 2024, the number of ransomware incidents decreased, shifting the prevailing attack method to BEC. This kind of ebb-and-flow in attack techniques will continue to happen as long as ransomware groups are being broken up or have to go into hiding to evade arrest.
Unfortunately, even if an organization has deployed the best security tools available, the largest risk factor in all organizations is still the human element. With BEC attacks launched daily, an organization’s security posture is only as strong as their least –security-aware employee, who could slip up and grant credentials to an especially clever attacker.
Defending Against BEC Attacks
1. Reducing human risk is key, because security starts and ends with users, not tools. Engaging employees with security awareness training that’s easy to digest will help them retain the security knowledge they need. Employees have to be able to absorb up-to-date security awareness training tips without burning out –– or zoning out –– from hours-long lessons. Security awareness training is a crucial piece of the puzzle for organizations looking to build a resilient cybersecurity posture, but it’s not the entire solution. It takes more than a single tool or single focus to stop BEC attacks, especially in today’s evolving threat landscape.
2. Security-aware organizations should ensure they’re well protected by enforcing robust identity controls, including MFA and password-less authentication techniques. Leaders should work with their vendor partners to ensure that these measures are being enforced, not just purchased and enabled. BEC attacks require access for them to be carried out successfully, and security measures that make it difficult for attackers to gain access remotely –– like biometric security measures or requiring a second device to gain access –– can successfully mitigate these attacks.
3. Strong IAM techniques will also go a long way in mitigating the effectiveness of BEC campaigns. BEC attacks often evade traditional cybersecurity tools, and to detect these attacks, organizations need monitoring software that can ingest and analyze data while integrating into an email service, such as understanding that somebody trying to log in from locations all around the world is probably not a real person. Even if these attacks are successfully initiated, strong IAM principles will assist in limiting the scope of the attacker’s purview within the environment.
