Last week, the FBI released the 2019 Internet Crime Report and once again, business email compromise (BEC) topped the list of most financially damaging threat vectors. In 2019, BEC and email account compromise (EAC) complaints alone accounted for more than $1.7 billion in losses, increasing by 160% in just two years. The FBI estimates that BEC has cost individuals and businesses $26 billion worldwide over the last 5.5 years.
What does the current threat landscape look like?
“Criminals are getting so sophisticated. It is getting harder and harder for victims to spot the red flags and tell real from fake” says Donna Gregory, chief of the Internet Crime Complaint Center. Gregory is right—the number of attack types hasn’t risen significantly, but threat actors are becoming increasingly intelligent about how they deploy existing scams. When BEC attacks first made their way into inboxes seven years ago, attackers often posed as CEOs, CFOs, and other high-level executives who could approve wire transfers or access Personally Identifiable Information (PII) like W-2s. Over time, attackers expanded their targets, beginning to spoof vendor and legal advisor email accounts in order to access the information they sought. Seven years later, malicious actors are stepping their game up, creating customized attacks that target both entire departments and individual employees. Since 2018, attackers have been increasingly targeting HR departments, spoofing general employee accounts to get HR employees to divert direct deposits to other bank accounts or prepaid cards.
All in all, the IC3 Report underlines the fact that threat actors are investing significant time and energy in crafting their attacks. There has been a clear shift from generic executive impersonations towards sophisticated, personalized attacks targeting specific individuals and departments within organizations.
How can organizations reduce risk from phishing scams?
While it’s unrealistic to expect any technology to catch 100% of these complex, sophisticated attacks, organizations need to shift their view of email security away from a binary, threat-blocking mindset toward treating it as a multifaceted risk management function. That means email security solutions that not only detect threats before an attack, but also analyze an email’s many risk factors and reduce the damage to the organization when an attack evades the first level of defense.
Organizations looking to reduce risk from phishing scams should:
- Lower user engagement with risky email not only via security awareness training, but also through clear, context-specific warnings when users interact with a potential threat.
- Enable remediation teams to search, identify, and remove those threats from the environment.
- Empower employees with in-the-moment tools and information so that they become a strong first line of defense rather than victims of these attacks.
- Take on better methods of authentication for email and cloud-based tools to reduce the risk of credential theft and effectively prevent account takeover.
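As an added example (not GreatHorn's code), the following Python scores an inbound message against the warning signs this page describes, an employee display name on an external sender address, a redirected Reply-To, and payroll-change language, and turns the findings into a context-specific warning for the HR recipient. The staff directory, internal domain, keyword list and sample message are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed staff directory (hypothetical names and domain), normally from the identity provider.
INTERNAL_DOMAIN = "example.com"
INTERNAL_STAFF = {"jane doe": "jane.doe@example.com", "pat chen": "pat.chen@example.com"}
PAYROLL_TERMS = ("direct deposit", "routing number", "bank account", "prepaid card")

def assess(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    score, reasons = 0, []
    # Display name matches an employee, but the address is outside the company.
    known = INTERNAL_STAFF.get(name.strip().lower())
    if known and sender_domain != INTERNAL_DOMAIN:
        score += 3
        reasons.append(f"claims to be {name} ({known}) but was sent from {addr}")
    # Replies are quietly redirected to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != sender_domain:
        score += 1
        reasons.append(f"replies go to {reply}, not to the sender")
    # Payroll-change language: the lure used against HR staff.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [t for t in PAYROLL_TERMS if t in text]
    if hits:
        score += 2
        reasons.append("asks to change payroll details (" + ", ".join(hits) + ")")
    level = "high" if score >= 5 else "medium" if score >= 2 else "low"
    warning = "" if level == "low" else (
        f"Warning ({level} risk): this email " + "; ".join(reasons)
        + ". Confirm the request with the employee by phone before acting.")
    return {"level": level, "score": score, "reasons": reasons, "warning": warning}

# Constructed sample: a payroll-diversion lure impersonating an employee.
LURE = """\
From: Jane Doe <jane.doe.personal@mail-example.net>
Reply-To: payroll-update@other-mail-example.org
Subject: Update to my direct deposit
Content-Type: text/plain; charset="utf-8"

Hi, I changed banks. Please update my direct deposit to the new
routing number before Friday's payroll. Thanks, Jane
"""

if __name__ == "__main__":
    print(assess(LURE)["warning"])
```

The same scoring works for executive or vendor impersonation, since any name in the directory paired with an external address triggers the first check; only the keyword list needs to match the lure in play.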
GreatHorn’s cloud-native email security platform protects Microsoft Office 365 and Google G Suite customers from both malware threats and sophisticated social engineering attempts. In one Fortune 500 company, we identified more than 50,000 threats (business email compromise, credential theft, malicious links, malicious URLs, and more) that were missed by both a traditional secure email gateway and Microsoft ATP.