35% of All Security Incidents are Business Email Compromise Phishing Attacks
With attackers looking for the fastest route from initial attack to a big payout, BEC tactics are shifting to adjust to organizations being better prepared.
According to new data from security vendor GreatHorn in its 2021 Business Email Compromise Report, BEC is not just alive and well; it is moving away from its traditional focus on purely malwareless social engineering tactics.
- Spoofing – 71% of BEC attacks use a spoofed email account or website to establish credibility. This can be in the form of display name, a lookalike domain, or even a compromised account.
- Spear Phishing – 69% of BEC attacks utilize spear phishing, likely to increase their chances of reaching the right persons within an organization who have influence over money. According to the report, Finance is targeted 57% of the time, with CEOs next (22%) and IT third (20%).
- Malware – 24% of BEC attacks still leverage malware as part of the attack. This one is interesting because it signals the cybercriminals' intent to gain internal access, likely to obtain elevated privileges and reach financial applications to perform discovery (e.g., get the details on a big payment coming in and then defraud the paying company by using a second BEC attack on their finance people).
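The spoofing bullet above lists the three forms the report breaks out: display-name impersonation, lookalike domains, and compromised accounts. The first two can be triaged mechanically from the From: header before a message reaches Finance. The script below is an added example, not code from the original post or from GreatHorn; the organization domain `example-corp.com`, the executive directory, the partner allow-list and the sample headers are all constructed for illustration. It flags a From: header when the display name matches a known executive but the address is not that executive's real mailbox, or when the sending domain is within a small edit distance of the protected domain (including common homoglyph swaps such as `rn` for `m`). A compromised account cannot be caught this way, since the header is genuine; that case needs behavioral or authentication signals instead.

```python
"""Triage inbound From: headers for the two spoofing patterns that are visible
in the header itself: display-name impersonation and lookalike domains.
Added example; every domain, name and header below is constructed."""
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"                          # assumed protected domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # assumed exec directory
SAFE_PEER_DOMAINS = {"bank-partner.example"}             # assumed known partners


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold common homoglyph substitutions so 'rn'/'m', '1'/'l', '0'/'o' collapse."""
    return domain.lower().replace("rn", "m").replace("1", "l").replace("0", "o")


def is_lookalike(domain: str) -> bool:
    """True when the domain imitates ORG_DOMAIN but is not it (or a known peer)."""
    if not domain or domain == ORG_DOMAIN or domain in SAFE_PEER_DOMAINS:
        return False
    if normalise(domain) == normalise(ORG_DOMAIN):
        return True
    return levenshtein(domain, ORG_DOMAIN) <= 2


def classify_from_header(from_header: str) -> list:
    """Return zero or more findings for one raw From: header value."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    if is_lookalike(domain):
        findings.append(f"lookalike-domain:{domain}")
    key = name.strip().lower()
    # Display name matches an executive, but the mailbox is not theirs.
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        findings.append(f"display-name-impersonation:{key}")
    return findings


def triage(headers: list) -> dict:
    """Map each header to its findings; empty list means nothing suspicious."""
    return {h: classify_from_header(h) for h in headers}


# Constructed sample headers, not captured from any real mailbox.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example-corp.com>",          # genuine
    "Jane Doe <jane.doe@gmail.example>",             # display-name impersonation
    "Accounts Payable <ap@exarnple-corp.com>",       # rn-for-m lookalike
    "Jane Doe <jane.doe@examp1e-corp.com>",          # both signals at once
    "Vendor Billing <billing@bank-partner.example>", # allow-listed partner
]

if __name__ == "__main__":
    for header, findings in triage(SAMPLE_HEADERS).items():
        print(f"{header:50} -> {findings or 'clean'}")
```

Tuning the edit-distance threshold is the main design choice: 2 catches single-character swaps and one-character additions on a domain of this length, but on very short domains it will over-match, so in practice the threshold should scale with domain length and the partner allow-list should be maintained from the vendor master file rather than hand-edited.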
At the end of the day, BEC is nothing more than a targeted phishing attack that uses very specific social engineering tactics to gain the recipient's trust and get them to carry out some financial transaction. According to the report, 71% of orgs feel their users are prepared to identify a phishing email, and yet 43% of those very same orgs said they experienced a security incident in the last 12 months.
Sounds like an opportunity for some better continual Security Awareness Training to keep those folks in Finance, the C-Suite, and IT (as well as everyone else in the organization) up to date on the latest BEC tactics and scams.