Business Email Compromise is a multi-billion dollar business, representing 43% of all cybercrime last year. Despite it being dwarfed in the news by ransomware, it represents a growing threat.

We’ve seen recent rises in BEC activity – along with a number of other cyberattacks – in both frequency and cost. But BEC tends to get lost in the shuffle; particularly when ransomware news has ransoms in the millions of dollars and seems to happen every day. But BEC is just as impactful a cyberattack and, from the latest data, seems to be happening quite frequently.

Keep in mind that most BEC attacks are limited in scope to the one and only CFO in your organization or a small group of individuals in the finance department. The good news is as the organization grows, the number of BEC attacks won’t necessarily increase. The bad news is that threat actors only need to focus on a few people to be successful.

In addition to enterprises having a high probability of attack, according to Abnormal Security’s Q3 2021 Email Threat Report, businesses of every size are at risk:

  • Small organizations under 500 employees have a 42% probability of receiving a BEC attack each week
  • Mid-sized organizations, a 60-70% chance

Part of this growth is the expansion in operational methods used by cybercriminal groups seen on the dark web. Posts on cybercrime forums have been spotted that attempt to recruit or outsource functions related to BEC scams – particularly those looking for native-English speakers to help improve the credibility and efficacy of social engineering elements in BEC attacks.

Because BEC relies pretty heavily on social engineering and spoofing companies, domains, and/or an individual, putting employees through Security Awareness Training is an effective way to minimize the threat surface of phishing attacks and stop BEC attacks before they have an opportunity to make an organization a victim.