Business email compromise attacks are tiny in volume, large in damage

Business email compromise attacks are a tiny percentage of all spear-phishing attacks, and target a very small number of users, but are estimated to have caused $26 billion in losses over the last four years.

Today, security vendor Barracuda is releasing the third installment of a set of reports around the four main types of spear-phishing attacks. This one is focused on business email compromise, with the others being: brand impersonation; scamming for personally identifiable information; and blackmail, which is typically around what is known as sextortion attacks. All the reports are based on an analysis by Barracuda of 1.5 million spear-phishing emails.

Business email compromise makes up only 7% of all spear-phishing attacks, but the FBI says it has caused more than $26 billion in losses in the last four years. The crooks typically impersonate an employee in the organization, or else a partner or a vendor, and typically request either a wire transfer or personally identifiable information from people in a position to provide them. They are hard to detect because they rarely include a URL or malicious attachment.

“Our top line finding is that attackers are really taking the time to research their targets,” said Asaf Cidon, Professor of Electrical Engineering and Computer Science at Columbia University and a Barracuda Adviser. Cidon was formerly SVP of Email Protection at Barracuda before taking the Columbia position, and still works closely with them on different projects and with their customer advisory council.

“91% of these attacks take place on weekdays, and during business hours,” Cidon noted. “They don’t send them on holidays.” Less than 10% come on weekends, and the number sent on Fourth of July weekend was 94% below average.

“They attack a small number of employees, with most being under six employees, because more broadly shared emails are more likely to be shared and blocked,” Cidon added. Sending a small number of emails also makes it easier to monitor responses. 94.5% of all these attacks target fewer than 25 people.

Cidon also noted that business email compromise attacks share many similarities with legitimate email marketing.

“They use email marketing 101 tactics,” he said. “They focus, rather than go broad. They use short, snappy messages with a clear call to action. They convey a sense of urgency. These are all techniques of legitimate marketers.” The study noted that 85% of all these compromise attacks are urgent requests designed to get a fast response. 59% ask for help, and 26% ask about availability.

Payroll and direct-deposit scams, which target HR, finance and payroll departments by pretending to be an employee and asking for their pay to be deposited into a fraudulent account, are increasing in frequency. Between January 2018 and June 2019, the average dollar loss reported in these complaints was $7,904, an increase of more than 815% from the previous 18 months.

Business email compromise attacks have high click-thru rates. One in 10 spear-phishing emails successfully tricks a user into clicking. That number triples if the attack impersonates someone within the organization. Cidon said that the information needed to impersonate an insider convincingly can come from bought lists, from information available on LinkedIn, or in some cases, from the attacker taking the time to infiltrate the company and get into Active Directory.

“The click-thru rate doesn’t mean that compromise took place,” Cidon said. Still, in the past 12 months, the average amount lost per organization due to spear-phishing attacks was $270,000.

“These attacks are really affecting a large percentage of organizations,” Cidon stated. “It’s important to note that it’s not just happening to state level agencies or banks. It does affect everything.”

Cidon stressed that much traditional email security was not designed to combat this particular threat.

“A lot of email security systems were built in the age of spam, where the key was volume – identifying the same email over and over,” he said. “So it used blacklisting and domain reputation and looking for phrases. All that is of no value here. Instead of volume, you have a small number of emails. The attacker will open a Gmail account and send a dozen emails and shut it down. We developed our Sentinel spearphishing solution because the reputation-based systems didn’t work on this. You can’t just block all Gmails.” Gmail is – by far – the most common domain for these attacks.

Cidon described anti-spearphishing products as an automated, intelligent way of producing a set of rules which are much more robust.

“It identifies things like a financial call to action inside the email, and works against emails that have never been seen before,” he said.

Cidon also emphasized that best practice is to deploy spearphishing defense products as one part of a total defense strategy.

“There are additional layers they should have, like an email security spam filter, an intelligent layer to look for social engineering attacks, and what we call protection against the human factor,” he said. “That’s security awareness training against these methods, what’s called the human firewall. Customers also need to make sure links and emails are blocked off on the networks. A strong password manager with multi-factor authentication is also important. There are also capabilities like DMARC [Domain-based Message Authentication, Reporting and Conformance], an email authentication protocol. It will stop attackers from spoofing a domain, although they can still spoof a name.”
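The two gaps Cidon describes, a forged internal domain (which DMARC catches) versus a real free-mail account carrying an employee’s display name (which DMARC passes), can be illustrated with a small detection heuristic. This is an added example, not Barracuda’s Sentinel logic or anything from the report; the directory, domain lists, keyword patterns and sample messages are all constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed sample data: a tiny internal directory (display name -> real mailbox)
# and the organisation's own domains. A real deployment would pull these from
# the directory service rather than hard-coding them.
INTERNAL_DIRECTORY = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}
# Free webmail providers an attacker can sign up for at no cost (assumed list).
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

# Content signals the report highlights: urgency, a financial ask, "are you available?"
URGENCY = re.compile(r"\b(urgent(ly)?|asap|immediately|right away)\b", re.I)
FINANCIAL = re.compile(
    r"\b(wire transfer|direct deposit|bank account|gift cards?|invoice|payroll|w-2s?)\b", re.I)
AVAILABILITY = re.compile(
    r"\b(are you (available|free|at your desk)|got a (minute|moment))\b", re.I)


def score_message(from_header, subject, body, dmarc_result):
    """Return the list of BEC indicators found in one message.

    dmarc_result is the verdict the receiving mail server recorded
    ("pass", "fail" or "none") for the From: domain.
    """
    reasons = []
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]

    # Gap 1: the sender forges one of OUR domains. An enforced DMARC policy
    # catches this, so a non-passing verdict on an internal domain is a strong signal.
    if domain in INTERNAL_DOMAINS and dmarc_result.lower() != "pass":
        reasons.append("dmarc-fail-internal-domain")

    # Gap 2: the sender uses an employee's display name on a mailbox they really
    # control. DMARC passes here, so the name itself must be checked against the directory.
    expected = INTERNAL_DIRECTORY.get(name.strip().lower())
    if expected and addr != expected:
        reasons.append("display-name-impersonation")
    if domain in FREEMAIL_DOMAINS:
        reasons.append("freemail-sender")

    text = subject + "\n" + body
    if URGENCY.search(text):
        reasons.append("urgency")
    if FINANCIAL.search(text):
        reasons.append("financial-call-to-action")
    if AVAILABILITY.search(text):
        reasons.append("availability-probe")
    return reasons


def is_suspicious(reasons, threshold=2):
    """Flag for review when two or more independent indicators co-occur."""
    return len(reasons) >= threshold
```

The point of the threshold is that a single signal (a free-mail sender, or the word "urgent") is common in legitimate mail; it is the combination of a sender identity mismatch with a financial call to action that characterises the attacks the report describes.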

“No single system is a silver bullet,” Cidon emphasized.