In fact, in 2017 $1.4B in electronic fraud was reported to the FBI, an increase of almost 50% from 2013. 40% of this billion dollar loss was a result of “business email compromise”, a type of fraud that targets businesses that do wire transfers (last year both Google and Facebook fell prey to this scam and lost over $100M to a single scammer).
In light of this recent epidemic, the NewtonX Research Team decided to investigate the scope of business email compromise for enterprises, as well as tech-first solutions that companies are employing and developing. The Research vertical utilized NewtonX’s proprietary Q3 (qual-quant-qual) approach to gaining insights on the subject, and the data and insights in this article are informed by this investigation.
300,000 yearly incidents and 80% YoY incident growth: the outbreak that affected 96% of businesses
Last year, while fraud losses from corporate data breaches shrank 36% (as companies increasingly prioritized cybersecurity), business email compromise (BEC) grew 80% year over year, with over 300,000 incidents reported (and likely many more that were not reported). Typically, email compromises consist of a malicious agent submitting a fake invoice, often one that emulates a real company that the targeted company works with, to an accounting person. As evidenced by the high profile companies who have fallen prey to these scams, they are highly effective, and difficult for many victims to detect.
The industry with the highest incident rate is Financial Services, which accounted for nearly 20% of all reported cases (it’s worth noting, however, that financial services are more likely to report incidents than other industries). Government and healthcare also have high fraud rates due to billing and invoice fraud.
In total, 96% of businesses have been affected by a BEC at some point. The vast majority of impersonators (43%) claim to be CEOs, while the majority of victims are CFOs and finance/HR professionals. Simple training for spotting a BEC can be difficult, especially in large organizations, where simply turning to ask the CEO if a message is legit is not an option.
So what are all of these companies doing about it?
Beyond training: what tech companies are doing to fight BEC
In February of this year, Symantec launched Email Fraud Protection, an automated solution for protecting against BEC that targets employees, partners, and customers. Companies including Area 1 and Agari have also launched similar automated systems.
Prior to solutions such as this, most companies would either rely on training employees to spot tell-tale signs, or would manually enforce email authentication standards such as DomainKeys Identified Mail (DKIM) or Domain-based Message Authentication, Reporting & Conformance (DMARC), which prevents your businesses’ domain from being used in an attack. While effective, these methods can be time consuming and often require highly technical resources to ensure employees don’t get “false positives” that block non malicious emails. Because of this, many smaller companies either have very little email protection or end up funneling significant resources into cumbersome manual protection.
BEC attacks also tend to evolve quickly, making automated protection difficult. While there are some deception techniques, such as email address manipulation (adding or subtracting a single letter), that can easily be detected by a filtration system, there are others that are more difficult to detect. For instance, more sophisticated scammers can gain access to the actual email of the person they’re impersonating — making automated detection extremely difficult.
Additionally, where five years ago many BEC attacks included links, BEC protection software can now usually catch attacks with links — which has changed the game. Many scams are now deployed as plaintext asking the recipient to do a wire transfer.
With more than $12B in losses since 2013, companies and governments are becoming increasingly cautious of emails
BEC scams are responsible for over $12B in global loss since 2013. While many companies are responding to this with an increased reliance on fraud detection software, individual employees have also become more and more wary of emails asking for urgent wire transfers. The combination of these two factors is likely to curb the number of successful attacks over the next five years, until malicious agents come up with their next scheme.