Global corporates are failing to recognise the full scale of the threat posed by business email compromise (BEC) – also known as CEO fraud or ‘whaling’ – according to new figures from cybersecurity specialists Trend Micro.
In a survey of more than 2,400 European and US decision-makers in the enterprise-IT arena, the organisation found that just 12% consider BEC a high-priority cyberthreat.
The top three forms of cybercrime thought to pose the greatest threats emerged as:
Trend Micro noted that just 12% of respondents considered BEC a large-scale danger, “indicating that businesses are underestimating the impact of these attacks”.
BEC stings typically take the form of bogus emails purporting to be from senior corporate figures, asking finance staffers to transfer large amounts of money to bank accounts that turn out to be owned by fraudsters.
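The controls that catch this kind of lure key off exactly the mismatch described above: an executive's name on a message whose real address, sender domain or reply path points somewhere else, coupled with payment language. The following Python is an added example, not code from the original article or from either vendor's product; the executive list, the corporate domain `example-corp.com`, and both sample messages are constructed.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed policy data for a hypothetical organisation: executives who are
# commonly impersonated, and the domain their mail legitimately comes from.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
CORP_DOMAIN = "example-corp.com"
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice", "bank details")

def normalise(name):
    # lower-case, strip punctuation and collapse spaces: "Jane  DOE" -> "jane doe"
    return " ".join(re.sub(r"[^a-z ]", "", name.lower()).split())

def is_lookalike(domain):
    # a near-identical domain (a 0 for an o) or one embedding the corporate label
    close = difflib.SequenceMatcher(None, domain, CORP_DOMAIN).ratio() >= 0.8
    return domain != CORP_DOMAIN and (close or CORP_DOMAIN.split(".")[0] in domain)

def assess(raw_message):
    # return the BEC indicators found in one RFC 5322 message as a list
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    name = normalise(display)
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append("executive display name with mismatched address")
    if is_lookalike(from_domain):
        findings.append("lookalike sender domain")
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        findings.append("Reply-To domain differs from From domain")
    if any(word in msg.get_payload().lower() for word in PAYMENT_WORDS):
        findings.append("payment request language")
    return findings

# Constructed samples: a BEC-style lure and a benign internal note.
SUSPECT = """\
From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: ceo.office@mail-example.net
Subject: Urgent

Please process this wire transfer today and keep it confidential.
"""
LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
Subject: Lunch

See you at noon.
"""
```

`assess(SUSPECT)` returns all four indicators while `assess(LEGIT)` returns an empty list; in practice the executive list and domain would come from the directory rather than being hard-coded.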
As the research explained, scams of this nature “are proving to be incredibly lucrative, resulting in an average of $140,000 in losses for global companies in 2016”.
Interestingly, just days after Trend Micro published its research, further findings from fellow cybersecurity firm Proofpoint showed that, in the final quarter of 2016, BEC attacks jumped by 45% among firms in the US, UK, Canada, Germany, France and Australia.
In a statement, the firm said: “Companies of all sizes are prone to BEC attacks. [Our] data indicates no correlation between the size of the company and BEC attack volume.
“Larger companies make for attractive targets because they have more funds to draw on and greater organisational complexity to hide behind, even if they tend to have stricter financial controls. And while smaller companies may not yield the same returns, the relative absence of financial controls makes them more vulnerable.”
However, some sectors proved to be more BEC-prone than others.
“Manufacturing, retail and technology organisations are generally more targeted with BEC attacks,” Proofpoint stressed – adding that those types of companies are hit “repeatedly every month”, as cybercriminals “look to take advantage of more complex supply chains and Software-as-a-Service (SaaS) infrastructures, which often accompany these industries”.
Infiltration is also becoming more pervasive, Proofpoint warned: “While CEO impersonation continues in BEC attacks, cybercriminals are increasingly targeting victims deeper within organisations.
“There is a shift beyond simple fraudulent CEO-to-CFO BEC attacks to CEO-to-different employee groups. For example, to accounts payable for wire-transfer fraud attempts, to human resources for confidential tax information and identities – and engineering for intellectual property theft.”
These pieces of research have arrived amid an escalation of BEC’s media profile. In August last year, for example, Leoni AG – Europe’s largest maker of electrical cables – lost $44.6m in a single email fraud incident.
And, in a widely reported statement published only days before Proofpoint released its findings, the US Department of Justice revealed that it had charged a Lithuanian man with carrying out BEC scams worth a total of $100m against two undisclosed internet giants.