Analysis: Social Engineering Drives BEC Losses to $50B Globally

Business email compromise (BEC) continues to evolve on the back of sophisticated targeting and social engineering, costing business worldwide more than $50 billion in the last 10 years — a figure that reflected a growth in business losses to BEC of 17% year-over-year in 2022, according to the FBI.

The agency's Internet Crime Complaint Center (IC3) 2022 report on BEC found that US business have lost more than $17 billion to these types of scams between October 2013 and December 2022, with global businesses counting losses of nearly $51 billion for the same period, according reports that the IC3 receives from organizations.

The number of organizations that have reported falling victim to BEC in the US alone over these years is 137, 601 across all 50 states — a number that's likely higher as it represents only the incidents that have been reported to the FBI, security professionals say. This means the total losses attributed to BEC for companies not just in the US but also globally is probably a lot higher than reported numbers as well, they say.

Despite organizations' overall increased awareness of and defense against BEC — which has been an attack vector for more than a decade — it continues to represent a thriving cybercriminal activity.

Security professionals attribute BEC's continued dominance in the cyber threat landscape to a number of reasons. A key one is that attackers have become increasingly savvy in how to socially-engineer messages so that they appear authentic to users, which is the key to being successful at this scam, Oren Falkowitz, field chief security officer for Cloudflare, tells Dark Reading.

"Successful BEC is not about being clever, it is about authenticity and achieving legitimacy in the eyes of the victim," Falkowitz says in an email. "Part of seeming legitimate is following physical events and trends in the news closely — which end up being leveraged and having resonance in cyberspace."

One example of this is the IC3's call-out of an uptick in attacks on the real estate sector, which reported a loss of $446.1 million to BEC in 2022. While this represented only a slight increase over a reported loss of $430.5 million from that sector in 2021, that figure showed nearly a doubling of BEC losses in real estate from 2020, during which real-estate organizations reported a loss of $258.4 million, according to the IC3.

This surge in BEC attacks on real estate appears to be continuing due to struggles in that sector, of which threat actors have noted and are taking advantage, Falkowitz says. "BEC having a nexus to the real estate sector in this year's report could be traced back to the commercial real estate crunch and the repurposing of cities," he says.

Silent, But Deadly

BEC is a type of attack in which threat actors use deception and impersonation to compromise legitimate business or personal email accounts to conduct an unauthorized transfer of funds or otherwise defraud a victim by obtaining access to personally identifiable information (PII) related to financial accounts.

Due to its inherent nature, BEC is well known for causing major financial loss not only for companies but also individuals. However, the rise in notoriety of ransomware over the past couple of years has allowed BEC attackers to fly somewhat under the radar while significantly boosting their impact, another contributing factor to its rise, notes one security expert.

"While ransomware has been grabbing the headlines over the past two years, BEC has quietly said 'hold my beer,' while surpassing itself as the most prolific and costliest form of cybercrime," Mika Aalto, co-founder and CEO at enterprise security awareness firm Hoxhunt, says.

He cited the Verizon DBIR reported released last week, which found that the cost and incidence of BEC doubled over 2022. In fact, the security industry's focus on ransomware may have actually contributed to BEC's rise during this time, as law enforcement have pursued ransomware gangs, imposing sanctions and leading to tightened cyber-insurance policies, while "BEC remains low-risk and highly profitable," Aalto says.

The rise of social engineering in general as a successful tactic by cybercriminals also is adding to the insidious and robust nature of BEC, security professionals say. In fact, another notable finding of Verizon DBIR report is that phishing and "pretexting," — i.e., impersonation of the sort commonly used in BEC attacks — dominated social-engineering scene last year. In 2022, pretexting gambits — which add to the perceived legitimacy of BEC attacks — nearly doubled since the year before and now represent 50% of all social engineering attacks, the report found.

"Social engineering is all about trust, and by gaining access to someone's account — usually someone in a position of authority — and masquerading as that person, the attacker lowers the barrier of trust immensely as they manipulate victims into ill-advised activities," Aalto notes.

How the Enterprise Can Respond

The continued success of BEC means these attacks are here to stay, which means organizations will be forced to respond with even stronger security measures, security experts say.

"The problem isn't going away," concurs Avkash Kathiriya, senior vice president of research and innovation at threat intelligence management firm Cyware. "While enterprises have made significant progress, they are still vulnerable to social engineering, while smaller businesses and individuals are being targeted by increasingly sophisticated scams."

Due to the key success factor of these scams — exploitation of the human element and weak points in an organization's security infrastructure — it is "particularly challenging to defend against using traditional security measures alone," observes Igor Volovich, vice president of compliance strategy at compliance firm Qmulos.

For this reason, he advises that organizations move towards continuous monitoring and assessment of their internal security controls in real time, which will allow them to "promptly detect control anomalies or failures that can lead to successful BEC incidents," he says.

"This approach provides organizations with the agility to respond swiftly to emerging threats, reducing the window of opportunity for scammers to exploit vulnerabilities, converging the timelines between security, compliance, and risk management to deliver a unified, real-time picture of enterprise risk posture," Volovich says.

Generative AI — which BEC attackers are increasingly using in the form of ChatGPT and other technologies to help them craft socially engineered messages — could also be leveraged by organizations to defend against attacks, says Patrick Harr, CEO at anti-phishing firm SlashNext.

"IT security pros need to implement AI capabilities which combine natural language processing, computer vision, and machine learning with relationship graphs and deep contextualization to thwart sophisticated multi-channel messaging attacks," he says.

Organizations should also strengthen workforce education efforts to help employees identify malicious campaigns and messages — which typically employ fake social media profiles, blogs, email accounts, and the like to establish trust and rapport — leveraged by BEC attackers, Harr adds.

Indeed, as BEC attacks commonly originate from phishing campaigns or social engineering methods, "it's paramount that organizations foster a robust cyber awareness training culture," concurs Jay Gohil, risk manager at Cowbell, a provider of AI-powered cyber insurance.