35% of All Security Incidents are Business Email Compromise Phishing Attacks

35% Security Incidents are BEC Phishing AttacksWith the bad guys looking for the fastest means to get from attack to a big payout, BEC tactics are shifting tactics to adjust to organizations being better prepared.

According to new data from security vendor GreatHorn, in their 2021 Business Email Compromise Report, BEC is not just alive and well, but is changing from the traditional focus of solely using malwareless social engineering tactics.

  • Spoofing – 71% of BEC attacks use a spoofed email account or website to establish credibility. This can be in the form of display name, a lookalike domain, or even a compromised account.
  • Spear Phishing – 69% of BEC attacks utilize spear phishing, likely to increase their chances of reaching the right persons within an organization who have influence over money. According to the report, Finance is targeted 57% of the time, with CEOs next (22%) and IT third (20%).
  • Malware – 24% of BEC attacks still leverage malware as part of the attack. This one is interesting because it denotes the cybercriminals intent of gaining internal access, likely to gain elevated privileges and access financial applications to perform discovery (e.g., get the details on a big payment coming in and then defraud the company paying by using a second BEC attack on their finance people).

At the end of the day, BEC is nothing more than a targeted phishing attack using very specific social engineering tactics to gain the trust of the recipient to get them to engage in some financial transaction. According to the report, 71% of orgs feel their users are prepared to identify a phishing email, and yet 43% of the very same orgs said they experienced a security incident in the last 12 months.

Sounds like an opportunity for some better continual Security Awareness Training to keep those folks in Finance, the C-Suite, and IT (as well as everyone else in the organization) up to date on the latest BEC tactics and scams.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:


Subscribe To Our Blog

Ransomware Hostage Rescue Manual

Get the latest about social engineering

Subscribe to CyberheistNews