Business email compromise (BEC) scams, phishing campaigns, and other targeted email attacks happen all over the world, but they don’t take the same form in every region.
To better understand the threat landscape for organisations in Europe, the Agari Cyber Intelligence Division (ACID) surveyed 305 senior European IT security professionals from a range of industries attending Infosecurity Europe this past June. The findings are captured in the new 2019 Email Threat Survey Report: Europe Under Siege.
Among our many findings: while threats such as BEC are a problem everywhere, fraudsters' preferred pay-out methods differ significantly between Europe and North America. More concerning, survey respondents appear to have unrealistically high levels of confidence in their current email security measures, despite clear evidence that those measures are routinely failing to stop today's most advanced email scams.
A Region Beset by BEC Scams
The cost and scale of this issue may be more far-reaching than previously understood. Respondents in our survey paint the picture of a region plagued by BEC attacks, phishing-based credential harvesting scams, malicious payload campaigns and email-based extortion.
Their responses align with a growing body of evidence that things are going from bad to worse. In early November Europol's European Cybercrime Centre (EC3) reported that advanced email attacks are now the primary attack vector for cybercriminals targeting EU companies.
But as Interpol's new #BECareful campaign points out, the rise of more sophisticated, "frictionless" email attacks is the greatest cause for alarm. Often employing socially engineered, plain-text messages, these malicious emails easily bypass most corporate email security systems undetected. According to our survey, 87% of European businesses were targeted by such sophisticated, low-tech email scams during the 12-month period ending in June.
Cloak Meets Dagger: Identity Deception Tactics
Survey responses also capture a snapshot of prevailing email spoofing techniques used by cybercriminals targeting organisations in this region.
Forty-six percent of the senior IT professionals report that phishing attacks they dealt with during the preceding 12 months included domain spoofing, which involves the use of an actual email address belonging to the impersonated identity in the "From" header.
This is in part driven by the fact that the region lags in implementing Domain-based Message Authentication, Reporting and Conformance (DMARC), the email authentication protocol that prevents unauthorised senders from sending email from companies' domains.
Perhaps more troubling, however, 53% of respondents suffered email attacks involving display name deception, an attack modality that entails impersonating a trusted individual or brand in the sender's display name while the actual address belongs to an unrelated domain. Meanwhile, 41% encountered email scams that used lookalike, or close cousin, domains to deceive recipients.
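The three tactics above can be triaged from the From: header alone. The following is an added illustration, not code from the survey or from Agari: it takes a constructed list of trusted names and domains (hypothetical values) and tags a header as an exact trusted domain (where only the gateway's DMARC/SPF/DKIM verdict can separate legitimate mail from domain spoofing), a lookalike domain, or display name deception.

```python
import unicodedata
from email.utils import parseaddr

# Constructed list of identities this organisation trusts (assumption: in a real
# deployment this comes from an executive/vendor list, not a hard-coded dict).
TRUSTED = {
    "example bank": "examplebank.com",
    "acme finance": "acmefinance.example",
}

def fold(s):
    """Collapse common look-alike substitutions so 'examp1ebank' ~ 'examplebank'."""
    s = unicodedata.normalize("NFKC", s).lower()
    for bad, good in (("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("vv", "w")):
        s = s.replace(bad, good)
    return s

def levenshtein(a, b):
    """Edit distance; catches typo-style cousins such as 'exmaplebank.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, trusted):
    if domain == trusted:
        return False
    if fold(domain) == fold(trusted):          # examp1ebank.com, exarnplebank.com
        return True
    if levenshtein(domain, trusted) <= 2:      # exmaplebank.com, examplebank.co
        return True
    brand = trusted.split(".")[0]
    return brand in domain                     # examplebank-secure.com, examplebank.com.evil.example

def classify(from_header):
    """Return sorted identity-deception indicators for one From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    name = fold(name)
    findings = set()
    for trusted_name, trusted_domain in TRUSTED.items():
        if domain == trusted_domain:
            # Exact domain: legitimate mail and domain spoofing look identical here.
            findings.add(f"exact-domain:{trusted_domain} (check DMARC result)")
        elif is_lookalike(domain, trusted_domain):
            findings.add(f"lookalike-domain:{trusted_domain}")
        if trusted_name in name and domain != trusted_domain:
            findings.add(f"display-name-deception:{trusted_name}")
    return sorted(findings)
```

Lookalike matching here is deliberately loose (brand substring, edit distance of two), which is appropriate for flagging mail for review rather than for blocking it outright.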
Key Differences in Pay-out Methods
According to a number of industry reports, gift cards now represent the primary pay-out method for BEC attacks on companies in the US. By contrast, nearly half (48%) of our European survey respondents say the traditional banking system is the payout channel of choice for email scammers targeting their organisations.
An "urgent" email request from someone who appears to be a trusted contact is often all it takes to manipulate a recipient into making a banking transfer to a fraudster's account before recognizing they've been played.
Respondents report pay-out amounts sought in these scams fall into two categories: high-volume campaigns designed to steal a thousand pounds or less, and low-volume, highly targeted attacks intended to score £1 million or more.
While most attacks fall into the first category, the latter can be outrageously lucrative for the perpetrators. One recent BEC scam against a European subsidiary of automotive giant Toyota, for instance, resulted in $37 million in losses.
Then there are the other costs associated with successful email attacks. Phishing schemes that result in data theft cost UK-based organisations an average £3.18 million per incident. And that's before any regulatory consequences. The Marriott-Starwood data breach, which investigators believe started with a phishing campaign, resulted in a $123 million fine under GDPR's sweeping privacy protection rules, for instance.
Nation-state Email Attacks Expected to Soar
In addition to the significant financial and reputational damage associated with advanced email threats, European survey respondents fear email attacks from foreign operatives will emerge as a major threat to their organisations over the next five years.
In July, Microsoft notified 10,000 email users that their accounts were targeted or compromised in attacks sponsored by Iran, Russia and North Korea. And in October, the UK’s National Cyber Security Centre reported that together with China, these same countries rank among the nation-states most actively targeting organisations in the UK—particularly those in government, higher education and the tech industry.
While not necessarily focused on stealing money, these attacks can be far more costly than a few thousand, or even a few million, pounds. According to a study from Lloyd's of London, a single state-sponsored cyberattack initiated through email could disrupt international business operations, utilities, transportation systems, banking networks and more—leading to as much as $193 billion in economic damage worldwide.
Misplaced Confidence in Existing Controls
Our survey delivered one surprising, and utterly confounding, insight. Despite rising BEC attack rates, mounting financial losses, and growing concerns over the risks posed by nation-states, 82% of senior European IT security professionals describe themselves as either "quite confident" or "very confident" in the email security controls they currently have in place.
Unfortunately, secure email gateways (SEGs) and the security controls built into cloud-based email platforms are no match for the kind of BEC scams and phishing campaigns that so easily evade defences. That's because no matter how good gateway or perimeter controls may be, they're simply not designed to detect attacks that spoof trusted senders and domains, carry no malicious payloads, and exploit recipients' trust.
Learn more about the European BEC threat landscape and what security professionals in the region think is coming next. Download the 2019 Email Threat Survey Report: Europe Under Siege.