Email Security Blog

BEC Attacks on the Rise in Europe: 2019 Email Threat Survey

Suela Vahdat November 19, 2019 BEC, Email Security

Business email compromise (BEC) scams, phishing campaigns, and other targeted email attacks happen all over the world, but they don’t take the same form in every region.

To better understand the threat landscape for organisations in Europe, the Agari Cyber Intelligence Division (ACID) surveyed 305 senior European IT security professionals from a range of industries attending Infosecurity Europe this past June. The findings are captured in the new 2019 Email Threat Survey Report: Europe Under Siege.

Among our many findings: while threats such as BEC are a problem everywhere, fraudsters' preferred pay-out methods differ significantly between Europe and North America. More concerning, survey respondents appear to have unrealistically high levels of confidence in their current email security measures, despite clear evidence that those measures are routinely failing to stop today's most advanced email scams.

A Region Beset by BEC Scams

The cost and scale of this issue may be more far-reaching than previously understood. Respondents in our survey paint the picture of a region plagued by BEC attacks, phishing-based credential harvesting scams, malicious payload campaigns and email-based extortion.

Their responses align with a growing body of evidence that things are going from bad to worse. In early November Europol’s European Cybercrime Centre (EC3) reported that advanced email attacks are now the primary attack vector for cybercriminals targeting EU companies.

But as Interpol's new #BECareful campaign points out, the rise of more sophisticated, "frictionless" email attacks is the greatest cause for alarm. Often employing socially engineered, plain-text messages, these malicious emails easily bypass most corporate email security systems undetected. According to our survey, 87% of European businesses were targeted by such sophisticated, low-tech email scams during the 12-month period ending in June.

Cloak Meets Dagger: Identity Deception Tactics

Survey responses also capture a snapshot of prevailing email spoofing techniques used by cybercriminals targeting organisations in this region.

Forty-six percent of the senior IT professionals report that phishing attacks they dealt with during the preceding 12 months included domain spoofing, which involves the use of an actual email address belonging to the impersonated identity in the “From” header.

This is in part driven by the fact that the region lags in implementing Domain-based Message Authentication, Reporting and Conformance (DMARC), the email authentication protocol that lets a domain owner instruct receivers to reject or quarantine mail that fails SPF or DKIM alignment, which is what stops unauthorised senders from using the company's domain in the "From" header.

Perhaps more troubling, however, 53% of respondents suffered email attacks involving display name deception, an attack modality that entails impersonating a trusted individual or brand in the human-readable part of the "From" header while the actual address belongs to an unrelated domain. Meanwhile, forty-one percent encountered email scams that used lookalike, or close cousin, domains to deceive recipients.
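The three identity deception tactics above map onto three different checks a receiving mail system has to make, and DMARC only covers the first of them. The following added example (not Agari's code or part of the survey) shows a minimal header classifier that flags each tactic from the "From" header and the upstream Authentication-Results header. The trusted domain, the staff directory, the confusable-character table and the sample messages are all constructed for illustration; a real deployment would draw the directory and trusted domains from its own identity systems.

```python
"""Classify sender-identity deception tactics in an inbound message:
domain spoofing, display name deception and lookalike domains.
Added example with constructed data; not code from the original post."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed: the organisation's own domain(s) and a tiny staff directory
TRUSTED_DOMAINS = {"example.co.uk"}
KNOWN_PEOPLE = {"alice finch": "alice.finch@example.co.uk"}

# Constructed table of common character substitutions seen in lookalike domains
_SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                  ("3", "e"), ("5", "s"), ("7", "t")]


def normalise(domain: str) -> str:
    """Fold confusable characters so 'examp1e' compares equal to 'example'."""
    domain = domain.lower()
    for bad, good in _SUBSTITUTIONS:
        domain = domain.replace(bad, good)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance for near-miss domain comparison."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def dmarc_result(msg) -> str:
    """Read the dmarc= verdict the receiving MTA stamped in Authentication-Results."""
    header = str(msg.get("Authentication-Results", ""))
    match = re.search(r"dmarc=(\w+)", header)
    return match.group(1).lower() if match else "none"


def classify(raw_message: str) -> list:
    """Return the deception tactics detected for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    findings = []

    if domain in TRUSTED_DOMAINS:
        # Our own domain in From: only DMARC alignment proves it is really us
        if dmarc_result(msg) != "pass":
            findings.append("domain_spoofing")
    else:
        # Foreign domain: does it merely resemble one of ours?
        for trusted in TRUSTED_DOMAINS:
            if normalise(domain) == trusted or edit_distance(domain, trusted) <= 2:
                findings.append("lookalike_domain")
                break

    # Display name of a known person paired with an address that is not theirs
    expected = KNOWN_PEOPLE.get(display_name.strip().lower())
    if expected and address.lower() != expected:
        findings.append("display_name_deception")
    return findings


# Constructed sample messages, one per tactic plus a legitimate control
SPOOFED = ("Authentication-Results: mx.example.co.uk; dmarc=fail header.from=example.co.uk\n"
           'From: "Alice Finch" <alice.finch@example.co.uk>\n\nUrgent transfer needed.\n')
DISPLAY_NAME = ("Authentication-Results: mx.example.co.uk; dmarc=pass header.from=freemail.example\n"
                'From: "Alice Finch" <alicefinch@freemail.example>\n\nAre you at your desk?\n')
LOOKALIKE = ("Authentication-Results: mx.example.co.uk; dmarc=pass header.from=examp1e.co.uk\n"
             'From: "Accounts Payable" <payments@examp1e.co.uk>\n\nUpdated bank details attached.\n')
LEGIT = ("Authentication-Results: mx.example.co.uk; dmarc=pass header.from=example.co.uk\n"
         'From: "Alice Finch" <alice.finch@example.co.uk>\n\nMinutes from today.\n')

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("display-name", DISPLAY_NAME),
                       ("lookalike", LOOKALIKE), ("legit", LEGIT)]:
        print(f"{label:13s} -> {classify(raw)}")
```

Note that the display name and lookalike cases both pass DMARC, because the sending domain really is the fraudster's own; that is why a gateway that only enforces authentication has nothing to reject, and why a directory-aware check on the display name and a similarity check on the domain have to sit alongside it.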

Key Differences in Pay-out Methods

According to a number of industry reports, gift cards now represent the primary pay-out method for BEC attacks on companies in the US. By contrast, nearly half (48%) of our European survey respondents say the traditional banking system is the payout channel of choice for email scammers targeting their organisations.

An “urgent” email request from someone who appears to be a trusted contact is often all it takes to manipulate a recipient into making a banking transfer to a fraudster’s account before recognizing they’ve been played.

Respondents report pay-out amounts sought in these scams fall into two categories: high-volume campaigns designed to steal a thousand pounds or less, and low-volume, highly targeted attacks intended to score £1 million or more.
While most attacks fall into the first category, the latter can be outrageously lucrative for the perpetrators. One recent BEC scam against a European subsidiary of automotive giant Toyota, for instance, resulted in $37 million in losses.

Then there are the other costs associated with successful email attacks. Phishing schemes that result in data theft cost UK-based organisations an average £3.18 million per incident. And that’s before any regulatory consequences. The Marriott-Starwood data breach, which investigators believe started with a phishing campaign, resulted in a $123 million fine under GDPR’s sweeping privacy protection rules, for instance.

Nation-state Email Attacks Expected to Soar

In addition to the significant financial and reputational damage associated with advanced email threats, European survey respondents fear email attacks from foreign operatives will emerge as a major threat to their organisations over the next five years.

In July, Microsoft notified 10,000 email users that their accounts were targeted or compromised in attacks sponsored by Iran, Russia and North Korea. And in October, the UK’s National Cyber Security Centre reported that together with China, these same countries rank among the nation-states most actively targeting organisations in the UK—particularly those in government, higher education and the tech industry.

While not necessarily focused on stealing money, these attacks can be far more costly than a few thousand, or even a few million, pounds. According to a study from Lloyd’s of London, a single state-sponsored cyberattack initiated through email could disrupt international business operations, utilities, transportation systems, banking networks and more—leading to as much as $193 billion in economic damage worldwide.

Misplaced Confidence in Existing Controls

Our survey delivered one surprising, and utterly confounding, insight. Despite rising BEC attack rates, mounting financial losses, and growing concerns over the risks posed by nation-states, 82% of senior European IT security professionals describe themselves as either “quite confident” or “very confident” in the email security controls they currently have in place.

Unfortunately, secure email gateways (SEGs) and the security controls built into cloud-based email platforms are no match for the kind of BEC scams and phishing campaigns that so easily evade defences. That’s because no matter how good gateway or perimeter controls may be, they’re simply not designed to detect attacks that spoof trusted senders and domains, carry no malicious payloads, and exploit recipients’ trust.

Learn more about the European BEC threat landscape and what security professionals in the region think is coming next. Download the 2019 Email Threat Survey Report: Europe Under Siege.
