ACID | Agari

Business email compromise (BEC) has grown into a billion dollar industry as cybercriminals use look-alike domains and display name deception to trick employees into revealing sensitive information, depositing money into criminally-owned bank accounts, and sending thousands of dollars in gift cards via email—all without ever touching a legitimate email account. When these criminals do gain access to an employee email account and use that access to spy on communications, gain knowledge of business operations, and send attacks on behalf of that employee, the damage can be much worse.

Have you ever received a blank email from someone you don’t know? If you have, it may have been from a cybercriminal making sure your email account is legitimate prior to a Business Email Compromise (BEC) attack. Agari and PhishLabs define BEC as any response-based spear phishing attack involving the impersonation of a trusted party to trick victims into making an unauthorized financial transaction or send sensitive materials.

DMARC adoption rose a tepid 1% in the first quarter of the year, with the rate of growth slowing compared to the last three months of 2018, according to our latest report on email security trends. That said, nearly 90% of Fortune 500 businesses remain unprotected against email-based impersonation attacks targeting their customers, partners, and other businesses. But Australian companies lead their peers around the world in putting the public at risk.

There is no denying that business email compromise (BEC) is big business, with losses exceeding a billion dollars in the United States in the last year alone. Globally, BEC attacks have cost more than $13 billion in the last five years. Chances are likely that you’ve probably been a recipient of one of these social-engineered emails yourself. But the question remains… who is behind these increasingly sophisticated email attacks, and why did they become so popular in recent years?