Managing cyber risk: business email compromise attacks
David Standish, VP, Global Cyber Claims Lead, Liberty Mutual Insurance & Vivian Freedman, SVP, Chief Claims Officer, Financial Lines, Liberty Mutual Insurance
In a business email compromise (BEC) attack, a scammer gains access to a user's business email account, reads the information inside it and, more often now than ever before, exploits the user's connections and reputation to trick the user's colleagues, clients, customers, and other contacts into sending money or confidential information. Victims stand to lose confidential data, intellectual property, their identities, and millions of dollars.
With more than 20,000 related complaints filed to the FBI in 2022 alone, BEC has become one of the most widespread and lucrative forms of online crime. Institutions should learn to recognize it and help protect themselves.
BEC scammers typically pose as a trusted figure, sometimes backed by look-alike websites or fraudulent business registrations filed in that figure's name in other jurisdictions. A scammer then might target:
The common denominator for all of these variations is email, which is commonly cited as the starting point for roughly 91 percent of cyberattacks.
Even a small BEC attack can cause significant damage. A single compromised email account can hold years of correspondence and attachments, sometimes terabytes of data. Understanding what has been compromised can involve hiring a cyber forensics vendor to identify every attachment the account has sent or received and determine what each one contained. Depending on the vendor and the volume of data requiring manual review, costs can easily spiral into the millions of dollars.
A successful BEC attack can lead to other costly consequences:
From false invoices and diverted payments to fake accounts, cybercrime can be lucrative. Evaluating and remediating the results of an attack can be costly as well.
Even the reasonable belief that protected information was accessed or acquired without authorization can trigger a variety of data-breach notification laws and contractual clauses. That can leave a company responsible for notifying hundreds or thousands of customers, partners, or employees, including those whose information may never have been touched, spreading the impact to the company's reputation and relationships. Regulators interpret notification laws strictly, and the burden falls on the organization to show which data was not exposed. Because mailbox audit and sign-in logs are often retained only for a limited period, or only under higher licensing tiers, organizations may simply lack the evidence needed to prove which information is still safe.
Cybercriminals can use data collected from a BEC to launch other attacks, stealing HR information to identify other targets, or credentials to access other systems in the future, or even intellectual property to leak to the public.
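Scoping the exposure described above (what an attacker could have read in the mailbox, and therefore who may need to be notified) usually starts with an inventory of every attachment the account sent or received. The following is an added example, not part of the original article or any Liberty Mutual tooling: it builds a small constructed mailbox export with Python's standard library, walks each message, hashes every attachment, and flags filenames that hint at protected data. The keyword list, addresses, dates and file contents are assumptions for illustration; a real engagement would run this over the exported .eml or .mbox files and tune the keywords to the organization's data classification.

```python
"""Inventory attachments in a compromised mailbox to scope a BEC exposure.

Added example, not from the original article. Everything below (addresses,
dates, file contents, keyword list) is constructed for illustration.
"""
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses, parsedate_to_datetime

# Filename fragments that often indicate regulated or protected data.
# Assumed list; tune it to your own data-classification scheme.
SENSITIVE_HINTS = ("w-2", "w2", "ssn", "payroll", "passport", "1099", "bank")


def build_sample_export() -> list[bytes]:
    """Constructed raw messages standing in for a mailbox export (.eml files)."""
    export = []

    m1 = EmailMessage()
    m1["From"] = "cfo@example.com"
    m1["To"] = "payroll@example.com"
    m1["Date"] = "Mon, 06 Mar 2023 09:15:00 +0000"
    m1["Subject"] = "Q1 payroll register"
    m1.set_content("Attached, as discussed.")
    m1.add_attachment(b"emp_id,name,ssn\n1001,A. Lee,***-**-1234\n",
                      maintype="text", subtype="csv", filename="payroll_Q1.csv")
    export.append(m1.as_bytes())

    m2 = EmailMessage()
    m2["From"] = "billing@vendor-example.net"
    m2["To"] = "ap@example.com"
    m2["Date"] = "Tue, 07 Mar 2023 14:02:00 +0000"
    m2["Subject"] = "Invoice 4471 and updated remittance details"
    m2.set_content("Please use the new account for this and future payments.")
    m2.add_attachment(b"%PDF-1.4 constructed invoice body", maintype="application",
                      subtype="pdf", filename="invoice_4471.pdf")
    m2.add_attachment(b"PK constructed docx body", maintype="application",
                      subtype="octet-stream", filename="bank_details_change.docx")
    export.append(m2.as_bytes())

    m3 = EmailMessage()
    m3["From"] = "hr@example.com"
    m3["To"] = "cfo@example.com"
    m3["Date"] = "Wed, 08 Mar 2023 08:00:00 +0000"
    m3["Subject"] = "Lunch?"
    m3.set_content("No attachment here.")
    export.append(m3.as_bytes())
    return export


def inventory_attachments(raw_messages: list[bytes]) -> list[dict]:
    """Return one record per attachment: who exchanged it, when, what it is."""
    parser = BytesParser(policy=policy.default)
    records = []
    for raw in raw_messages:
        msg = parser.parsebytes(raw)
        sender = str(msg.get("From", ""))
        recipients = [addr for _, addr in
                      getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
        sent = parsedate_to_datetime(str(msg["Date"])) if msg["Date"] else None
        for part in msg.iter_attachments():
            data = part.get_payload(decode=True) or b""
            name = part.get_filename() or "(unnamed)"
            records.append({
                "sender": sender,
                "recipients": recipients,
                "date": sent.isoformat() if sent else None,
                "filename": name,
                "content_type": part.get_content_type(),
                "size": len(data),
                # Hash lets reviewers dedupe the same file forwarded many times.
                "sha256": hashlib.sha256(data).hexdigest(),
                "sensitive_hint": any(h in name.lower() for h in SENSITIVE_HINTS),
            })
    return records


def exposure_summary(records: list[dict]) -> dict:
    """Aggregate the inventory into the numbers a breach-notification review needs."""
    flagged = [r for r in records if r["sensitive_hint"]]
    counterparties = set()
    for r in flagged:
        counterparties.add(r["sender"])
        counterparties.update(r["recipients"])
    return {
        "attachments": len(records),
        "unique_files": len({r["sha256"] for r in records}),
        "flagged": len(flagged),
        "counterparties": sorted(counterparties),
    }


if __name__ == "__main__":
    inv = inventory_attachments(build_sample_export())
    for r in inv:
        print(("!" if r["sensitive_hint"] else " "), r["date"], r["sender"],
              "->", ",".join(r["recipients"]), r["filename"], r["sha256"][:12])
    print(exposure_summary(inv))
```

The flagged records are the ones that go to manual review first; the hash column keeps the same file from being reviewed twice, and the counterparty list is a first cut at who may fall within a notification obligation. Keyword matching on filenames is only a triage heuristic, so unflagged attachments still need sampling before anyone concludes their contents were not protected.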
In recent years, there has been a steady uptick in BEC claims, particularly those involving false invoicing and the misdirection of funds to scammers. According to the FBI’s Internet Crime Report, the Bureau’s Internet Crime Complaint Center (IC3) received 21,832 BEC complaints in 2022, with more than $2.7 billion in adjusted losses. This is an increase compared to both 2021, with 19,954 complaints and $2.4 billion in losses, and 2020, which saw 19,369 complaints and losses of $1.8 billion.
Other trends include an increase in targeting victims' investment accounts instead of traditional bank accounts. According to the report, "[t]here was also an increasingly prevalent tactic by BEC bad actors of spoofing legitimate business phone numbers to confirm fraudulent banking details with victims." With the rise in remote work prompted by the COVID-19 pandemic, criminals are also increasingly using virtual meeting platforms to conduct BEC-related scams.
The profile of the BEC attacker is evolving as well. Reported ransomware complaints are trending down, plausibly because ransomware readiness and resiliency efforts by targets are paying off, while BEC complaints are on the rise. Compared with the relative sophistication of a ransomware operation, BEC requires far less technical effort: no malware and no exploitation, just a convincing message from a trusted-looking address. IC3 ransomware complaints fell 36 percent from 2021 to 2022, while BEC complaints continued to climb. Adjusted BEC losses reported to IC3 in 2022 came to some $2.7 billion, against $34.3 million for ransomware. Note that the IC3 ransomware figure counts only losses reported to the Bureau and excludes lost business, downtime, wages, and third-party remediation costs, so it understates the true cost of ransomware rather than measuring what attackers earned.
Fortunately, there are ways to help protect yourself and your institution from dangerous BEC attacks. The FBI makes recommendations for individuals that can be helpful for companies looking to institute data hygiene practices, including:
Good information hygiene and the practices above can keep BEC scammers at bay. So can working with your insurance partner on cyber coverage. With a cyber insurance policy, BEC victims experiencing a covered loss can reach out to their carrier or a vendor trained to respond to BEC incidents and minimize business interruption losses, including extra expenses and lost revenue.
Liberty Mutual’s dedicated underwriters, close partnerships with our clients and brokers, and expert mitigation and claim resources help us deliver cyber liability solutions appropriate to the individual needs of companies across geographies and industries.
This website is general in nature, and is provided as a courtesy to you. Information is accurate to the best of Liberty Mutual's knowledge, but companies and individuals should not rely on it to prevent and mitigate all risks, or as an explanation of coverage or benefits under an insurance policy. Consult your professional advisor regarding your particular facts and circumstances. By citing external authorities or linking to other websites, Liberty Mutual is not endorsing them.