93 percent of organizations suffer business email compromise attacks
The threat of business email compromise (BEC) is growing year on year and is projected to be twice as high as the threat of phishing in general.
According to a new report from cloud email security platform IRONSCALES, over 93 percent of organizations have experienced one or more of the BEC attack variants in the previous 12 months, with 62 percent facing three or more attack variants.
What’s more, 43.3 percent of respondents from large enterprises expect these BEC attacks to increase over the next 12 months. The report also goes on to reveal that finance employees and C-level executives are the two groups subject to the most frequent BEC attacks. However, around half of all groups report experiencing BEC attacks either daily, weekly, or monthly.
Fake invoices, data theft, and account takeover are the most common types of BEC attack. One in five organizations have experienced these types of attack in the past 12 months. Two in three organizations have faced three or more types of BEC attacks over this time, with data theft attacks occurring at the highest frequency.
The technology with the most to offer in terms of detecting and remediating BEC attacks that secure email gateways (SEGs) miss or classify as safe, is AI-powered anti-phishing tools. However, the report shows that only 55 percent of organizations are currently using such tools.
"The findings of this report should leave no doubt as to the scope and severity of today's business email compromise problem," says Audian Paxson, director of technical product marketing at IRONSCALES. "And yet, we find that many organizations remain ill-equipped to defend against this rising threat. The continued reliance on legacy email security solutions, such as SEGs, places organizations at significant risk. This report drives home the need for organizations to re-examine their approach to BEC security, by incorporating AI-enabled solutions that work in concert with regular phishing simulation testing and security awareness training. Employees should be part of the solution, not a liability."