28% of BEC Attacks Opened by Employees, New Data Shows
Since business email compromise attacks first started in the mid-2010s, they’ve created challenges for organizations worldwide. These text-based emails often bypass traditional security tools, and attackers have found increasingly savvy ways to trick employees into providing them with money and access to valuable data.
Today Abnormal released our H1 2023 Email Threat Report, focused on data from July to December 2022. The report examines recent developments in the email threat environment and focuses on the growing risk employees pose to cybersecurity.
Employee Reporting Rates Are Troublingly Low
If your organization relies on employee reporting to understand the full extent of attack frequency, we have bad news: only 2.1% of all known attacks are reported.
In the last six months of 2022, the average weekly number of BEC attacks per 1,000 mailboxes was 104. Scaled to a mid-market enterprise with 1,500-2,000 employees, that is roughly 150-200 attacks per week, and with a 2.1% reporting rate it means that every workday there are 30-40 attacks not reported to the security team. For organizations over that threshold, the number can be much, much larger.
On top of frighteningly low reporting rates for attacks, the majority of messages reported to security teams aren’t even malicious. On average, 84% of employee reports to phishing mailboxes are either safe emails or graymail. All this means that your security team is spending their time on emails that don’t matter, while those that are malicious stay in employee inboxes.
Why Aren’t Employees Reporting Malicious Emails?
There are a variety of reasons why an employee may choose not to report a potential attack.
The Bystander Effect
Though most often applied in emergency situations, the bystander effect also pertains to any environment in which multiple individuals are facing the same issue. This phenomenon can be summed up in five words: “Someone else will handle it.” Essentially, employees assume that they aren’t the only target of an attack and they don’t need to report the email because (surely) a coworker already has.
What should be emphasized is that even if a threat actor targets multiple employees in an organization, the sooner a malicious email is reported, the sooner all related messages can be remediated.
No Harm, No Foul
Some employees may believe that as long as they don’t engage with the attacker, they have fulfilled their obligation to the organization. But security professionals know that opting to just delete the email without reporting it can be almost as damaging since it eliminates the opportunity for the security team to warn other employees about the attack.
Employees need to understand that a message that they immediately recognize as a phishing attack or attempted invoice fraud may not raise any red flags for a colleague. And if they don’t report it, the threat actor can move on to their next target within the organization.
Fear of Being Wrong
The data shows that most reported emails are not actually malicious attacks. Knowing this, some employees may feel that they are not equipped to tell the difference between a safe email and an attack, and rather than submitting a report just in case, they decide not to—either out of fear of embarrassment or because they simply don’t want to create needless work for the security team.
When the consequences of a successful attack can be so costly, creating an environment where employees err on the side of “better safe than sorry” can be crucial.
Attackers Successfully Engage Employees at Organizations of All Sizes
Not only are employees neglecting to report attacks they encounter, but they are also engaging with these malicious emails at an alarming rate.
Between July and December 2022, we monitored the email environments for hundreds of organizations of various sizes in multiple industries. These companies had implemented Abnormal Inbound Email Security in passive, read-only mode, which means the Abnormal platform was integrated with the organization’s mail client but not actively blocking attacks.
During this period, the median open rate for text-based business email compromise attacks involving the impersonation of internal executives and external third parties was nearly 28%, with an overall average read rate of 20%. Even more concerning was that, of the malicious emails that were read, an average of 15% were replied to.
Further, while only 0.28% of recipients engaged with more than one attack, over one-third of replies were initiated by employees who had previously engaged with an earlier attack.
While the data cannot tell us why this is, there are a few plausible reasons why an employee might become a “repeat responder.”
Perhaps they didn’t receive sufficient training after the first incident. Employers should not assume that once an employee has experienced the negative consequences of falling victim to an attack, no additional coaching is needed to avoid repeating the error. In fact, as threat actors change their tactics, security awareness training is more important than ever before.
Another explanation could be that these employees are targeted by a greater volume of attacks—particularly if they work in finance. Even with adequate follow-up training, if an employee is bombarded with malicious emails at an above-average rate, the chances of them mistaking an attack for a valid email also increase.
And finally, there’s the possibility that after falling victim to an attack once, an employee may adopt the attitude that “lightning never strikes the same place twice.” In other words, rather than becoming more vigilant, they erroneously believe they won’t be targeted again.
Transportation, Automotive, and Healthcare Employees Most Likely to Reply
While professional services providers, educational institutions, and religious organizations received the highest volume of attacks during the last half of 2022, employees at these businesses were not the most likely to read and reply to malicious emails.
Our data showed that it was actually employees at transportation providers, automotive enterprises, and healthcare organizations who were most likely to reply to attacks.
Historically, transportation providers have focused more on physical security than cybersecurity. In fact, it’s only within the past five years that CEOs have started reporting cybersecurity as a top priority—and usually only after experiencing a major security incident.
For users in this industry, there is generally an increased sense of urgency with respect to maintaining operations. Resolving an issue quickly (whether that’s providing information or settling an outstanding balance) can mean the difference between business as usual and a catastrophic disruption in services. As a result, they may be more willing to reply to emails than employees in other industries.
While professionals in any industry are fighting an uphill battle against email attacks, employees at automotive enterprises are at a particular disadvantage. The names, positions, and contact information for employees at all levels (including executives) as well as the organizational hierarchy for auto groups are usually easily accessible—often on the company’s website. These are all details cybercriminals can easily leverage to make convincing socially-engineered attacks. In addition, automotive groups rely on complex supply chains and vast vendor ecosystems, which means attackers have ample third parties to impersonate and vulnerabilities to exploit.
And finally, employees at healthcare organizations are also at a greater risk of falling victim to socially-engineered attacks, albeit for different reasons. The healthcare industry tends to attract individuals who have a stronger desire to help others—a characteristic that cybercriminals will gladly use to their advantage. Further, there is a high rate of turnover in larger healthcare organizations and hospital systems, so employees are less likely to know their colleagues personally, making impersonation easier.
Employees Should Never Be Your Last (or First) Line of Defense
Your employees are your greatest asset. They also pose the greatest risk to your organization’s security. And when it comes to email attacks, the odds are stacked against them. While employees have to be right 100% of the time, threat actors only need to be right once—and attackers know this.
Because advanced email attacks like business email compromise and supply chain compromise exploit trusted email accounts and relationships, organizations need email security that can detect even small shifts in activity and content. The most effective email security platforms baseline known-good behavior across employees and vendors, and then detect and remediate malicious emails to prevent end-user engagement. By doing so, they can block these attacks before employees have to make a choice on whether to read, reply to, or report them.
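The baselining approach described above, as an added example that is not Abnormal's code: it learns which addresses each internal executive and vendor contact has legitimately used, then flags a message whose display name matches a known identity but whose address, domain, or Reply-To does not fit that history. All names, domains and messages are constructed.

```python
from email.utils import parseaddr

# Constructed known-good history (in practice: months of legitimate mail flow).
KNOWN_GOOD = [
    "Dana Patel <dana.patel@example-corp.com>",     # internal CFO
    "Acme Supplies AP <billing@acmesupplies.com>",  # external vendor contact
]
TRUSTED_DOMAINS = {"example-corp.com", "acmesupplies.com"}

def build_baseline(history):
    """Map each display name to the set of addresses it has legitimately used."""
    baseline = {}
    for sender in history:
        name, addr = parseaddr(sender)
        baseline.setdefault(name.lower(), set()).add(addr.lower())
    return baseline

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_message(headers, baseline, trusted):
    """Return the list of deviations from baseline found in one message's headers."""
    name, addr = parseaddr(headers.get("From", ""))
    name, addr = name.lower(), addr.lower()
    domain = addr.rpartition("@")[2]
    reasons = []
    known = baseline.get(name)
    if known and addr not in known:  # familiar display name, never-seen address
        reasons.append(f"display-name impersonation: '{name}' never sent from {addr}")
    if domain not in trusted and any(edit_distance(domain, t) == 1 for t in trusted):
        reasons.append(f"lookalike domain: {domain}")
    reply_to = parseaddr(headers.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to.rpartition("@")[2] != domain:  # replies routed elsewhere
        reasons.append(f"reply-to diverges from sender domain: {reply_to}")
    return reasons

# Constructed samples: one legitimate message, two impersonation attempts.
LEGIT = {"From": "Dana Patel <dana.patel@example-corp.com>"}
EXEC_IMPERSONATION = {"From": "Dana Patel <dana.patel.exec@webmail.example>",
                      "Reply-To": "dana.patel.cfo@mail.example"}
VENDOR_LOOKALIKE = {"From": "Acme Supplies AP <billing@acmesupplles.com>"}
```

Running `score_message` on the three samples against `build_baseline(KNOWN_GOOD)` yields no deviations for the legitimate message and two reasons for each impersonation attempt, which is the signal a platform would act on before the recipient ever sees the mail.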
For even more insight into the current email threat landscape, download our latest email threat report today.