Threat Report: BEC and VEC Attacks Show No Signs of Slowing
While novel threats like QR code phishing are undeniably gaining momentum, cybercriminals have by no means abandoned their tried-and-true attack strategies. Research shows that the frequency of business email compromise (BEC) and vendor email compromise (VEC) has consistently trended upward year after year.
BEC and VEC attacks are specifically designed to circumvent both users’ common sense as well as traditional security measures. Utilizing text-based emails with no traditional indicators of compromise allows threat actors to easily evade legacy email security solutions. And leveraging cunning social engineering techniques enables cybercriminals to establish trust and manipulate targets. This one-two punch has brought attackers continued success, which is likely why BEC and VEC have maintained their momentum.
In our latest Email Threat Report, we examined noteworthy trends and recent developments in the attack landscape, including the persistent sustained growth of business email compromise and vendor email compromise.
BEC Attack Frequency Doubles in 2023
Just as organizations utilize business intelligence to more effectively target customers, modern threat actors conduct extensive research to determine how best to execute business email compromise attacks. By leveraging information on LinkedIn, SEC disclosures, and even the target organization’s website, cybercriminals can create convincing emails that are more likely to trick employees—and at increasing volumes.
In 2023, BEC attacks skyrocketed, with monthly attacks per 1,000 mailboxes more than doubling to 10.77, a staggering 108% increase compared to 2022. The rate of these attacks peaked in October with a monthly average of 14.57 attacks per 1,000 mailboxes.
According to FBI IC3 data, the average cost of a successful business email compromise attack is more than $125,000. Thus, while BEC accounts for a smaller percentage of all email attacks, it can yield a massive ROI for cybercriminals. In fact, business email compromise stands as one of the most financially devastating cybercrimes, resulting in losses of $2.7 billion in the previous year alone.
Larger Organizations Have Highest Probability of BEC Attack
Perhaps unsurprisingly, the largest organizations face the greatest risks of BEC, as more employees means more potential targets. Organizations with 50,000 employees or more have a nearly 100% chance of experiencing at least one BEC attack every week—the highest probability of any organization size.
Although the largest enterprises recorded the highest weekly probability of receiving a BEC attack, the data shows that organizations of every size are all at considerable risk of business email compromise. Organizations with a minimum of 1,000 employees have anywhere from an 83% to 97% chance of being targeted by BEC each week.
Even the smallest organizations with fewer than 1,000 employees have a 70% weekly probability of experiencing at least one BEC attack per week. This is a testament to the fact that no organization is beyond the scope of a bad actor launching BEC attacks.
Vendor Email Compromise Jumps 50% Year-over-Year
A subset of BEC, vendor email compromise involves the impersonation of vendors to deceive targets into making payments for fake invoices, initiating fraudulent wire transfers, or updating banking details for future transactions. Given that vendor communications frequently revolve around payments, distinguishing these attacks from genuine emails can be extremely challenging.
In 2022, a quarter of Abnormal customers were the target of at least one vendor email compromise attack each month. In 2023, this value increased by 50%, with nearly 40% of Abnormal customers experiencing a monthly VEC attack.
The vendor-customer dynamic has an inherent financial element built into it, and invoices, billing accounts, and upcoming payments are often discussed via email. Consequently, malicious emails seemingly from vendors requesting payment for overdue invoices or changes to bank account information may not be immediately flagged as suspicious.
Attackers Target Construction and Retail Industries for VEC
Attackers clearly had their preferred targets for VEC in the second half of 2023. Organizations in the construction and engineering industry topped the list, with 76% of Abnormal customers in this vertical receiving at least one vendor email compromise attack. Not far behind were retailers and consumer goods manufacturers, 66% of which were targeted by VEC during July–December 2023.
Modern construction projects rely on a network of numerous digital systems dispersed across multiple job sites and offices—creating an expansive attack surface. Coordinating major projects involves the continuous sharing of sensitive data among many parties, providing ample opportunities for threat actors to hijack conversations.
Retailers and consumer goods manufacturers have complex and interconnected supply chains, where every vendor email account represents a potential access point for attackers. Additionally, operating these organizations typically involves a high volume of emails, offering attackers chances to blend in with legitimate communication.
Combatting the Persistent Threat of BEC and VEC Attacks
It’s clear that email threats are only going to grow in frequency and complexity—especially now that the proliferation of generative AI tools has made it easy for even novice cybercriminals to craft complex business email compromise and vendor email compromise attacks.
Because BEC and VEC attacks exploit trusted email accounts and relationships, organizations need an email security solution that can detect even small shifts in activity and content. Unlike secure email gateways (SEGs), modern platforms use AI-native detection engines to ingest, analyze, and cross-correlate behavioral signals to spot anomalies in email patterns that indicate a potential attack, and then remediate malicious emails in milliseconds to prevent end-user engagement.
For more insight into the current email threat landscape, download our H1 2024 Email Threat Report.