Business email compromise overtakes ransomware as top cyber threat

Almost a quarter of AIG’s cyber claims in 2018 were BEC related

9 September 2019

According to a new report from AIG, business email compromise (BEC) is now the main driver of cyber-insurance claims in the EMEA region. After BEC, ransomware was the second biggest offender in 2018, followed by data breach by hackers and data breach by employee negligence tied in third place.

The insurance giant analysed over 1,100 of its EMEA claims from the years 2012 to 2018 for the report. Almost a quarter (23%) of its 2018 cyber claims were BEC related; a significant jump from 11% in 2017.

BEC is “a crime of deception, misdirection and impersonation,” said Dermot Williams, managing director, Threatscape, speaking to “In many cases the fraudulent email originates from outside the targeted organisation, and their internal systems are never actually breached”.

In most cases, BEC can be traced back to a phishing email containing a link or attachment. Engaging with the email’s content may give an intruder access into the user’s inbox. The perpetrator can then send and receive emails from the victim’s email address. The attack is often exacerbated by malware that spreads the scam to contacts in the recipient’s inbox.

Simple, but effective

BEC is relatively simple, but effective. Attackers often target individuals that are responsible for sending payments. Others harvest data straight from the victim’s inbox.

“An email claiming to come from a superior, instructing you to make a funds transfer, is designed to manipulate you into acting against the interests of the business, and is sent by the attacker in the hope that the business does not have procedures to prevent such an email being acted on,” said Williams.

Speaking to, Pat Larkin, CEO, Ward Solutions, said: “For BEC to be really effective it typically needs a high degree of reconnaissance and targeting against a particular organisation on the part of the attacker.”  

Due to the high number of claims, BEC has entered the report under a new category this year. Larkin said that this reflects three things. Firstly, it tells us that “BEC is one of the most consistent and effective forms of attacks against business users.” Secondly, it yields considerable financial returns that are “in our experience typically a larger return-per-attack than other categories, such as ransomware.” Thirdly, the “greater adoption of cyber-insurance by organisations has inevitably resulted in greater volumes of claims, and thus greater capture of data as to the types of attacks that organisations are experiencing based on these claims.”

While most are familiar with the pitfalls and perils of BEC, the number of incidents occurring each year is growing. Since September 2016, the US Treasury Department’s Financial Crimes Enforcement Network documented 32,000 cases of attempted theft via BEC attacks, to a total value of almost $9 billion (€8 billion). The number of BEC cases reported each month rose from 500 in 2016, to over 1,100 in 2018.

Tightening practices

Organisations have tightened security practices in response to cyber-attacks. Yet the impact of human error should not be underestimated. The report found that in 2018, claims due to employee negligence rose from 7% to 14%, year-on-year. Staff sending emails to the wrong recipient or losing devices linked to their work email are a significant driver of cyber claims.

How can businesses protect against BEC? “Organisations need to continue to invest heavily in ‘human firewalls’ – i.e. effective end user security awareness and training, a rigorous set of controls around validation, set up and change of payments and payees’ details,” said Larkin.

Organisations should also “consider simple quick wins around technical controls such as implementation of effective multi-factor authentication, along with stronger email controls such as implementation of DMARC, effective email content security etc.”

Williams concedes that there are some technological measures a business can take for protection. But these only reduce “the risk that staff might fall prey to this form of social engineering attack.”

“Mail servers should be configured to block emails coming from outside an organisation which claim to have originated from within, and adding a warning banner to all incoming external emails to highlight that they originated from an external and potentially untrusted source makes it easier for people to spot outsiders trying to pretend to be insiders.”
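As an added illustration (not code from the article, Threatscape or AIG), a minimal inbound-mail policy that implements the two controls Williams describes: reject a message accepted from outside the organisation whose From: header claims an internal domain, and prefix a warning banner to genuine external mail. It assumes the mail gateway already knows whether a message arrived over an untrusted external connection, and that example.com is the organisation's own domain.

```python
# Added example: simplified inbound-mail policy for the two controls described
# above. Assumptions: the gateway passes a from_external flag, and the
# organisation's own domain(s) are listed in INTERNAL_DOMAINS.
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own domain
BANNER = ("[EXTERNAL] This message originated outside the organisation. "
          "Verify any payment or payee change by a trusted channel.\n\n")


def sender_domain(msg) -> str:
    """Return the lower-cased domain of the From: header ('' if unparsable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def apply_inbound_policy(raw: bytes, from_external: bool):
    """Decide what to do with one inbound message.

    from_external is True when the gateway accepted the message from an
    untrusted (internet) connection rather than an authenticated internal MTA.
    Returns (action, body): action is "reject" or "deliver"; body is the text
    the user would see, None when rejected.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if from_external and sender_domain(msg) in INTERNAL_DOMAINS:
        # An outsider claiming an insider's address: block, do not deliver.
        return "reject", None
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    if from_external:
        body = BANNER + body  # genuine external mail is delivered, but tagged
    return "deliver", body


# Constructed sample messages (not real traffic).
SPOOFED_INTERNAL = (b"From: CEO <ceo@example.com>\nTo: finance@example.com\n"
                    b"Subject: Urgent transfer\n\n"
                    b"Please process the attached transfer today.\n")
GENUINE_EXTERNAL = (b"From: Billing <billing@supplier.test>\n"
                    b"To: finance@example.com\nSubject: Invoice\n\n"
                    b"Invoice attached.\n")

if __name__ == "__main__":
    print(apply_inbound_policy(SPOOFED_INTERNAL, from_external=True)[0])  # reject
    print(apply_inbound_policy(GENUINE_EXTERNAL, from_external=True)[1])
```

The same spoofed message is delivered unchanged when it arrives from an internal, authenticated MTA, which is why the external-connection flag, not the From: header alone, must drive the decision.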

Improving staff awareness of protocol when dealing with suspicious emails can make an organisation less susceptible to attacks. Williams said top personnel should make it clear to “subordinates that they will never, ever request people to send money anywhere based on an email (or text message) alone. They must tell staff that they are not only empowered to say no to such a request – they are absolutely expected to.”

AI assisted

“If you think BEC is bad, just wait until you see what is coming next – AI being used to make phone calls that sound just like they are coming from your boss — with his or her voice speaking to you and instructing you to make a payment… that’s already happening and someone just lost £200,000 to such a fraud.”

“If your business policies allow an email message alone to action the transfer of funds outside the business – you are asking for trouble. Email can be faked. Email systems can be compromised. Verification by independent channels is essential. Even something as simple as a phone call greatly reduces the risk of being defrauded.” Williams said that a phone call to a number provided does not count, it must be a trusted number, preferably one that was pre-verified.

Williams said: “The fallibility of people is taken advantage of, not any cyber vulnerability. [BEC] is not cyber crime, but fraud, plain and simple. If you don’t believe me – try claiming for BEC on a cyber insurance policy; you will quickly and politely be told to contact your fraud insurer instead.”

The AIG report warns that companies should double-check insurance policies, and review what they cover and what they exclude. BEC may not be included under cyber-insurance, but may be covered under generic crime insurance. As such, people are buying coverage to protect against a wider range of losses than ever before.

Incidence upswing

AIG dealt with more cyber-insurance claims in 2018 than the previous two years combined. Larkin said that this is likely due to organisations implementing mitigation strategies in response to identified risk, as well as supply chain requirements: “government and other procurement organisations are increasingly mandating that suppliers in their supply chain have cyber-insurance.”

“It’s important to stress that the cyber attacker and the types of attacks against organisations are constantly shifting and evolving as organisations and the industry deploy better and more sophisticated controls against a particular set of attacks based on intelligence and knowledge,” said Larkin.

BEC overtook ransomware as the top cause of cyber claims last year. Ransomware, at 18% of claims, remained a major offender. In 2017, when ransomware was the leading breach type, it was responsible for 26% of claims.

“Ransomware is often easier for the attacker to industrialise, albeit with lower return per attack but higher volumes of attack [than BEC],” said Larkin. “Threat intelligence data from our own SOC and our partners – Q1, Q2 2019 has shown a resurgence in the amount, volume and evolution of ransomware attacks – whether they are effective only time and data will tell.”

Industry breakdown

The AIG report presented an industry breakdown of those leaning into cyber-insurance the most. Financial services firms have long been the hardest hit by cyber attacks, but last year, the professional services sector fared worse. Year-on-year, the number of claims stemming from professional services, including legal and accountancy firms, increased from 18% to 22%.

The financial services sector was responsible for 15% of the claims in 2018, down from 18% the previous year. These figures do not tell the whole story however, as AIG said the total claim notifications from financial services customers nearly doubled between 2017 and 2018. Clearly the sector is still highly targeted despite its sophisticated approach to cyber risk.

The data shows that a vast array of sectors, including retail, manufacturing, and healthcare industries fell victim to attacks last year; no industry is immune to attacks.

However, not all firms are taking the necessary precautions. Last year, AIG found that just 55% of Fortune 500 companies have cyber-security insurance. For small to medium businesses, this figure is even lower, at just 35%. Those businesses are often the most vulnerable: when smaller businesses experience major data breaches, 60% fold within six months.

Long-term, AIG expects that the frequency and severity of attacks across all industries will only continue to grow.

Ultimately, Larkin said that the report’s findings reflect “what Ward sees in the Irish cyber-security marketplace, and probably what most business users see in their inbox daily.”

Julia O’Reilly
