Business email compromise (BEC), a type of phishing attack targeting companies and their employees, is more than 20 times as effective as the average phishing email, according to a report by Barracuda.

Barracuda’s new report is called Spear Phishing: Top Threats and Trends Vol. 3 – Defending against business email compromise attacks. According to the report, the average financial loss due to spear phishing attacks per organisation in the past year was $270,000 (about €245,000). Spear phishing is a targeted attack on specific organisations, carried out in order to obtain crucial data. With ‘normal’ phishing attacks, targets are often chosen randomly.

The BEC tactic has caused more than $26 billion in losses over the past four years, even though the tactic represents only seven percent of all spear phishing attacks. With such attacks, criminals try to recreate the behaviour of companies to the best of their ability. They go to considerable lengths: for example, emails are sent only during office hours. They also address as few people as possible within one organisation at the same time, so as not to appear suspicious. Just over 90 percent of the BEC attacks take place on working days, and on average the attacks target a maximum of six people. In almost all cases (94.5%), no more than 25 people were addressed.

Urgent requests lead to problems

More than four-fifths of these emails consist of urgent requests, which are meant to tempt people into making hasty decisions. According to the report, these requests are often successful, and Barracuda states that the attacks have high click-through rates (CTR), on average as much as 10 percent. For BEC attacks where someone within the organisation is impersonated, the CTR even reaches up to 30 percent.

“Attackers continue to find new ways to make business email compromise attacks more convincing, ultimately making them more costly and damaging to businesses. Taking the proper precautions and staying informed about the tactics cybercriminals are using will help organisations defend themselves more effectively against these highly targeted attacks,” said Don MacLennan, SVP, Email Protection, Engineering and Product Management at Barracuda.