Threat Report: BEC and VEC Attacks Continue to Surge, Outpacing Legacy Solutions

While the way we work has evolved throughout the digital age, two constants remain: email is still the primary hub for professional communication, and employees are the weakest link in your cybersecurity chain. This combination creates a convenient opportunity for enterprising threat actors willing to put in extra time for a big payday. Unfortunately, our research shows more cybercriminals are deeming the effort worthwhile.

According to our H2 2024 Email Threat Report, business email compromise (BEC) attacks grew by more than 50% between H2 2023 and H1 2024, and an average of 41% of customers were targeted by VEC attacks every week between January and June 2024.

Keep reading for more insights from our latest report on the email threat landscape.

Business email compromise (BEC) attacks aren’t the easiest cybercrime to commit. Instead of casting a wide net and hoping to catch a few off-guard recipients, threat actors focus their time and energy on deceiving a single, high-value target—such as an employee with access to financial operations and other critical data. But, while these attacks are time-intensive and require meticulous research, they only have to work once for cybercriminals to rake in a hefty reward or gain access to sensitive data.

By learning as much as possible about their targets through public resources like LinkedIn and leveraging a compromised email account or lookalike domain, BEC attackers can effectively impersonate someone their victim knows—like a colleague or manager—and trick them into taking action. And with generative AI tools at their disposal, it’s easy for threat actors to craft credible-sounding messages that reflect the style and tone of the individual they’re mimicking.

Additionally, the fact that they’re a low-volume threat works in attackers’ favor since they don’t create any spikes in activity that might otherwise tip off email monitoring. Plus, they rarely include malicious links, attachments, or other signs that traditional security tools are programmed to detect.

Given how easily BEC attacks fool security solutions and security-aware employees, it’s no surprise they’re becoming a favorite strategy among cybercriminals. Since the FBI Internet Crime Complaint Center (IC3) began tracking BEC in 2015, attacks have surged by more than 1000% and caused total losses of more than $14.3 billion. In 2023, organizations forked out more than $137,000 per incident.

And while BEC attacks on global enterprises might make the news, smaller organizations’ limited cybersecurity budgets make them a prime target for threat actors too. Between H2 2023 and H1 2024, BEC attacks on smaller organizations jumped by nearly 60%, from 5.6 attacks per 1,000 mailboxes to 8.8.

In other words, no organization is immune to this rapidly growing threat.

Like BEC attacks, vendor email compromise (VEC) is a high-effort yet high-reward strategy that leverages social engineering tactics to exploit employees’ trust. Instead of impersonating an internal employee, however, VEC threat actors pose as service providers, suppliers, distributors, or other vendors and convince targets to pay phony invoices or change banking details in their accounting system.

Although this type of threat only makes up a small fraction of advanced attacks, it’s becoming increasingly common. Because every company an organization works with creates another possible entry point, there are numerous potential vulnerabilities for cybercriminals to exploit. So, even if an organization takes every possible precaution, it may still fall victim to a vendor’s negligence.

All it takes is for an attacker to gain access to one account in an organization’s vendor ecosystem, and they can easily deceive targets into taking action. And, because these emails come from legitimate accounts, they can easily evade legacy email security solutions. In some cases, attackers have even hijacked existing threads, making it almost impossible for an employee to recognize the email as a threat.

Although all organizations are at risk, our research found nearly 70% of retail and consumer goods manufacturers experienced at least one VEC attack in the first half of 2024, along with more than 68% of construction and engineering firms. Both industries manage a high volume of email and complex networks of vendors and supply chains, which means cybercriminals have plenty of opportunities to stealthily commandeer communications without ringing alarm bells.

Because they require careful research and technical knowledge, BEC and VEC attacks still occur less frequently than other advanced attacks. That said, they can also be among the most destructive. Additionally, as the use of generative AI grows and more malicious generative AI tools enter the market, we’ll likely see even more cybercriminals leveraging BEC and VEC to slip past security and wreak havoc on organizations of all sizes and sectors.

These attacks are virtually undetectable to the average employee and consistently undermine legacy security tools, making it essential to adopt a more advanced email security platform. Modern solutions using AI-native detection can pick up on anomalies that secure email gateways (SEGs) miss, preventing them from reaching end users or giving them time to engage.

For more insight into the state of BEC and VEC attacks and the current email threat landscape, download our H2 2024 Email Threat Report.