10 Must-Know Email Attack Stats for Cybersecurity Awareness Month
With new cyber threats emerging almost daily, being proactive is crucial, as is keeping up to date on email attack trends. Staying informed helps make your organization less vulnerable to attacks that can have costly consequences.
This is why Cybersecurity Awareness Month is so important.
This year marks the 20th annual Cybersecurity Awareness Month. Established in 2004 by the National Cybersecurity Alliance and the Department of Homeland Security, the observance dedicates October to raising awareness about the importance of cybersecurity. And there’s plenty for organizations to be aware of.
Here are 10 email attack statistics to keep in mind this October.
Business Email Compromise Attacks Increased 55% Year-over-Year
By impersonating trusted sources, business email compromise (BEC) attacks deceive employees into completing fraudulent financial requests or sharing sensitive information with threat actors.
Between 2022 and 2023, the number of sophisticated BEC emails rose by 55%. This is especially concerning since BEC is already one of the most financially devastating threats to organizations. From 2013 to 2022, the FBI Internet Crime Complaint Center (IC3) identified $51 billion in exposed losses due to BEC.
Further, organizations with more than 5,000 mailboxes face a 90% chance of receiving at least one BEC attack each week.
74% of All Data Breaches Involve the Human Element
Threat actors are always looking for opportunities to exploit vulnerabilities in an organization’s security. Unfortunately, the weakest link in an enterprise’s cybersecurity chain is often employees, and, as a result, 74% of all breaches involve the human element.
Human error, privilege misconfigurations, and weak sign-in credentials all provide incursion points for attackers. Threat actors also leverage social engineering as part of their attacks, preying on the natural human tendency to obey authority to convince targets to engage with malicious emails.
15% of Employees Respond to BEC Attacks
From July to December 2022, text-based BEC attacks had a median open rate of nearly 28%. Even more concerning? Of the malicious emails that were read, an average of 15% received replies from employees.
Cybercriminals strive for engagement from their targets. These figures underscore how important it is for security teams not only to provide proactive and ongoing security awareness training but also to implement tools that prevent these emails from being delivered in the first place.
48% of Organizations Have Received One VEC Attack This Year
By co-opting the goodwill shared between organizations and their vendors, cybercriminals can use spoofed email accounts (or legitimate compromised email accounts) to deceive contacts into paying bogus invoices or updating payment details. These attacks, known as vendor email compromise or VEC, can be especially expensive.
The average VEC attack transfer request is usually less than $150,000. However, some attacks can request significant sums—like a $36 million VEC attack detected and stopped by Abnormal.
Between January and June of 2023, nearly half of all organizations received at least one VEC attack. Advertising and marketing agencies are particularly susceptible to VEC attacks, with 77% being targeted by a VEC attack in this same period.
AI-Powered Phishing Attacks Have Increased by 47%
Generative AI has sparked new concerns regarding cybersecurity. Grammatical errors, misspellings, and inappropriate tone have long been telltale signs of cyber scams. However, the wide availability of generative AI tools (including ChatGPT and its more nefarious cousins, WormGPT and FraudGPT) is helping the bad guys produce more convincing emails. This makes for more devastating social engineering and phishing attacks.
Cybercriminals seem to be early adopters of generative AI, with a 47% surge in phishing attacks leveraging AI in the last year. Additionally, a whopping 91% of cybersecurity professionals report experiencing AI-powered cyberattacks.
Adapting for Today, Tomorrow, and Beyond
It’s been 20 years since the inaugural Cybersecurity Awareness Month, and in that time, organizations have made significant strides to improve training and upgrade defenses. But that doesn’t mean the bad guys haven’t evolved too.
With BEC and VEC attacks on the rise and the opportunity for threat actors to improve the quality of their social engineering tactics with generative AI, it is vital that organizations prioritize more robust forms of education and cybersecurity technology. Examples include training to identify potential AI-generated messages, to review best practices regarding sensitive information, and to explore what steps to take before initiating a financial transfer.
Of course, it’s better to stop malicious emails before they reach employees in the first place. That’s where Abnormal comes in. Abnormal’s behavioral AI-based security platform stops sophisticated inbound email attacks and dangerous email platform attacks that evade traditional solutions. This includes BEC, VEC, malware, and even phishing and social engineering emails written by generative AI.
For valuable information and tools that can help you maximize the impact of Cybersecurity Awareness Month in your organization, download our resource kit.
And to see how you can take your email security to the next level and keep your end users safe all year long, schedule a demo of Abnormal.