There is little doubt that business email compromise and other advanced email threats are causing significant damage–both financial and reputational—to organizations worldwide. Because these never-before-seen attacks contain few indicators of compromise, they evade secure email gateways and other traditional email infrastructure, landing in inboxes where unsuspecting employees fall victim to their schemes.
Cybercriminals steal billions each year. In fact, the FBI reported that $4.2 billion was lost last year alone—increasing the five-year total to $13.3 billion. It appears that not much will change in 2021.
In new research published today, Abnormal discovered a significant increase in both credential phishing and brute force attacks—both of which are attempts to gain access to email accounts. Once accessed, those accounts can be leveraged to send additional attacks on coworkers, partners, and vendors, and provide the credentials necessary to infiltrate other parts of the organization.
In a typical week, we observe brute force attacks targeting about 10% of companies. However, starting in May and ending in mid-June, the percentage of attacks increased by 160% to the highest-ever recorded weekly average of 26%. This means that a quarter of all companies were being targeted by brute force attacks on a weekly basis as cybercriminals attempted to take over their email accounts.
Perhaps most interestingly, during the peak of activity in the week of June 6, 2021, the rate of those attacks rose 671% over the previous weekly average as threat actors targeted 32.5% of all organizations with brute force attacks.
But that isn’t all. Over the course of the second quarter, we also saw an increase in credential phishing, moving from 66% of advanced attacks in Q4 2020 to over 73% of attacks in Q2 2021. While we can’t be certain, this is likely due to the fact that once criminals have access to an internal email account, they can use that account to launch more dangerous and more targeted emails.
Credential phishing may have increased in large part due to the prevalence of vendor email compromise—which rose for the fourth consecutive quarter. In order to commit vendor email compromise, threat actors must first gain access to a vendor account. From there, they can hijack existing conversations to send fraudulent invoices or update bank details.
When it comes to company size, vendor email compromise tends to target larger organizations, with those over 20,000 employees having the highest probability of receiving a VEC attack. Organizations under 5,000 employees experience VEC attacks only once every five weeks, but that number shoots up to nearly every other week for organizations over 20,000 employees. This could be because these larger organizations have more vendors and thus more opportunities for compromise.
And let’s not forget the main event—business email compromise. This attack type grew by an additional 22% over the last half. After a relatively slow start to the year with a median of only .2 campaigns per 1,000 mailboxes, we saw a significant rise in attacks as threat actors came back from their winter holiday. It picked up in the spring, before spiking in mid-June, doubling in attack numbers and hitting its peak of .41 campaigns.
The success of BEC has much to do with the impersonation of known individuals—typically a trusted executive, colleague, or vendor. In fact, not much has changed over the past three quarters when it comes to employee and VIP impersonation, as cybercriminals continue to take advantage of unsuspecting employees.
That said, we’ve seen a significant decrease in the number of attacks that are impersonating random individuals, as those attacks dropped from 45% to 34% of all BEC attacks over the past two quarters. Where we did see the biggest increase is in impersonation of official brands and internal automated systems.
There was a 46% increase in spoofs of automated systems, with emails typically coming from aliases like IT Support or IT Help Desk. These generic emails encourage people to download additional software, click on a link, or enter information into an external website. Each method creates an opportunity for cybercriminals to gain access to internal accounts or organizational systems, from which they can launch further attacks.
All of the data points to continued increases in all types of advanced attacks—particularly those that can’t be detected by traditional security infrastructure. Because they typically lack traditional indicators of compromise, these attacks are difficult to detect and even harder to prevent. Once they reach inboxes, the last line of defense is your employees, who are prone to error when confronted with a socially-engineered email designed to take advantage of their emotions. And when attackers gain access to full email accounts through brute force attacks, they have the keys to the entire cloud kingdom in their hands.
While we anticipate that these attacks will continue to increase, both in volume and in repercussions, they can be stopped. With the right solution—one focused on understanding the normal to prevent the abnormal—you can ensure that your employees, and your entire organization, are protected from the most dangerous email threats.
Abnormal is the email security company that stands for trust.
© 2021 Abnormal Security Corporation.
All rights reserved.