Business email compromise (BEC) threats are on the rise and now account for over half of all phishing attempts, with manufacturers particularly badly hit, according to Vipre Security Group.
The security vendor used proprietary intelligence to compile its Email Threat Trends Report: Q3 2024, published this morning.
It revealed that around 12% of the 1.8 billion emails that Vipre processed globally in the period were classified as malicious, with BEC accounting for 58% of phishing attempts.
In fact, BEC is often described as “pretexting” – a more complex form of phishing in which the threat actor crafts an elaborate back story to gain the victim’s trust.
Verizon claimed in its most recent Data Breach Investigations Report (DBIR) that it accounted for the majority of pretexting incidents last year, with pretexting present in 24% of financially motivated breaches.
Read more on BEC: Manufacturing Firm Loses $60m in BEC Scam
Vipre said that 89% of the BEC attacks it stopped involved impersonation of authority figures, which is unsurprising as this is a standard feature of such threats. However, it also highlighted a growing threat to manufacturers.
Some 10% of emails it processed in the sector were BEC, up from just 2% in Q1 2024. In total, over a quarter (27%) of emails were malicious in the manufacturing sector, the highest share of any vertical including second and third-placed energy (23%) and retail (10%).
“Manufacturing firms are often targeted for financial gain through social engineering campaigns that redirect vendor payments to fraudulent accounts. They can also serve as a pivot for downstream attacks, where unauthorized email access is used to phish other clients, such as by sending fake document requests to vendors in order to steal credentials,” the report noted.
“These attacks may be increasing because the industry relies heavily on mobile sign-ins at worksites, making employees more likely to fall for phishing attempts while ‘on the go’ and anxious to meet manufacturing deadlines.”
Interestingly, 36% of the BEC samples in Q3 were crafted by generative AI, according to Vipre.
The report also highlighted the persistent popularity among threat actors for URL redirects and malicious attachments, as a means to evades security controls and trick users.
Malicious attachments accounted for 64% of emails in the quarter, while only 36% employed a link.