'Opting to just delete the email without reporting it can be almost as damaging'
Despite the increase of business email compromise (BEC) attacks over the past year, a new report has found that a "frighteningly low" number of employees are reporting such encounters.
Abnormal Security revealed that there has been an 81% increase in the BEC attacks between the first and the second half of 2022.
To make matters worse, employees are opening nearly 28% of received attacks between July and December 2022, with an average of 15% of these emails responded to.
Of further concern? Only 2.1% of all known BEC attacks are reported to their employers, with a massive 98% left unreported.
"On top of frighteningly low reporting rates for attacks, the majority of messages reported to security teams aren't even malicious," the report said. "On average, 84% of employee reports to phishing mailboxes are either safe emails or graymail."
Lack of response
Why? Employees believe that someone else will handle it and they fear that they could be reporting emails that aren't malicious attacks.
Some employees also believe that as long as they don't engage with the attacker, they have fulfilled their obligation to the organisation, according to the report.
"But security professionals know that opting to just delete the email without reporting it can be almost as damaging since it eliminates the opportunity for the security team to warn other employees about the attack," the report said.
The findings come as company executives believe that that their next cybersecurity breach will likely because of an internal staff error, according to a survey by EisnerAmper's Outsourced IT Services.
What are BECs?
A business email compromise (BEC) attack is a type of cybercrime where the scammer uses email to "trick someone into sending money or divulging confidential company info," according to Microsoft.
However, unlike other forms of email attacks, BEC attacks are "typically text-based," said Abnormal Security. They don't contain malicious URLs or dangerous attachments.
"The same techniques that have been used for thousands of years to con people are the same tactics that are used today for email attacks. The only difference is that criminals are using a computer to do it," said Crane Hassold, director of threat intelligence at Abnormal Security, in a statement.
The average cost of a BEC attack in 2021 around $120,000, according to the company, while 35% of cybercrime losses stem from BEC.
In Singapore, a total of $70.8 million was lost from organisations there due to BEC scams between January and May 2022.
Investing further in email security could also help, according to Abnormal Security, which can ensure that BEC attacks never reach employees in the first place.
"While security awareness training will help reduce the risk of employees engaging with a threat actor, it's even better to minimize the number of attacks they receive in the first place," the report said. "Any time an employee has to assess whether an email is malicious is an opportunity for them to make a mistake — and for an attacker to capitalize."