The renaissance of business email compromise?

Reporting of business email compromise and phishing was way up in 2022. Why? How? And what does it mean?
17 April 2023

Does a rise in reporting signal a triumphant comeback for an old form of cyberattack?


In this day of super-duper slick cybersecurity, it comes as something of a shock to discover that in 2022, successful business email compromise attacks doubled in frequency.

That’s the lead finding of research into cyberthreats to business across 2022 by the Secureworks Counter Threat Unit. And while business email compromise and phishing surged, ransomware attacks actually fell by 57% around the world.

The whole thing sounded fishy to us, so we sat down with Mike McLellan, Director of Intelligence at Secureworks, to find out exactly what gives with the recent cyber-threat landscape. Does it really indicate a renaissance for business email compromise? Or is there a more subtle truth behind the data?

An increase of compromise?

THQ:

Business email compromise has been around for decades – how come it’s still thriving in the 2020s? How come its use is actually doubling?

MMcL:

It goes back at least a decade, yes. Variations of it existed before then, but there’s clearly been an increase over the years. In 2022, it cost businesses around $2.7 billion, according to the FBI.

So, there is a lot of it happening. And that’s just the attacks the FBI hears about.

In terms of why we’re seeing more incidents, the numbers are probably largely because organizations’ response plans are more mature. They are prepared for these incidents now, and they are actually investigating them and trying to figure out how they happened. I think awareness of it as a threat has also increased, which is good from our perspective, because it means more organizations are trying to deal with it.

So I think what we’re seeing is a natural reaction to many years when it was underreported and underappreciated. I think that’s starting to change. And that’s why we’re seeing more and more incident response engagements that involve it.

Even though it doesn’t grab the headlines like ransomware does, business email compromise is still a very, very significant threat. And some organizations don’t take it seriously. We’re not seeing business email compromise displace ransomware as a threat. It’s not a replacement for a potentially declining number of ransom engagements – the two are unrelated.

But we are seeing more and more organizations decide to invoke incident response to try and deal with it as a problem. That’s probably the main reason why we’re seeing more of it. And we’ll see if it’s a trend that continues this year.

A false renaissance?

THQ:

So despite the doubling of reporting, we don’t think business email compromise is suddenly catching the imagination of cybercriminals and they’re all surging to it? It’s just that more companies are going, “Oh, this thing? Yes, we really should have a look at this.”

MMcL:

I think so. I mean, there potentially are more people involved in it, because they’re seeing how lucrative it is. But it’s not like we’ve suddenly seen this appear out of nowhere as something that criminals are doing. As we mentioned, they’ve been doing it for a long time. They probably have got more sophisticated at it and more efficient, and can therefore conduct more attacks. But mostly, I think it’s because we’re seeing better reporting of it, better appreciation of the threat, and more mature response plans.

THQ:

Not so much a renaissance of business email compromise then, as a growing up of security responses.

There’s also been a rise in the number of phishing cases in 2022, hasn’t there? It’s a strange time, because on the one hand, phishing should be extinct by now, but it’s gone a little up-market with social engineering elements and so on. Is that what’s behind the rise in reported cases?

Phishers of men?

MMcL:

With phishing, it’s not just a case of people being more aware of it. In our data, the increase in phishing as the initial access point for attacks this year has been driven in large part by the increase in BEC (business email compromise) incidents, because most BEC cases now happen through phishing as the initial channel of access. That’s probably skewed our data a bit, but your point is very valid – we’ve seen some really sophisticated phishing kits this year, there’s clearly been innovation on the part of criminals about how they conduct social engineering, how they phish people.

It’s amazing, the patterns that collated data can reveal. It looks as though, as more organizations are implementing MFA (multi-factor authentication), we’re seeing more and more sophisticated attacks that aim to bypass that control. So, for instance, last year phishing was very much second place to exploitation of vulnerabilities as an initial access vector. This year, it’s joint first place in our data.

There may be a little bias there because of the rise in the BEC numbers, but phishing and vulnerability exploitation are still by far the most common things that we see. So, along with multi-factor authentication, they’re the two things we regularly recommend patching to mitigate.

The upside of increased threat.

THQ:

Ahh, the never-ending arms race. The more you apply multi-factor authentication, the more they try and get around the measures in place.

MMcL:

Exactly. And I think the increase in attacks aimed at getting around MFA is a good thing, in a sense.

THQ:

You’re… going to have to walk us through that one.

MMcL:

Well, the message for a long time has been “Do something. Do some kind of second factor authentication.” That message has clearly started to land, and as a result, we’ve seen criminals have to adapt. So from our perspective, that’s a good thing. We’ve imposed a little bit of cost on the criminals, we’ve forced a change in behavior.

Now, we’re seeing attacks that target the most basic forms of MFA, the ones where you just have to click accept or deny, whereas the recommendation these days is to use something where you actually have to input a number, so you have to be in front of the device that’s being used authenticated. So in that game of cat and mouse, more organizations are protecting themselves against credential-based attacks.

That means criminals are having to innovate and adapt. That is very much a good thing. And now we’re in a position where, by making small incremental improvements, like changing the type of MFA, rather than having to roll it out, which was the big thing, the big challenge, we can really start to make it much harder for criminals to conduct attacks that rely on stolen credentials. So yeah, it’s really good. It’s a good trend to see that we’re forcing threat actors to adapt to something that organizations are doing.

It’s somewhat rare that we see that, so it’s good, definitely.

 

In Part 2 of this article, we’ll delve into other new data about attacks and defenses from the latest Secureworks report. What else could there possibly be to know?…