Digital Guardian's Blog

Phishing, BEC Scams Netting $80,000 On Average in 2020

by Chris Brook on Tuesday September 1, 2020

A recap of recent phishing activity trends found a decrease in detected phishing sites but a big increase in Business Email Compromise attack losses, around $80 million per attack.

While the number of phishing sites is reportedly going down in the pandemic, losses associated with sophisticated attacks like Business Email Compromise (BEC) scams continue to rise.

According to the Anti-Phishing Working Group, a nonprofit group that works to analyze phishing activity trends, there was a noticeable uptick in the average cost of a wire transfer via a BEC attack, from $54,000 in the first quarter of 2020 to $80,183 in the second quarter.

The higher demands run counter to the smaller number of phishing websites uncovered by APWG's contributing members: 46,036 websites in June, compared to 48,951 in April and 52,007 in May. In fact, June was the month in which the fewest phishing sites were found by APWG members.

The numbers come from the group’s Q2 report (.PDF), which summarizes activity from April to June and was published last week.

BEC attacks can take a couple of different forms but essentially involve an attacker tricking an executive into making a financial transaction or sending along sensitive data.

Agari, one of the companies that helps feed the APWG statistics on phishing trends, said it saw BEC attackers request an average of $1,213 in gift cards during Q2 of 2020, adding that attackers usually request funds in the form of gift cards in 66 percent of BEC attacks; 16 percent are payroll diversions, 18 percent are direct bank transfers.

The numbers around gift cards make sense, especially when you consider that $1,200 is not an earth-shattering amount. The attacks are not as profitable as, say, a wire transfer but have a “decent chance of success, because they can be approved by multiple people in a medium-to-large company, and the amount is small enough to slip by some companies’ financial controls,” the report points out.

As noted before, attacks involving wire transfers did jump though, from $54K to $80K, likely taking advantage of the fact that many executives are working from home now, something that could cause them to either not read an email fully or be easily distracted and follow through with an attacker’s demands.

The report also recaps which websites are the most targeted - SaaS and webmail sites accounted for 35% of all attacks but social media attacks also saw an increase (20 percent over Q1) due to attacks against Facebook and WhatsApp.

Other findings by the report include an increase over time in phishing sites protected by HTTPS, something that makes links to sites look legitimate. One of the companies cited in the report, PhishLabs, found that 77.6% of phishing sites in Q2 of 2020 used SSL/TLS certificates.

Tags: Phishing

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.