43% of small and medium-sized enterprises (SMEs) in the United Kingdom have experienced a business email compromise (BEC) or email impersonation attack in the past 12 months, according to a new study by data analytics firm CybSafe.
For the study, CybSafe surveyed 250 IT decision makers from SMEs in the United Kingdom and asked about the cybersecurity incidents they had experienced and the measures they have put in place to thwart attacks.
BEC attacks – in which a genuine email account that the attacker has already compromised is used to launch further attacks on the organization – and email impersonation attacks – in which an employee's email address is spoofed so that a message appears to come from that person – have a high success rate and pose a serious threat to businesses.
These attacks are hard for employees to identify as malicious because they exploit trust in the apparent sender. Most employees know to exercise caution when opening emails from unknown senders, but they often let their guard down when a message appears to come from a colleague, friend, family member, or other known individual.
Phishing is now the main way that cybercriminals gain access to the networks of SMEs. The attacks are easy to conduct, require little technical skill, involve little to no financial outlay, and can be very profitable. All it takes is for one employee to respond to a phishing email for an attacker to gain access to sensitive information and a foothold in the network.
Email security solutions can be implemented to protect against attacks, but some emails will invariably sneak past those defences. It is then up to employees to identify the emails as malicious.
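The two attack types described above leave different traces in a message's headers: a spoofed address from the organization's own domain tends to fail DMARC at the gateway, while a lookalike domain or a display name borrowed from a real colleague passes authentication but does not match the staff directory. The following script, added here as an illustration and not taken from the CybSafe report or from any product, shows the checks a mail filter or a triage analyst can run on a message that has reached the inbox. The domain `example.com`, the `STAFF` directory and the three sample messages are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not from the CybSafe report):
# the organisation's own mail domain and a small staff directory.
INTERNAL_DOMAIN = "example.com"
STAFF = {
    "alice lee": "alice.lee@example.com",   # plays the CEO in the samples below
    "bob owusu": "bob.owusu@example.com",   # plays the finance contact
}


def domain_of(address):
    """Return the lower-cased domain of an address, or '' if it has none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def skeleton(label):
    """Collapse common homoglyph tricks so 'exarnp1e' compares equal to 'example'."""
    s = label.lower()
    for old, new in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        s = s.replace(old, new)
    return re.sub(r"[^a-z]", "", s)


def is_lookalike(domain):
    """True if the domain is not ours but its first label imitates ours."""
    if not domain or domain == INTERNAL_DOMAIN:
        return False
    return skeleton(domain.split(".")[0]) == skeleton(INTERNAL_DOMAIN.split(".")[0])


def dmarc_result(msg):
    """Extract the dmarc verdict from an Authentication-Results header (RFC 8601), if any."""
    match = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""))
    return match.group(1).lower() if match else None


def impersonation_indicators(raw_message):
    """Return the reasons a message looks like an impersonation or spoofing attempt."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name_key = re.sub(r"\s+", " ", name).strip().lower()
    from_domain = domain_of(addr)
    reasons = []

    # 1. Display name of a known colleague, but the address is not theirs.
    if name_key in STAFF and addr.lower() != STAFF[name_key]:
        reasons.append(f"display name '{name}' is a known colleague but address is {addr}")

    # 2. Sender domain imitates ours (homoglyphs, digit swaps).
    if is_lookalike(from_domain):
        reasons.append(f"sender domain {from_domain} is a lookalike of {INTERNAL_DOMAIN}")

    # 3. Replies are routed somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")

    # 4. Claims our own domain but failed DMARC at the gateway: a spoofed header.
    if from_domain == INTERNAL_DOMAIN and dmarc_result(msg) == "fail":
        reasons.append("message claims our domain but Authentication-Results shows dmarc=fail")

    return reasons


# Constructed sample messages (not real traffic).
LEGITIMATE = """\
From: Alice Lee <alice.lee@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com
To: bob.owusu@example.com
Subject: Board pack

Bob, the board pack is in the shared folder.
"""

LOOKALIKE = """\
From: Alice Lee <alice.lee@exarnple.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=exarnple.com; dmarc=pass header.from=exarnple.com
To: bob.owusu@example.com
Subject: Quick favour

Bob, can you settle the attached invoice before close of business?
"""

SPOOFED_CEO = """\
From: Alice Lee <alice.lee@example.com>
Reply-To: Alice Lee <a.lee.ceo@mail-example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-example.net; dmarc=fail header.from=example.com
To: bob.owusu@example.com
Subject: Urgent wire transfer

Bob, please process the attached invoice today and reply to confirm.
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED_CEO)):
        print(label, impersonation_indicators(raw) or ["no indicators"])
```

None of these checks is conclusive on its own: a genuine colleague may legitimately set a personal Reply-To, and DMARC only helps for domains that publish a reject or quarantine policy. Their value is in combination, and in surfacing the result to the recipient as a warning banner so that the trust described above is not extended automatically to a message that merely looks internal.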
It is therefore important to ensure that the workforce is provided with security awareness training. All employees should be made aware of the risk of email-based attacks and should be taught how to identify phishing and other malicious emails.
However, the survey suggests that many UK businesses are neglecting this measure. Only 47% of the surveyed IT decision makers said they had implemented a cybersecurity training and awareness program, and among the companies that had, training was in many cases treated as a box to tick for compliance rather than something shown to reduce risk.
The findings of the survey are backed up by a study by insurance giant AIG, which reports that business email compromise attacks are now the main reason for cyber insurance claims in the EMEA (Europe, Middle East and Africa) region. 23% of cyber insurance claims are for business email compromise attacks and a further 8% are for impersonation fraud. Ransomware attacks accounted for 18% of claims, and other malware attacks for a further 6%.