Business Email Compromise Attacks Increased by 269% in Q2, 2019

Figures from Mimecast show there has been a sharp rise in business email compromise (BEC) attacks in Q2, 2019. Compared to Q1, 2019, BEC attacks increased by 269% in Q2.

Business email compromise attacks involve the use of a compromised business email account to conduct attacks on employees within the organization or their customers. The latter are now much more common than CEO fraud attacks, which involve impersonating the CEO and using his/her account to obtain sensitive information such as employees’ tax information, to send fraudulent wire transfer requests, or to make changes to the payroll to have direct deposits redirected to attacker-controlled accounts.

There has been a sharp increase in attacks on vendors, whose accounts are not used internally but on customers. These attacks typically involve sending fake invoices. Customers are researched and information in the compromised email accounts are used to find out when to send invoices and the correct amount to request.

The attacks start with a spear phishing email. When the target responds and clicks the hyperlink in the email, they are directed to a malicious webpage where they are required to enter their email credentials. The credential are captured by the attackers but the sophistication of the phishing emails means it is unlikely that they will be identified as a scam.

The Mimecast’s Email Security Risk Assessment (ESRA) also shows a significant increase spam emails – 28,783,892 spam emails were identified in Q2 – and emails containing malicious attachments -28,808 – and dangerous file types – 28,726.

The findings of the ESRA report echo those of its 2019 State of Email Security Report which revealed 85% of the 1,025 respondents to the survey had experienced an email impersonation (BEC) attack in 2018. 71% of those respondents said the attacks had had a direct impact on the business such as causing financial losses or loss of customers.

One of the take home messages from the report is the lack of protection offered by default Office 365 anti-spam and anti-phishing protections.  While they are better than no protection at all, large numbers of spam and malicious messages are not blocked and pass directly to end users. All businesses that use Office 365 and do not use a third-party anti-spam solution on top of Office 365 are likely to see many malicious messages delivered.

Out of the 109,284,844 emails inspected by Microsoft Office 365 in Q2, 2019, 17,754,506 spam emails, 20,691 dangerous file types, 13,381 malware attachments, and 34,665 impersonation attacks were not identified and were delivered to inboxes.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of