Proofpoint Study Shows Impact of Email Fraud on Businesses

Proofpoint has published the findings of a recent study investigating the impact of email fraud on businesses. The study reveals the extent to which businesses are affected by email fraud, the typical impact of email fraud on businesses, which individuals are targeted, and the steps that are being taken to reduce risk.

There has been an increase in email fraud in recent years, with last year seeing a further surge in attacks. The report reveals the percentage of companies targeted with at least one email fraud attack rose to 88.8% in Q4, 2017.

While many techniques are used in these attacks, one of the most common is to use the email account of an executive or business partner to start a conversation with an individual in the targeted company that leads to a request to make a wire transfer or to divulge sensitive information. The latter is especially common during tax season, when requests are made to send the W-2 Forms of employees who worked in the previous tax year. The personal details on the forms are then used to file fraudulent tax returns in the employees' names.

These attacks are often referred to as Business Email Compromise (BEC) scams, and they can be extremely effective. Last month, Italian Serie A football club Lazio was fooled by such a scam and transferred €2 million to the attackers' account. In 2017, a man from Lithuania was accused of stealing more than $100 million from Google and Facebook by spoofing a vendor in the supply chain.

The Proofpoint study was conducted on companies in the UK, USA, Australia, France, and Germany. France had the highest percentage of companies that had been attacked at least once, while the USA had the highest percentage of firms that had experienced multiple email fraud attempts. In the US, 84% of companies had experienced one or more email fraud attempts in the past 12 months.

The impact of email fraud on businesses can take some time to become clear, but in most cases, it is severe and results in considerable losses. Those losses are not just direct financial losses such as a wire transfer to the bank account of a scammer. Data loss can prove costly and staff are often terminated following an email fraud event.

However, the biggest losses often come from business disruption. 55.7% of survey respondents said business disruption was the most common effect of an email fraud event.

A third of attacks involved a wire transfer and around half involved data loss. In the US, 40% of cases resulted in responsible personnel being fired.

The most common departments targeted by email fraud across all countries were the finance team (55%), followed by accounts payable (43%), the C-Suite (37%), and the general workforce (33%).

The severity of the threat and the repercussions following an attack have made email fraud a major concern for boards and executive teams. 91% of surveyed U.S. firms considered email fraud to be a board-level issue.

Even though the impact of email fraud on businesses is often severe and email fraud attacks have soared in recent years, many firms have done little to deal with the threat. Survey-wide, less than half of companies had deployed technology to protect against email fraud.

The most common tactics used to deal with the threat were security awareness training (62%), email authentication (46%), and cyber insurance (23%). 62% of respondents said they do not have controls in place to stop wire transfer fraud, 56% said they have no user-access levels in place for systems used to process personal data, and 55% have not implemented end-to-end encryption for email.

The main problems that are preventing enhanced defenses against email fraud and the adoption of technologies, policies and procedures to reduce the impact of email fraud on businesses are:

  • A lack of technical understanding – 41%
  • Budget restrictions – 36%
  • The technical complexity of the email system – 32%
  • Lack of understanding of the issue – 32%
  • Lack of executive sponsorship for the project – 30%

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news