Getty Images/iStockphoto

Secureworks IR team saw BEC attacks double in 2022

Vendor and incident response firm Secureworks referred to business email compromise, or BEC attacks, as 'the largest monetary threat to organizations.'

Security vendor Secureworks responded to more than twice the number of business email compromise attacks in 2022 over 2021, according to a report published Thursday.

The vendor's report, "Learning from Incident Response: 2022 Year in Review," compiled trends and insights observed in its incident response (IR) investigations over the past year. Secureworks said the data is based on more than 500 incidents that its Counter Threat Unit engaged with.

Business email compromise (BEC) attacks more than doubled from 2021 to 2022, Secureworks said, referring to it in the report as "the largest monetary threat to organizations." Because BEC payouts are increasing while the attacks themselves remain low complexity, the attack type has become increasingly attractive to threat groups with "little to no technical capabilities," according to the report.

Phishing was overwhelmingly the most common attack vector, used in 85% of Secureworks' observed BEC incidents last year.

"In most cases, the threat actors sent phishing emails to thousands of recipients that sometimes spanned multiple organizations," the report read.

Additionally, Secureworks in 2022 observed BEC actors using various techniques to bypass multifactor authentication against victims, including MFA fatigue tactics.

"BEC actors have successfully bypassed MFA by sending authentication requests that the victim approves without verifying," the report read. "In MFA fatigue attacks, which may be increasing in popularity, a threat actor repeatedly attempts to log in to the same account using stolen credentials. This behavior sends multiple MFA push requests to the account owner's mobile device, and the influx can lead to the account owner approving the authentication request."

Secureworks recommended organizations use phishing-resistant MFA, such as physical security tokens.

The report noted that according to the FBI's Internet Crime Complaint Center (IC3), global losses from BEC attacks increased 65% between July 2019 and December 2021. In its 2022 report released last week, IC3 said it received 21,832 BEC complaints last year with adjusted losses over $2.7 billion, up from $2.4 billion the previous year.

These are the most common initial access vectors observed by Secureworks in its 2022 incident response engagements.
Phishing and internet-facing vulnerabilities were the most common initial access vectors observed by Secureworks in its 2022 incident response engagements.

Ransomware incidents down

Alongside the BEC spike, Secureworks participated in 57% fewer IR engagements involving ransomware -- a figure that complements a supposed decline in ransomware other vendors observed last year.

The report offered multiple reasons for the drop, such as an increase in attention from governments and law enforcement agencies on ransomware actors, threat groups possibly targeting smaller organizations that wouldn't engage an IR firm, and defenders getting better at stopping attacks.

Asked whether the rise in BEC attacks and the ransomware drop were related, Mike McLellan, director of intelligence for the Secureworks Counter Threat Unit, told TechTarget Editorial he didn't necessarily think that was the case. Both, he said, "continue to pose a major threat to organizations globally."

"For a long time now BEC has flown under the radar when compared to headline-grabbing ransomware attacks, but it continues to have a huge financial impact -- $10.2 billion, according to data recently released by the FBI," he said. "Perhaps the increased number of BEC incidents we're seeing reflects organizations realizing these are serious incidents that need investigating to improve their security controls going forward."

McLellan also said he didn't think ransomware was going away anytime soon. But he felt established ransomware gangs have learned that attacking critical infrastructure or major enterprises is "bad for business."

"I think ransomware groups now prefer to exploit their opportunistic access to smaller organizations, who perhaps don't have the resources to bring in third party incident response to assist them," he said. "It remains to be seen whether the big brand attacks seen so far this year -- Royal Mail in the U.K., U.S. Marshals -- represent a shift in that approach or instead reflect that expanded ransomware-as-a-service operations are bound to have one or two rogue affiliates who are less circumspect about going after big brands."

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Dig Deeper on Data security and privacy