Your Email Account is the Primary Gateway for Cyber Attackers

Many small and midsize businesses (SMBs) believe they’re flying under the radar of cyber criminals. After all, why would hackers bother with a small operation when they can go after large corporations with deep pockets?
Unfortunately, the inverse is true. SMBs are prime targets for cyber attacks precisely because they assume they’re too small to be at risk. One of the most common and damaging attacks that smaller organizations experience is known as business email compromise (BEC).
BEC attacks accounted for 30% of all Coalition cyber insurance claims in 2024. What’s more, these attacks can also escalate into additional cyber incidents, drastically increasing the overall financial impact. Below, we’ll explain how BEC attacks happen, how they can escalate into larger attacks, and how to protect your business from these pervasive cyber threats.
Understanding business email compromise
BEC is an event in which cyber criminals gain access to an organization’s email account to conduct malicious activity. Attackers often leverage email access to find sensitive data, including login credentials, financials, and other private information. Once equipped with sensitive information, they can steal money, extract data for extortion, or compromise additional technologies.
In 2024, the average cost of a BEC attack increased 23% year-over-year to an average loss of $35,000 — and this cost can significantly increase depending on the amount of damage an attacker inflicts. Let’s walk through a common BEC scenario:
Step 1: A simple phishing email
Steven (the CEO) receives a Microsoft 365 security alert in his inbox:
“Unusual sign-in detected — verify your credentials immediately.”
The email appears credible and insists the matter is urgent, prompting Steven to trust its legitimacy and act quickly. It also includes a link to a spoofed login page that resembles Microsoft's.
Step 2: Credential theft in one click
Busy and traveling, Steven clicks the link and enters his email address and password into the convincing fake login page. Just like that, the attackers capture Steven's login credentials and now have full access to his email account.
Step 3: Account access and infiltration
Next, attackers log in to Steven’s email account using the stolen credentials and set up an email forwarding rule to an external address. From now on, attackers will be able to track all inbound and outbound activity from Steven’s account, while hiding their own activities.
Step 4: Reconnaissance and surveillance
With visibility into Steven’s account, attackers can monitor communications, make note of financial processes, and learn how he communicates with others. All they have to do now is wait patiently for the perfect moment to strike.
Step 5: Attack execution
Here’s where BEC attacks can escalate. Armed with the right information and access, attackers can inflict damage in various ways:
An urgent email from Steven to the finance department about a late payment to an outside vendor can prompt other employees to wire payments to bank accounts controlled by the attackers.
An authoritative request for all employees’ W-2 forms for an upcoming audit can trick the human resources department into sharing sensitive personal information.
A deep dive into Steven’s inbox can unearth information about other technologies used by the business, pointing attackers toward digital assets that can be compromised and leveraged in a ransomware attack.
Attackers often gravitate toward the tactics that require minimal effort and deliver maximum return. In many cases, this means pursuing fraudulent financial transactions.
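The forwarding rule planted in Step 3 leaves an artifact an administrator can audit. The script below is an added example, not Coalition's code; it assumes the Exchange Online PowerShell module (ExchangeOnlineManagement) is installed and that the caller holds a role that can read mailbox and inbox rule settings, and it flags inbox rules or mailbox forwarding that send mail to a domain the tenant does not own, plus rules that also delete or file messages away.

```powershell
# Added example (not Coalition's code): audit Exchange Online for the kind of
# external forwarding rule described in Step 3. Assumes ExchangeOnlineManagement
# is installed and the signed-in account can read mailbox and inbox rule settings.
Connect-ExchangeOnline -ShowBanner:$false

# Every domain the tenant owns; any other recipient domain is treated as external.
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalRecipient {
    param([string]$Recipient)
    # Get-InboxRule renders recipients as "Display Name [SMTP:user@domain]";
    # ForwardingSmtpAddress looks like "smtp:user@domain". Internal-only
    # references (no SMTP address) are not treated as external.
    if ($Recipient -match '(?i)smtp:([^\]\s]+)') { $addr = $Matches[1] } else { $addr = $Recipient }
    if ($addr -notmatch '@') { return $false }
    $domain = ($addr -split '@')[-1].ToLower()
    return ($internal -notcontains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # Mailbox-level forwarding (set by an admin, or by an attacker with account access)
    $fwd = $mbx.ForwardingSmtpAddress
    if ($fwd -and (Test-ExternalRecipient "$fwd")) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = '<mailbox forwarding>'; Target = "$fwd"; Hides = $false }
    }
    # Inbox rules: forward/redirect to an external address, and rules that also
    # delete or file messages so the owner never sees the attacker's traffic.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        $external = $targets | Where-Object { Test-ExternalRecipient "$_" }
        $hides    = [bool]($rule.DeleteMessage -or $rule.MoveToFolder)
        if ($external -or ($hides -and $targets)) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name; Target = ($external -join '; '); Hides = $hides }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Run it on a schedule and alert on any new row; a forward to a domain outside the tenant, especially combined with a delete or move action, is the pattern described in Step 3 and warrants an immediate password reset and session revocation for that mailbox.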
How attack escalation can increase financial losses
The disruption and financial impact of a BEC attack can vary widely from case to case. The amount of time attackers remain inside a business's email account plays a role in the ultimate cost of the incident. Essentially, the longer they're inside, the more opportunity they have to wreak havoc.
In a typical BEC attack, a business incurs costs for incident responders to conduct a full forensic investigation of the incident, aiming to determine both the initial source of the attack and the extent of the damage. But if the attacker uses a compromised inbox to prompt illegitimate payments — known as funds transfer fraud (FTF) — the cost of an attack can increase significantly.
Among all BEC events in 2024, 29% escalated into FTF events. In these cases, the average loss was $106,000, nearly three times the amount of a standalone BEC event.
The most costly and disruptive of all cyber events, however, is ransomware. In 2024, the average loss from a ransomware attack was $292,000, substantially more than for any other cyber event type. Ransom payments are, far and away, the biggest driver of ransomware losses, but they aren't the only factor in the total amount. Common costs include:
$1.1 million average ransom demand: This is how much attackers ask for prior to negotiation.
$102,000 average business interruption loss: This is how much businesses lose due to inability to operate during a ransomware attack.
$58,000 average forensic vendor cost: This is how much businesses pay to investigate after a ransomware attack.
$18,000 average digital asset restoration cost: This is how much businesses pay to recover data and repair post-ransomware system damage.
So why is this relevant to BEC attacks? Email accounts were among the top 3 entry points across all ransomware attacks in 2024. What's more, all of these attacks exploited businesses' employees: tricking them into installing malware, clicking a malicious link, or revealing account credentials.
Employee education is the best defense against BEC attacks
The truth is that most cyber attacks (not just ransomware) start with human error. In fact, 76% of all cyber attacks start as phishing attempts, which means even one employee mistake can put your entire business at risk.
Knowing that email accounts serve as a gateway for cyber attackers and that employee mistakes are a common factor in most attacks, the best way to protect your business against all of these threats is to prevent them in the first place.
Security awareness training can empower your employees to identify phishing attempts and help your business avoid costly cyber attacks. Employee training programs are growing in both popularity and effectiveness, now considered a must-have for any modern business:
98% of businesses utilize security awareness training programs
80% of businesses say employee education has reduced phishing susceptibility
Coalition Security Awareness Training isn’t like other training solutions; it educates businesses about the newest and most-pressing risks that Coalition sees on a daily basis. With unique access to cyber insurance claims and incident response data from 90,000+ policyholders, we prioritize and recommend the lessons that make the biggest difference to your organization’s cyber risk.
Best of all, Coalition Security Awareness Training is available natively inside Coalition Control®, our unified cyber risk management platform. Coalition policyholders can start a free 15-day trial directly inside the platform.