
Your Email Account is the Primary Gateway for Cyber Attackers

Anne JuntunenJune 11, 2025

Many small and midsize businesses (SMBs) believe they’re flying under the radar of cyber criminals. After all, why would hackers bother with a small operation when they can go after large corporations with deep pockets?

Unfortunately, the opposite is true. SMBs are prime targets for cyber attacks precisely because they assume they’re too small to be at risk. One of the most common and damaging attacks that smaller organizations experience is known as business email compromise (BEC).

BEC attacks accounted for 30% of all Coalition cyber insurance claims in 2024. What’s more, these attacks can also escalate into additional cyber incidents, drastically increasing the overall financial impact. Below, we’ll explain how BEC attacks happen, how they can escalate into larger attacks, and how to protect your business from these pervasive cyber threats.

Understanding business email compromise

BEC is an event in which cyber criminals gain access to an organization’s email account to conduct malicious activity. Attackers often leverage email access to find sensitive data, including login credentials, financials, and other private information. Once equipped with sensitive information, they can steal money, extract data for extortion, or compromise additional technologies.


In 2024, the average cost of a BEC attack increased 23% year-over-year to an average loss of $35,000 — and this cost can significantly increase depending on the amount of damage an attacker inflicts. Let’s walk through a common BEC scenario:

Step 1: A simple phishing email

Steven (the CEO) receives a Microsoft 365 security alert in his inbox:

“Unusual sign-in detected — verify your credentials immediately.”

The email appears credible and insists the matter is urgent, so Steven both trusts it and feels pressure to act quickly. The email also includes a link to a spoofed login page that resembles Microsoft’s.

Step 2: Credential theft in one click

Busy and traveling, Steven clicks the link and enters his email address and password into the convincing fake login page. Just like that, the attackers capture Steven’s login credentials and have full access to his email account.

Step 3: Account access and infiltration

Next, the attackers log in to Steven’s email account using the stolen credentials and set up an email forwarding rule to an external address. From then on, the attackers can track all inbound and outbound activity in Steven’s account while hiding their own activity.

Step 4: Reconnaissance and surveillance

With visibility into Steven’s account, attackers can monitor communications, make note of financial processes, and learn how he communicates with others. All they have to do now is wait patiently for the perfect moment to strike.

Step 5: Attack execution

Here’s where BEC attacks can escalate. Armed with the right information and access, attackers can inflict damage in various ways:

  • An urgent email from Steven to the finance department about a late payment to an outside vendor can prompt other employees to wire payments to bank accounts controlled by the attackers.

  • An authoritative request for all employees’ W-2 forms for an upcoming audit can trick the human resources department into sharing sensitive personal information.

  • A deep dive into Steven’s inbox can unearth information about other technologies used by the business, pointing attackers toward digital assets that can be compromised and leveraged in a ransomware attack.

Attackers often gravitate toward the tactics that require minimal effort and deliver maximum return. In many cases, this means pursuing fraudulent financial transactions.
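The forwarding rule from Step 3 leaves a trace in the mailbox audit log, which is where a defender can catch this scenario before Step 5. The following is an added example, not code from the original post: a small Python check that scans constructed, simplified audit-log records for rules that forward a mailbox’s mail to a domain outside the business, and flags rules that also delete or move the mail to hide what is happening. The record field names, the operation names, and the internal domain are assumptions for this example.

```python
# Domains belonging to the business (assumed here); anything else is external.
INTERNAL_DOMAINS = {"example.com"}
# Operations that create or change forwarding, and the parameters carrying
# the destination; names modelled on Microsoft 365 audit-log entries.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                "ForwardingSmtpAddress")

# Constructed sample audit events (simplified shape, not real log data).
SAMPLE_EVENTS = [
    {"UserId": "steven@example.com", "Operation": "New-InboxRule",
     "ClientIP": "203.0.113.7", "Parameters": {"Name": ".",
     "ForwardTo": ["billing@mail-example.net"], "DeleteMessage": True}},
    {"UserId": "steven@example.com", "Operation": "New-InboxRule",
     "ClientIP": "198.51.100.2",
     "Parameters": {"Name": "Team", "ForwardTo": ["assistant@example.com"]}},
    {"UserId": "dana@example.com", "Operation": "Set-Mailbox",
     "ClientIP": "198.51.100.9",
     "Parameters": {"ForwardingSmtpAddress": "smtp:dana.home@example.org"}},
    {"UserId": "dana@example.com", "Operation": "MailItemsAccessed",
     "ClientIP": "198.51.100.9", "Parameters": {}},
]

def is_external(address):
    """True when the address's domain is not one of ours."""
    addr = address.split(":", 1)[-1]            # drop an 'smtp:' prefix
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def forwarding_targets(params):
    """Flatten every forwarding/redirect destination in a rule's parameters."""
    targets = []
    for key in FORWARD_KEYS:
        value = params.get(key, [])
        targets.extend([value] if isinstance(value, str) else value)
    return targets

def suspicious_forwarding(events):
    """Findings for rules that send a mailbox's mail to external addresses."""
    findings = []
    for ev in events:
        if ev.get("Operation") not in RULE_OPS:
            continue
        params = ev.get("Parameters", {})
        external = [t for t in forwarding_targets(params) if is_external(t)]
        if external:
            # Deleting/moving the forwarded mail hides it from the owner: stronger signal.
            hides = bool(params.get("DeleteMessage") or params.get("MoveToFolder"))
            findings.append({"user": ev["UserId"], "ip": ev.get("ClientIP"),
                             "targets": external, "hides_activity": hides})
    return findings
```

Run against the sample, the check reports Steven’s hidden external rule and Dana’s mailbox-level forward, and ignores the internal rule and the unrelated access event.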

How attack escalation can increase financial losses

The disruption and financial impact of a BEC attack can vary widely from case to case. The amount of time attackers remain inside a business’s email account plays a role in the ultimate cost of the incident. Essentially, the longer they’re inside, the more opportunity they have to wreak havoc.

In a typical BEC attack, a business incurs costs for incident responders to conduct a full forensic investigation of the incident, aiming to determine both the initial source of the attack and the extent of the damage. But if the attacker uses a compromised inbox to prompt illegitimate payments — known as funds transfer fraud (FTF) — the cost of an attack can increase significantly.

Among all BEC events in 2024, 29% escalated into FTF events. In these cases, the average loss was $106,000, nearly three times the amount of a standalone BEC event.


The most costly and disruptive of all cyber events, however, is ransomware. In 2024, the average loss from a ransomware attack was $292,000, substantially more than for any other cyber event type. Ransom payments are, far and away, the biggest driver of ransomware losses, but they aren’t the only factor in the total amount. Common costs include:

  • $1.1 million average ransom demand: This is how much attackers ask for prior to negotiation.

  • $102,000 average business interruption loss: This is how much businesses lose due to inability to operate during a ransomware attack.

  • $58,000 average forensic vendor cost: This is how much businesses pay to investigate after a ransomware attack.

  • $18,000 average digital asset restoration cost: This is how much businesses pay to recover data and repair post-ransomware system damage.

So why is this relevant to BEC attacks? Email accounts were among the top three entry points across all ransomware attacks in 2024. What’s more, all of these attacks exploited businesses’ employees: tricking them into installing malware, clicking a malicious link, or revealing account credentials.


Employee education is the best defense against BEC attacks

The truth is that most cyber attacks (not just ransomware) start with human error. In fact, 76% of all cyber attacks start as phishing attempts, which means even one employee mistake can put your entire business at risk.

Knowing that email accounts serve as a gateway for cyber attackers and that employee mistakes are a common factor in most attacks, the best way to protect your business against all of these threats is to prevent them in the first place.

Security awareness training can empower your employees to identify phishing attempts and help your business avoid costly cyber attacks. Employee training programs are growing in both popularity and effectiveness, now considered a must-have for any modern business:

  • 98% of businesses utilize security awareness training programs

  • 80% of businesses say employee education has reduced phishing susceptibility

Coalition Security Awareness Training isn’t like other training solutions; it educates businesses about the newest and most-pressing risks that Coalition sees on a daily basis. With unique access to cyber insurance claims and incident response data from 90,000+ policyholders, we prioritize and recommend the lessons that make the biggest difference to your organization’s cyber risk.

Best of all, Coalition Security Awareness Training is available natively inside Coalition Control®, our unified cyber risk management platform. Coalition policyholders can start a free 15-day trial directly inside the platform.*



*Access training for 15 days for FREE. Customers who subscribe to training for a 12-month period will be billed USD $12 within the first 30 days from enrollment. Customers can opt to non-renew before the end of the 12-month period. NO REFUNDS PERMITTED. Limitations apply. See Terms for more details. Training offered by Coalition Incident Response, Inc., or in conjunction with its affiliates, operating in the following jurisdictions: Australia: Coalition Incident Response Pty Ltd.; Canada: Coalition Incident Response Canada, Inc.; and UK: Coalition Incident Response UK, Ltd.

Security products are provided by Coalition Incident Response, Inc., d/b/a Coalition Security, a wholly owned affiliate of Coalition, Inc. with a principal place of business and registered address of 19 West 44th St., 15th Floor, Ste. 1507, New York, NY 10036. Coalition Security does not provide insurance products. The purchase of a Coalition insurance policy is not required to purchase any Coalition Security product.

This blog post is designed to provide general information on the topic presented and is not intended to constitute the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees makes any warranty of any kind, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only.
