Business Email Compromise scams, or whale phishing, rose 45% in the last three months of 2016, according to new research from Proofpoint.
The cybersecurity company analyzed whale phishing attack attempts across more than 5,000 enterprise customers from July–December 2016, and its research includes data from U.S., Canadian, UK, German, French and Australian organizations.
BEC attacks increased 45% in the latter half of Proofpoint’s study, with two out of three attacks containing spoofed email addresses that fraudulently displayed the same domain name as the targeted organization.
"Seventy-five percent of our customers were hit with at least one attempted BEC attack in the last three months of 2016 — and it only takes one to cause significant damage," states Ryan Kalember, senior vice president of Cybersecurity Strategy for Proofpoint. "Our research shows static policies cannot keep up as attackers are constantly changing their socially engineered messages. Organizations need detection, authentication, visibility, and data loss prevention to ensure they don't fall victim."
Proofpoint’s research does not find any discrepancy between large and small organizations, as companies of all sizes are prone to BEC attacks. Businesses in the manufacturing, retail and technology industries are most likely to be targeted with BEC attacks, probably because criminals are attempting to hide behind complex supply chains and SaaS infrastructure, according to Proofpoint.
While BEC scams still often involve CEO impersonation attempts, Proofpoint found that cybercriminals have begun moving down the employee ladder to target different employee groups, such as the financial or HR departments.
The majority of BEC scam subject lines contained certain phrases that consumers should be on the lookout for, with 70% of the most common BEC subject lines containing the words “urgent,” “payment,” or “request.”
Founded in 2002 and based in Sunnyvale, California, Proofpoint is a cloud-based security and compliance company that provides a range of SaaS products to help brands protect their users from cybersecurity threats across email, social media, and mobile applications.
Proofpoint recently expanded its BEC email protection solution with Email Fraud Defense, an email authentication service, and Digital Risk Defense’s Web Discover, a module that identifies lookalike domains.