Why aren't workers reporting malicious emails to IT?
Despite the increase of business email compromise (BEC) attacks over the past year, a new report has found that a "frighteningly low" number of employees are reporting such encounters.
Findings from security platform Abnormal Security revealed an 81% increase in BEC attacks between the first and second half of 2022.
To make matters worse, employees opened nearly 28% of the attack emails they received between July and December 2022, and responded to an average of 15% of them.
Are they reporting it? The findings revealed that only 2.1% of all known BEC attacks are reported to their employers, with a massive 98% left unreported.
"On top of frighteningly low reporting rates for attacks, the majority of messages reported to security teams aren't even malicious," the report said. "On average, 84% of employee reports to phishing mailboxes are either safe emails or graymail."
Why not report?
According to the report, employees aren't reporting malicious emails for various reasons, including the belief that someone else will handle it and the fear of reporting an email that turns out not to be a malicious attack.
Some employees also believe that as long as they don't engage with the attacker, they have fulfilled their obligation to the organisation, according to the report.
"But security professionals know that opting to just delete the email without reporting it can be almost as damaging since it eliminates the opportunity for the security team to warn other employees about the attack," the report said.
The findings come as company executives believe that their next cybersecurity breach will likely be caused by an internal staff error, according to a survey by EisnerAmper's Outsourced IT Services.
Employees are more likely to become victims of HR-related phishing emails, a new report has found, which underscored how business-related frauds are gaining momentum.
What are BECs?
A business email compromise (BEC) attack is a type of cybercrime where the scammer uses email to "trick someone into sending money or divulging confidential company info," according to Microsoft.
However, unlike other forms of email attacks, BEC attacks are "typically text-based," said Abnormal Security. They don't contain malicious URLs or dangerous attachments.
"The same techniques that have been used for thousands of years to con people are the same tactics that are used today for email attacks. The only difference is that criminals are using a computer to do it," said Crane Hassold, director of threat intelligence at Abnormal Security, in a statement.
The average cost of a BEC attack in 2021 was around $120,000, according to Abnormal Security, and 35% of cybercrime losses stem from BEC.
Investing further in email security could also help, according to Abnormal Security, since it can ensure that BEC attacks never reach employees in the first place.
"While security awareness training will help reduce the risk of employees engaging with a threat actor, it's even better to minimize the number of attacks they receive in the first place," the report said. "Any time an employee has to assess whether an email is malicious is an opportunity for them to make a mistake — and for an attacker to capitalize."