BEC Attacks Did not Abate in 2024. What Can You Do in 2025 to Defend Yourself

By Ashish Dhiman, GMO GlobalSign - Malware Update

Feb 27, 2025 - 17:10

According to a recent survey from security provider SlashNext, email-based cybersecurity threats increased by 202 percent in the second half of 2024, confirming that email remains a popular channel for attackers to commit fraud.

SlashNext's analysis also covered Business Email Compromise, better known as BEC attacks. This type of incursion has surged, and many other cybersecurity providers reported on it last year, among them Arctic Wolf. Its study released in May 2024 suggested that BEC attacks are now the primary method cybercriminals use to target businesses. Arctic Wolf's 2024 Trends survey of over 1,000 senior IT and cybersecurity decision-makers found that not only did 70 percent of organizations report an attempted BEC attack, but 29 percent reported being a victim.

A $55 Billion Industry
The US Federal Bureau of Investigation (FBI) announced in September 2024 that BEC attacks are a “$55 billion scam”. The agency based its calculations on law enforcement reports and filings with financial institutions between October 2013 and December 2023. The total figure covers more than 305,000 domestic and international BEC incidents.

Examples of Business Email Compromise
A BEC attack targets businesses both large and small, as well as individuals, through fraudulent emails that appear to come from trusted sources: colleagues such as an executive assistant, but also attorneys and others involved in financial transactions. BEC attackers use tactics such as fraudulent invoices to trick recipients into making payments to fake accounts, and they are also known to impersonate high-ranking executives or a trusted third party such as a vendor.
One of the most noteworthy BEC cases the FBI pursued in 2024 was that of a Nigerian man living in the UK. The FBI says 33-year-old Babatunde Francis Ayeni played a prominent role “in a massive cyber fraud conspiracy that victimized over 400 people across the US, resulting in a collective loss of nearly $20 million.” More than 200 victims lost their entire transaction. Ayeni pleaded guilty to conspiracy to commit wire fraud in April of 2024.

Another recent case involved international money laundering. A Pennsylvania man is now serving a nine-year prison sentence for helping launder hundreds of thousands of dollars fraudulently obtained via two front companies. Michael Okorie and his co-conspirators conducted BEC attacks (as well as romance and other types of fraud). The funds collected by the fraudsters were moved from one bank to another and wired to Nigeria or used to purchase cars for overseas shipment.

Also, in early 2024, Europol dismantled a cyber gang involved in a $40 million BEC attack that targeted a real estate developer in Paris. Posing as lawyers, the fraudsters convinced the company to transfer a substantial amount of money, resulting in nearly 38 million euros (over $40 million) being sent abroad within days.

How Not to Fall Victim to BEC Fraudsters
There are numerous steps you can take to not become a victim of a BEC scam. Here is what I recommend to our customers.
• Regular staff cybersecurity training, together with vigilance in monitoring for unexpected or suspicious behavior, can help prevent this increasing problem. If your organization is not already using multifactor authentication (MFA), you need to implement it as soon as possible. If both Change Healthcare and Snowflake had done so, they might have avoided the stinging attacks both experienced last year. Those attacks are some of the reasons behind Google Cloud's recent decision to make MFA mandatory by the end of this year.
• To better control email-based attacks you need to implement the right email security tools. Email authentication protocols such as Domain-based Message Authentication, Reporting & Conformance (DMARC) are one such method: they let recipients verify that mail claiming your domain or organization's identity is genuine and flag any kind of spoofing attack.
• In addition to implementing DMARC, go one step further by implementing Verified Mark Certificates (VMC). This will improve the visibility of your brand and logo, instilling significantly more trust in your email recipients. It effectively proves that the emails you send to customers are genuine and can be trusted.
• For email encryption, look for a vendor who can offer you Secure/Multipurpose Internet Mail Extensions (S/MIME). Not only does this protocol enable you to sign emails to prove their authenticity, S/MIME can also encrypt the message to ensure access is limited to authorized individuals. This Public Key Infrastructure (PKI)-based technology uses asymmetric cryptography: when an email is encrypted with a recipient's public key, it can only be decrypted with that recipient's corresponding private key.
• Other options include Pretty Good Privacy (PGP), which is effective for encrypting plain text, emails, files, and directories, though not ideal for large organizations, and the open-source GNU Privacy Guard (GPG), a free solution that lets two parties exchange encrypted messages without first agreeing on a shared secret such as a password.
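As an added illustration of the DMARC point above (this is example code, not from the original article or from GlobalSign), here is a small Python checker that parses a DMARC TXT record and flags settings that still leave a domain open to spoofing. The domain names and records are constructed, and the DNS lookup is replaced by an in-memory table so it runs offline.

```python
from typing import Dict, List, Optional

# Constructed sample records standing in for the TXT record at _dmarc.<domain>;
# an in-memory table replaces the DNS lookup so the example runs offline.
SAMPLE_DNS: Dict[str, Optional[str]] = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "better.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@better.example",
    "strong.example": ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                       "rua=mailto:dmarc@strong.example; ruf=mailto:ruf@strong.example"),
    "missing.example": None,  # domain publishes no DMARC record at all
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into its tag=value pairs (RFC 7489 tag list)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Return findings explaining why the record would not stop spoofing; [] means clean."""
    if record is None:
        return ["no DMARC record: receivers have no policy to apply to spoofed mail"]
    tags = parse_dmarc(record)
    findings: List[str] = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or wrong v= tag: receivers ignore the record")
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag: record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))  # percentage of failing mail the policy applies to
    if pct < 100 and policy in ("quarantine", "reject"):
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are never collected")
    if tags.get("adkim", "r") == "r" or tags.get("aspf", "r") == "r":
        findings.append("relaxed alignment: any host in the organizational domain aligns")
    return findings
```

Running `assess_dmarc` over each entry in `SAMPLE_DNS` shows that only the `p=reject` record with strict alignment and a reporting address comes back clean.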

Of course, strong password management is a must, as is enforcing a standard protocol for confirming financial transactions or sensitive data requests, such as a face-to-face check or a phone call to a known number. No measure is a hundred percent effective, especially against today's sophisticated hackers. However, taking as many precautions as possible and using the right technology will go a long way toward minimizing potential compromise of your organization's valuable data.