The global financial services industry has seen a sharp 137% increase in Vendor Email Compromise (VEC) attacks over the past year, according to data from Abnormal Security. The majority of these threats are associated with socially engineered email attacks, with an average of 200 advanced attacks detected per 1000 mailboxes each week. Notably, peak attack periods occurred in late January, late September, and mid-December of the previous year. VEC attacks involve threat actors impersonating business providers, such as suppliers or vendors, to manipulate financial transfers, making them challenging to detect due to their apparent legitimacy.
In the detailed report, Abnormal Security highlighted instances of VEC attacks targeting significant amounts, including a case involving a staggering $36 million. The attacks often involve manipulating financial transactions by changing banking details through seemingly harmless emails. Additionally, the financial services industry experienced a 71% increase in Business Email Compromise (BEC) attacks in 2023. BEC attacks involve cybercriminals impersonating executives or employees to orchestrate payroll or banking-related fraud. These attacks, characterized by their social engineering tactics, easily bypass traditional security tools, and their median open rate for text-based attacks reached nearly 28%, emphasizing their effectiveness.
Despite the absence of malicious links or attachments, BEC attacks remain successful due to their focus on human fallibility, combining authenticity and subtle changes to evade detection. Abnormal Security stressed the sophistication of these attacks, presenting a significant challenge to both legacy email security systems and human vigilance. The report concludes that organizations in the financial services sector should prepare for an increasing frequency of email-based attacks targeting human vulnerabilities. To counter these threats, it suggests adopting sophisticated cloud email security solutions to enhance protection against evolving and sophisticated cyber threats.
Reference:
