BEC

$50 billion. That’s what business email compromise (BEC) attacks have stolen since the FBI Internet Crime Complaint Center (IC3) started tracking them. The average loss per incident is $125,000 according to FBI IC3 data, though some organizations lose millions in a single attack.

Here’s what makes BEC particularly frustrating to defend against: there’s no malware to scan, no suspicious attachment to sandbox, no sketchy link for your email gateway to flag. These attacks work by impersonating someone the target trusts, asking for something that sounds reasonable, and relying on normal business processes to deliver the money.

Your technical controls won’t catch them. Your employees have to.

According to Deloitte research, 91% of cyber attacks still start with an email.

That number hasn’t moved much in years. We’ve deployed spam filters, secure email gateways, AI-powered anomaly detection, and a dozen other technical controls. Attackers don’t care. When one tactic gets blocked, they try another. When detection catches a pattern, they change the pattern.

The technology arms race is unwinnable on its own. Trained employees add a different kind of defense, one that applies judgment and recognizes context. A well-crafted spear phishing email might slide past every filter you own, but an employee who knows to verify unexpected requests kills the attack anyway.

When attackers want maximum impact, they don’t send mass emails hoping someone clicks. They research a CEO, CFO, or board member for weeks. They craft a perfect message. They wait for the right moment to strike.

This is whaling: spear phishing that targets executives. It accounts for some of the largest individual fraud losses in cybersecurity history.