According to information provided by the Vipre Security Group, business email compromise attacks spiked in the previous year, and cybercriminals are increasingly using AI tools to create their malicious emails.
Business email compromise (BEC) is a type of social engineering that uses spoofed or breached email accounts. Hackers use compromised email accounts, which are frequently compromised via phishing, to commit scams. These attacks may be used to obtain sensitive data, but most often the goal is to trick people who are responsible for wire transfers into transferring funds to a fraudulent, attacker-controlled account. For instance, a vendor’s email account is breached and used to send communications to clients asking them to alter bank account details for a pending payment.
BEC is one of the most expensive kinds of cybercrime. Based on the Federal Bureau of Investigation (FBI) Internet Crime Report, BEC scams in 2023 resulted in $2.9 billion in losses. That year, the Internet Crime Complaint Center (IC3) received 21,489 complaints related to BEC attacks. Despite the growth in ransomware attacks, BEC attack losses were 48 times higher. From October 2013 to December 2022, there were over $50 billion in losses due to BEC scams. INTERPOL recently reported that it was able to recover about $41 million of the money stolen in a BEC attack on a commodity company based in Singapore.
According to Vipre statistics, about 1.8 billion emails were processed in Quarter 2 of 2024 and 226.45 million spam emails were identified; 49% of those emails employed BEC lures, up 20% from Quarter 2 of 2023. Vipre obtained some BEC emails delivered to its clients and reviewed them for AI-generated content using tools such as ZeroGPT, Sapling, Quillbot, GPTZero, and Scribbr. It determined that 40% of those emails were made by AI tools.
Hackers use AI tools both to create convincing phishing emails that breach the accounts employed in BEC attacks and to write the BEC emails themselves in the style of the authorized account holder. Those emails are most often sent to targeted individuals: CEOs and executives (87%), then HR and IT specialists. These statistics indicate why it is important that the C-Suite engages in HIPAA security awareness training.
There were also substantial rises in other kinds of email attacks. Malicious links included in emails increased by 74% year over year. About 17 million malicious links were identified, and twice as many elusive malicious email attachments were identified in Quarter 2 of 2024 as in Quarter 2 of 2023. Cybercriminals are increasingly using AI for their phishing and BEC campaigns. These threats are more difficult to detect and prevent, particularly for consumers, because the emails frequently lack the usual red flags such as spelling mistakes and grammatical errors. The way to prevent these threats is to employ AI-based email security tools and fight AI with AI.