Business Email Compromise (BEC): What $1.7 Billion in Losses Means for Email Security
Editor’s Note: This blog post was originally found on the Agari Email Security blog.
By Doug Jones
Cybercriminal organizations keep raking in big profits from BEC scams, phishing attacks, and other advanced email threats that continue to prove successful, according to the FBI’s new 2019 Internet Crimes Report.
Issued this past week, the annual report from the bureau’s Internet Crime Complaint Center (IC3) finds US businesses and individuals lost $3.5 billion to cybercriminals in a record 467,361 scams last year. That works out to nearly 1,300 complaints every day of the year, and the annual total is more than 100,000 higher than in 2018.
But that’s not even the most alarming aspect of this year’s report. While new forms of attack pop up all the time, the FBI says that it’s the same set of crimes that keep generating the most revenues for perpetrators.
Various forms of phishing were once again cited as the most prevalent forms of attack this past year, with business email compromise (BEC) accounting for at least $1.7 billion — or more than half — of all losses. Overall, these totals have more than doubled since 2015, the first year the IC3 began reporting on these crimes.
Just think about that for a moment. Despite billions spent annually on cybersecurity, businesses continue to lose more money, and email continues to be the primary vector for attack. The fact is, there’s no one solution to this vexing problem. Instead, it takes a layered approach that addresses the issue from every angle.
DMARC: Protecting Your Customers and Partners
One glaringly obvious issue companies need to address is Domain-based Message Authentication, Reporting, and Conformance (DMARC). This standard email authentication protocol is essential to preventing cybercriminals from spoofing corporate domains, that is, sending mail that claims to come from them, and leveraging those domains in phishing attacks.
Data captured in our new Q1 2020 Email Fraud & Identity Deception Trends report shows that DMARC adoption has increased 83% over the past year, to 11,628,125 protected domains. But this still represents a tiny fraction of the total universe of domains worldwide.
Today, most companies — including 85% of the Fortune 500 — remain defenseless against cybercriminals seeking to pirate their domains to launch phishing-based impersonation scams targeting their customers, investors, supply chain partners, and the general public.
To be fair, deployment across thousands of different domains, divisions, and third-party email vendors can be daunting for large companies. But Forrester Research has found that organizations using automated DMARC implementation tools such as Agari Brand Protection™ (ABP) to take control of their email ecosystems can see phishing-based brand impersonations rapidly drop to near zero.
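A DMARC record only protects a domain when its policy is actually enforced; a record with p=none just asks receivers for reports while spoofed mail is still delivered. The following Python audit, added here as an illustration and not code from Agari or Agari Brand Protection, parses DMARC TXT records per RFC 7489 and classifies each domain as missing, invalid, monitoring, partial or enforcing, with the findings a reviewer would act on (p=none, pct below 100, sp=none leaving subdomains open, no rua= address). The domain names and records in SAMPLE_RECORDS are constructed so it runs offline; in practice you would fetch the TXT record at _dmarc.<domain> with a DNS resolver and pass it in unchanged.

```python
"""Audit DMARC TXT records for whether they actually enforce a policy.

Added example, not Agari's code. Records are passed in as strings so the
audit runs offline; the sample records at the bottom are constructed.
"""
from typing import Dict, List, Optional

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a record into tag=value pairs; None if it is not a DMARC record.

    RFC 7489 requires v=DMARC1 as the first tag, with exactly that value.
    """
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or not parts[0].startswith("v="):
        return None
    tags: Dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags


def audit_dmarc(domain: str, record: Optional[str]) -> Dict[str, object]:
    """Classify one domain's record and list what a reviewer should fix."""
    findings: List[str] = []
    if record is None:
        return {"domain": domain, "level": "missing",
                "findings": ["no _dmarc record published"]}
    tags = parse_dmarc(record)
    if tags is None:
        return {"domain": domain, "level": "invalid",
                "findings": ["not a valid DMARC1 record"]}

    policy = tags.get("p", "")
    if policy not in VALID_POLICIES:
        # RFC 7489 section 6.6.3: with a missing or invalid p= tag, receivers
        # treat the record as p=none when rua= is present, else ignore it.
        if "rua" not in tags:
            return {"domain": domain, "level": "invalid",
                    "findings": ["p= missing or invalid and no rua= present"]}
        policy = "none"
        findings.append("p= missing or invalid; receivers fall back to p=none")

    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 100
    sub_policy = tags.get("sp", policy)    # sp defaults to the p= policy
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports on abuse")
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains spoofable")

    if policy == "none":
        level = "monitoring"
        findings.append("p=none only reports; spoofed mail is still delivered")
    elif pct < 100:
        level = "partial"
        findings.append(f"pct={pct}: only {pct}% of failing mail gets {policy}")
    else:
        level = "enforcing"
    return {"domain": domain, "level": level, "findings": findings}


# Constructed sample records for the demo; not any real domain's records.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@partial.example",
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "subs.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@subs.example",
    "broken.example": "v=spf1 -all",
    "silent.example": None,
}


def audit_all(records: Dict[str, Optional[str]] = SAMPLE_RECORDS) -> Dict[str, str]:
    """Map each domain to its enforcement level."""
    return {d: str(audit_dmarc(d, r)["level"]) for d, r in records.items()}


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = audit_dmarc(name, rec)
        print(f"{name:16} {result['level']:10} {'; '.join(result['findings'])}")
```

Only "strict.example" comes out clean; the point of the classification is that a domain counted as "having DMARC" is still spoofable until it reaches the enforcing level across the domain and its subdomains.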
Yet as much as companies need to protect their own domains, they also need to protect themselves from the “unwashed masses” of unauthenticated emails coming their way each day.
BEC: Defending Against Inbound Phishing Attacks
Despite seeing impressive gains in covered domains, the number of advanced email threats flowing from unprotected, spoofed, and lookalike domains is still staggering. This includes more than 1 trillion new phishing and BEC attacks targeting corporate employees each year.
In recent threat dossiers on Scattered Canary, Silent Starling, and Exaggerated Lion, we’ve uncovered how cybercrime rings now operate with the same sophistication and organizational efficiencies as many modern enterprises.
But as aggravating as it may be, today’s most successful email attacks are simple, plain-text messages that use sophisticated social engineering tactics to dupe corporate employees into surrendering sensitive information, revealing login credentials, or paying for fraudulent expenses.
Agari Phishing Defense™ (APD) addresses this issue head on, with industry-leading protection against BEC, phishing, and even account takeover (ATO)-based attacks that evade traditional security controls.
But over the past 24 months, we’ve seen significant evolution in attack methods, including “time-bombed” URLs that weaponize after delivery. Through active engagement with threat actors, the Agari Cyber Intelligence Division continues to discover new threats that evade detection.
In this game of cat and mouse, we identify new threats, adjust advanced machine learning models to catch them, and through Continuous Detection and Response technology remove them from employee inboxes. But, clearly the job of security doesn’t stop at detection. It needs to encompass resilience, and this requires a more expansive approach to email security.
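The inbound side of the problem is different from publishing your own record: the threats above arrive from domains that have no DMARC policy, fail it, or merely look like a trusted partner. The following Python triage routine, added here as an illustration and not Agari Phishing Defense or any Agari detection logic, shows three cheap checks a mail pipeline can run on each message: the dmarc= verdict in the Authentication-Results header (RFC 8601), a Reply-To domain that differs from the From domain, and a From domain that resembles a trusted partner after normalising common look-alike substitutions. TRUSTED_DOMAINS, the homoglyph map and both sample messages are constructed for the demo.

```python
"""Triage an inbound message for common BEC indicators.

Added example, not Agari's code. The trusted-domain list, the homoglyph
map and the sample messages below are constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

TRUSTED_DOMAINS = {"example.com", "partner-supplies.com"}   # constructed

# Substitutions attackers use to register look-alike domains; extend as needed.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> str:
    """Return the trusted domain this one imitates, or '' if none."""
    if not domain or domain in TRUSTED_DOMAINS:
        return ""
    normalised = domain.translate(HOMOGLYPHS).replace("rn", "m")
    for trusted in TRUSTED_DOMAINS:
        if normalised == trusted or levenshtein(domain, trusted) <= 1:
            return trusted
    return ""


def sender_domain(header_value) -> str:
    """Domain part of an address header, lower-cased ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def dmarc_result(msg) -> str:
    """The dmarc= verdict from Authentication-Results, or 'absent'."""
    for value in msg.get_all("Authentication-Results", []):
        match = re.search(r"\bdmarc=(\w+)", value)
        if match:
            return match.group(1).lower()
    return "absent"


def triage(raw_message: str) -> Dict[str, object]:
    """Run the three checks and return the findings for this message."""
    msg = message_from_string(raw_message)
    from_domain = sender_domain(msg.get("From"))
    reply_domain = sender_domain(msg.get("Reply-To"))
    findings: List[str] = []

    verdict = dmarc_result(msg)
    # 'none' means the From domain publishes no policy; 'fail' means it
    # failed one; 'absent' means our own gateway never evaluated it.
    if verdict in ("fail", "none", "absent"):
        findings.append(f"dmarc={verdict}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from {from_domain}")
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"{from_domain} resembles trusted domain {imitated}")

    return {"from_domain": from_domain, "dmarc": verdict,
            "findings": findings, "suspicious": bool(findings)}


# Constructed sample messages (headers only matter for these checks).
SAMPLE_LEGIT = """From: Reports <alerts@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com
Subject: Weekly report

Attached is this week's report.
"""

SAMPLE_BEC = """From: "CFO" <cfo@examp1e.com>
Reply-To: cfo@mail-invoice-update.net
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dmarc=none header.from=examp1e.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

if __name__ == "__main__":
    for label, raw in (("legit", SAMPLE_LEGIT), ("bec", SAMPLE_BEC)):
        print(label, triage(raw))
```

None of the three checks is conclusive on its own (legitimate bulk senders use a different Reply-To all the time), which is why the findings are returned as a list for a downstream score or analyst rather than a block decision; the look-alike check is also the one that catches the "plain-text, no payload" messages the article describes, since there is nothing else in them to detect.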
Not only do we need to protect the inbox, we also need to eliminate the opportunity for an employee to make a bad decision if and when the inbox gets breached. That’s why Agari has now teamed up with KnowBe4, the leader in phishing simulation and training.
A Multi-layered Approach to a Multifaceted Threat
Phishing simulation and training adds a defensive layer focused on teaching employees what a phishing email looks like, and gives them practice at identifying new attacks to improve the likelihood they’ll avoid email scams while reducing the number of false positives reported to the Security Operations Center (SOC).
By infusing the simulation and training process with the scenarios surfaced by actively engaging attackers, the combined Agari-KnowBe4 solution provides a one-of-a-kind layered phishing defense that keeps companies one step ahead of attackers, even if their organization has never seen the actual attack method. By combining our best-of-breed solutions, we improve the efficacy of each solution acting on its own. Here’s why.
It’s this continuous feedback loop, from attacks detected in the wild to the scenarios used in training, that makes our technology partnership with KnowBe4 and our future integration with KnowBe4’s Kevin Mitnick Security Awareness Training so valuable. When a new phish is detected, Agari customers will be able to feed that example into their phishing training and simulation program.
In fact, this kind of layered approach may provide the key to reversing the trends captured in the new IC3 report and in our own Q1 2020 research report. In the end, it’s not just about keeping up with identity deception attacks. It’s about proactively staying one step ahead.
To learn more about the Agari technology partnership with KnowBe4, read the press release.