Business Email Compromise (BEC), more costly than ransomware?
A BEC attack appears to be behind the recent heist at Pepco Group (see here): its Hungarian subsidiary lost about 15.5M EUR in cash.
Typically, a BEC attack impersonates senior management over email or instant messaging, addresses staff inside the company, usually in the accounting or finance department, and pressures them to urgently pay an invoice or process a payment, with the money going to an account the attacker controls.
A few notes:
the cost seems in line with recent high-profile ransomware attacks such as Clorox and MGM (see here), shaving about 10-20% off yearly net profit. Pepco's share price appears to be down about 10% following the news, suggesting a comparable "materiality" impact.
Ransomware attacks have long-lasting effects that make the associated costs hard to assess, whereas a BEC heist hits the company's bottom line directly and with a precisely known amount.
Yet protection against phishing fraud (such as BEC) is often not prioritized on the same level as anti-malware defenses. It requires continuous security awareness training (SAT), supported by software automation and phishing simulations, and it needs technical and process controls behind it: enforcing SPF, DKIM and DMARC on the company's own domains, flagging external mail that carries an executive's display name or diverts replies elsewhere, and requiring out-of-band verification and dual approval for urgent payments or changes to payee bank details.
It remains to be seen whether the attack on Pepco relied only on spoofed communication from outside, or whether the attacker had a foothold inside the organization (for example, access to an internal employee's mailbox from which to send emails). If so, the implications are far more serious: mail sent from a genuine internal mailbox passes SPF, DKIM and DMARC checks and reads as legitimate to both people and filters, and the attacker can read existing threads to time and phrase the request convincingly.
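The distinction between an outside spoof and a message that really left an internal mailbox can be read from the headers the receiving mail gateway attaches. The following is an added example, not code from the original post or from Pepco, that applies the checks described above (executive display-name impersonation, diverted Reply-To, DMARC result on the company's own domain, and a payment-related ask) to four constructed sample messages. The company domain example.com, the executive directory and the sample mails are assumptions for illustration.

```python
"""Triage incoming mail for BEC indicators and separate external impersonation
from mail that genuinely originated in an internal mailbox.

Added example; the domain, the executive list and the four messages below are
constructed for illustration, not real traffic.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed company domain and executive directory (display name -> real mailbox).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Terms that mark a payment-related ask in the body.
PAYMENT_TERMS = ("wire", "invoice", "payment", "transfer", "bank details")

IMPERSONATION_FLAGS = {
    "exec-display-name-mismatch",
    "reply-to-external",
    "internal-domain-not-authenticated",
}


def dmarc_result(msg):
    """Return the dmarc= verdict from the gateway's Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    for token in header.replace(";", " ").split():
        if token.lower().startswith("dmarc="):
            return token.split("=", 1)[1].lower()
    return "none"


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(raw):
    """Return (verdict, sorted list of flags) for one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(addr)
    body = msg.get_payload().lower()
    flags = set()

    # 1. An executive's display name on a mailbox that is not that executive's.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        flags.add("exec-display-name-mismatch")
    # 2. Replies silently diverted to another domain.
    if reply_to and domain_of(reply_to) != from_domain:
        flags.add("reply-to-external")
    # 3. From claims our own domain but the gateway could not authenticate it.
    if from_domain == INTERNAL_DOMAIN and dmarc_result(msg) != "pass":
        flags.add("internal-domain-not-authenticated")
    # 4. The ask itself.
    if any(term in body for term in PAYMENT_TERMS):
        flags.add("payment-request")

    if flags & IMPERSONATION_FLAGS:
        verdict = "external-impersonation"
    elif "payment-request" in flags and from_domain == INTERNAL_DOMAIN:
        # Headers are genuine: the mail really left an internal mailbox, so the
        # request is either legitimate or sent from a compromised account.
        verdict = "internal-mailbox-review"
    elif "payment-request" in flags:
        verdict = "external-payment-review"
    else:
        verdict = "clean"
    return verdict, sorted(flags)


# Constructed sample messages (not real traffic).
SPOOFED_FROM = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe.ceo@mail-example.net>
To: payments@example.com
Subject: Urgent
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

I am in a meeting, please process this invoice by wire today.
"""

LOOKALIKE = """\
From: Jane Doe <jane.doe@example-co.com>
To: payments@example.com
Subject: Supplier payment
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-co.com; dkim=pass header.d=example-co.com; dmarc=pass header.from=example-co.com

Please transfer the outstanding amount before noon.
"""

INTERNAL = """\
From: Jane Doe <jane.doe@example.com>
To: payments@example.com
Subject: Supplier payment
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Please transfer the outstanding amount before noon, I will sign the paperwork later.
"""

BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: payments@example.com
Subject: Q3 deck
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Can you send me the latest version of the Q3 deck?
"""

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED_FROM), ("lookalike", LOOKALIKE),
                       ("internal", INTERNAL), ("benign", BENIGN)]:
        print(label, classify(raw))
```

Two things this shows that the headers alone do not. The lookalike message passes DMARC, because the attacker owns example-co.com and configures it properly, so only the display-name check catches it; DMARC enforcement on your own domain stops the first case, not the second. And the third message is the scenario in the last note: it authenticates as genuine internal mail, so no gateway check can reject it, and the only defenses left are the payment process (out-of-band confirmation, dual approval) and mailbox-compromise detection.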