Palo Alto warns of BEC-as-a-service, finds average wire fraud attempted is $567,000 with peak of $6 million

Business email compromise (BEC) continues to cost victims thousands — and sometimes millions — of dollars, according to a new report from Palo Alto Networks’ threat research group Unit 42.

The security team pored over hundreds of BEC cases, finding that the average attempted wire fraud was $567,000 and the highest was $6 million. Among the hundreds of BEC cases Unit 42 tackled since the beginning of last year, researchers found that 89 percent of victims failed to turn on multi-factor authentication or follow best practices for its implementation.

BEC is often cited by the FBI as one of the most lucrative cybercrimes, and the law enforcement agency reported last year that it led to $1.87 billion in losses. Victims, according to Palo Alto researchers, typically want to avoid reputational harm and often don’t go public, which has made BEC a relatively silent threat.

Unit 42 said its security consultants spend thousands of hours on BEC investigations, “combing through logs to identify unauthorized activity, determine how unauthorized access occurred and find security gaps that need to be addressed.”

“Attackers targeted hundreds of employees at an insurance company with phishing emails. These emails led to an attempt to get login credentials through spoofed Microsoft 365 email

Read More: https://www.zdnet.com/article/palo-alto-warns-of-bec-as-a-service-finds-average-wire-fraud-attempted-is-567000-with-peak-of-6-million/#ftag=RSSbaffb68