ThreatList: Business Email Compromises Way Up for Q2

Attacks targeting business email accounts continued to climb in the second quarter, according to data released today by specialist insurer Beazley. Hardest hit were organizations using Office 365, the popular cloud-based productivity solution.

The July edition of Beazley Breach Insights shows that overall, the top two causes of data breaches reported to the Beazley Breach Response (BBR) Services team during the second quarter of 2018 were hacks or malware attacks (39 percent, including the email compromise category), followed by accidental disclosure (22 percent).

Hacking/malware was down three percentage points from Q1, despite an increase in the number of email compromises. This is due to a slight decrease in the number of reported ransomware incidents in Q2, the report found.

Interestingly, there were notable variances depending on the vertical in question:

For colleges and universities, hacking/malware incidents were down 4 percentage points from the first quarter, to 43 percent of the total number of incidents for higher education institutions. While the number of reported hacking or malware incidents did decrease slightly, this shift has more to do with the increase in other categories, such as insider threats and physical loss. 

In banking, 49 percent of all data breach incidents reported to BBR Services in the quarter were caused by hacking or malware, down from 55 percent recorded in the previous quarter. Similar to higher education, financial services entities reported an increase in insider incidents, which accounts for the shift in percentages, Beazley said.

Healthcare

Accidental disclosure, like leaving patient information in unsecured cloud storage buckets (38 percent), and hacking/malware (26 percent) endured as the most frequent causes of data breaches in the healthcare sector in Q2 2018, at a combined 64 percent of the total. The number of accidental disclosure incidents increased from 29 percent in Q1 to 38 percent in Q2 because of an additional 24 reported incidents.

Percentages remained largely unchanged for data breaches reported by professional services firms to BBR Services between Q1 and Q2 2018. The main change was a decrease in reported accidental disclosure incidents in Q2, Beazley said.

Business Email Compromises on the Rise

Falling under the hacking category, business email compromises accounted for 23 percent of incidents in the second quarter, according to the report.

These types of attacks offer bang for the buck for the hacker. For one, the compromise of a single account gives the attacker a platform from which to spear-phish within and outside the organization, with the legitimacy conferred by using an internal email address.

In addition to that, attackers can leverage compromised accounts to request fraudulent wire transfers, redirect an employee’s paycheck or steal sensitive information within the inbox. More sophisticated attackers may exploit PowerShell to log in to Office 365 and do more extensive reconnaissance. And, if they are able to compromise credentials for a user with the right administrative privileges, they may be able to search every single inbox for the entire organization.

The report also found that, for larger scale email compromises, the total cost of legal, forensics, data mining, manual review, notification, call center and credit monitoring can exceed $2 million. And even for the smaller scale email compromises, the costs can easily exceed $100,000.

That’s because in order for the target company to understand the full impact and whether personally identifiable information (PII) or protected health information (PHI) is at risk, they often require programmatic and manual searches of years’ worth of emails for sensitive information.

“Business email compromise attacks are among the more expensive data breaches we see,” said Katherine Keefe, head of BBR Services, in a media statement.

The good news is that attacks of this kind are also preventable. Two-factor authentication can help, as can employee training. Disabling the ability for third-party applications to access Office 365 can also reduce the likelihood of an attacker using PowerShell, a task automation and configuration management system, for reconnaissance.

All images courtesy of Beazley.