The rapid rise in email fraud has cost organisations worldwide billions of dollars, and company boards are noticing. The most recent FBI statistic cites over $26.2B in losses and over 166K incidents worldwide attributed to “business email compromise”. To be clear, the figure the FBI is actually counting covers both of what the industry knows as BEC and EAC.
It’s important to clarify the difference between BEC and EAC:
- BEC (Business Email Compromise) can be described as identity deception – when attackers pretend to be you to trick someone into wiring money or sending information. There is no technical compromise or malicious payload. Common tools used in identity deception are domain spoofing, display name spoofing, and lookalike domains.
- EAC (Email Account Compromise) is where there is a technical compromise – when attackers actually become you because they have successfully taken over your account. Credential phishing is just one way that accounts are compromised, but attackers are not just looking to steal credentials – the real goal is to establish persistence and move laterally in the organization. Once they’re in your account, they can do all kinds of damage. The real concern is that EAC is a problem that impacts far more than just email.
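The three identity-deception tools listed under BEC (domain spoofing, display-name spoofing and lookalike domains) can each be flagged from the From header alone. The following is an added example, not code from the original post: it assumes a protected domain `example.com`, a short list of impersonated people, and that the receiving gateway stamps an `Authentication-Results` header with the DMARC verdict (all constructed for this example).

```python
import email
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

# Constructed for this example: the organisation's own domain and the
# people most often impersonated in BEC (executives, finance staff).
OUR_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe": "jane.doe@example.com"}

def normalize_domain(domain):
    """Fold common homoglyph tricks (rn->m, vv->w, 0->o, 1->l, 3->e, 5->s)."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))

def classify_sender(raw_message):
    """Return the BEC identity-deception indicators found in one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    auth = str(msg.get("Authentication-Results", "")).lower()
    findings = []
    # 1. Domain spoofing: claims our exact domain but did not pass DMARC.
    if domain == OUR_DOMAIN and "dmarc=pass" not in auth:
        findings.append("domain_spoof")
    # 2. Display-name spoofing: a protected person's name over another address.
    expected = PROTECTED_NAMES.get(" ".join(name.lower().split()))
    if expected and addr.lower() != expected:
        findings.append("display_name_spoof")
    # 3. Lookalike domain: not ours, but (near-)identical after normalisation.
    if domain and domain != OUR_DOMAIN:
        folded = normalize_domain(domain)
        similar = SequenceMatcher(None, folded, OUR_DOMAIN).ratio() >= 0.85
        if folded == OUR_DOMAIN or similar:
            findings.append("lookalike_domain")
    return findings

# Constructed sample messages, not real traffic.
SAMPLES = {
    "spoof": "From: Jane Doe <jane.doe@example.com>\nAuthentication-Results: mx.example.com; spf=fail; dmarc=fail\nSubject: Urgent wire\n\nPlease pay today.\n",
    "display": "From: Jane Doe <ceo.jane.doe@gmail.com>\nSubject: Quick favour\n\nAre you at your desk?\n",
    "lookalike": "From: Jane Doe <jane.doe@examp1e.com>\nSubject: Invoice\n\nNew bank details attached.\n",
    "legit": "From: Jane Doe <jane.doe@example.com>\nAuthentication-Results: mx.example.com; dmarc=pass\nSubject: Lunch\n\nNoon?\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify_sender(raw))
```

The similarity threshold is a heuristic; in production the lookalike check is usually backed by a list of registered variants of the organisation's domains rather than string distance alone.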
10-minute recording