European organizations experienced a greater volume and frequency of BEC attacks over the last year, as compared to organizations in the United States, according to Abnormal Security.
BEC attacks volume and frequency
The data is based on an analysis of email attack trends between June 2022 and May 2023. This included an analysis of traditional BEC attacks like executive impersonation, vendor-focused invoice, and payment fraud, as well as credential phishing, malware, and extortion.
According to the data, the total number of email attacks steadily increased in both the United States and Europe over the course of the year. However, email attacks in Europe increased at a slightly faster rate.
While total attacks in the United States grew by 5x between June 2022 and May 2023, Europe saw total attacks increase by 7x during the same period—to an average of 2,842 attacks per 1,000 mailboxes in May.
When evaluating BEC attacks specifically, the disparity was even greater. Between June 2022 and May 2023, BEC attacks in the United States increased by just over 2x. Meanwhile, in Europe, there was a 10x increase in BEC attacks, from an average of one attack to an average of 10 attacks per 1,000 mailboxes.
The data also tracked the likelihood of a company receiving a business email compromise or vendor email compromise (VEC) attack throughout the year. Similarly, both the United States and Europe saw these risks increase throughout the year.
August attack surge
However, while in the United States, the trajectory of these increases was fairly steady, in Europe, the data showed a spike in the likelihood of receiving a BEC or VEC attack in August. One reason for this sudden increase may be due to a cultural difference between Europe and the United States when it comes to summer holidays.
“August is when most Europeans take their annual holiday, and it’s not uncommon for employee leave to be highly concentrated around this time, especially when compared to the United States, where peoples’ vacations tend to be more evenly spread throughout the summer months,” said Chris Martin, European Director at Abnormal. “Attackers can expect that many European employees will be away from their computers or distracted around this time—a perfect opportunity to target victims who are more likely to mistakenly fall for a social engineering attack.”
Martin continued, “Despite various nuances in the BEC attack trends across the United States and Europe, the data shows that one thing is clear: BEC attacks are on the rise, and organizations are susceptible no matter where they are located.”