Business Email Compromise Attacks on the Rise (and other lessons from the Verizon 2023 Data Breach Investigations Report)

August 8, 2023

The Verizon 2023 Data Breach Investigations Report is an 89-page document providing an overview of the causes of and trends in data breaches across industries, business sizes, and regions. We’ve summarized some of the key findings from the report below:  

Key Findings from the Verizon 2023 Data Breach Investigations Report

Business Email Compromise attacks on the rise.  

Business Email Compromise (BEC) attacks occur when cybercriminals target businesses (or individuals) that perform financial transactions via email. Generally, the criminal will send a scam email that looks like a legitimate request but ultimately results in funds being diverted to the criminal.  

Some examples are: 

  • A company CEO emailing her assistant to ask him to purchase dozens of gift cards to be sent out as employee rewards. She wants the serial numbers right away so she can forward the rewards today. Her usual email address is, but the request today came from  
  • Your ‘usual’ vendor sends an email asking you to update their mailing and bank account details following a recent move.  
  • An employee receives an email from their manager’s manager asking for their login details for a specific account.  
  • Your company receives an urgent email purporting to be from your attorney seeking immediate payment or an important transaction will fall through.  

Verizon found that BEC attacks make up more than 50% of cyber incidents attributed to social engineering.  

“Business email compromise (BEC)—also known as email account compromise (EAC)—is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional.” – FBI BEC Factsheet 

Some key practices you can implement to reduce your risk of falling victim to a BEC attack include:  

  • Requiring your team to verify by phone any significant financial transactions or changes to account details with the person requesting it using details available online (not from the email the request arrived in).  
  • Training your team to never click on links in unsolicited emails or text messages and to be careful when downloading attachments forwarded via email.  
  • Requiring your team to enable multi-factor authentication on all cloud-based accounts, including email accounts. This reduces the possibility that a scanner can get into your team’s email account and leverage that account to defraud your customers or vendors.  
  • Introduce processes that slow down urgent requests and require at least two people to look at the transaction request. Urgency is a key tool used by scammers, and slowing down can help to prevent harm.  
  • Inform your team about the increase in this style of attack and provide some additional training and information.  

You can find more information on the FBI Factsheet.  

Companies should prioritize solutions that protect against stolen credentials, phishing, and vulnerability exploitation. 

Verizon’s findings indicate that stolen credentials, phishing, and vulnerability exploitation are the three primary methods cybercriminals use to access organizations.  

Minimizing the chances of vulnerability exploitation rests predominantly with your IT team. However, introducing multi-factor authentication and password managers can help to reduce the risk associated with stolen credentials or phishing.  

Multi-factor authentication reduces your risk because it’s not enough for the cybercriminals to simply obtain your password. They also need the authentication code (or other information, like biometric data) to complete the login process.  

Password managers can reduce your risk by ensuring that cybercriminals can only access one account if they manage to successfully steal your credentials. Since each account has different login details, they can’t use the same credentials to access a wealth of different accounts (stealing more data as they go). Read more about this in our article about how P@Ssw0rd123 Won’t Cut It. 

Companies Should Consider Implementing the Center for Internet Security (CIS) Controls.  

Verizon specifically recommended implementing the Implementation Group 1 (IG1) controls from the CIS Framework in its 2023 Data Breach Report. The IG1 controls are also referred to as the Essential Cyber Hygiene controls because it helps to defend against the major types of attacks being used.  

You can review the list of 18 controls contained in IG1 here:  

And, helpfully, CIS recorded a webinar discussing Verizon’s findings, which you can review here:  

If you need assistance with your organization’s privacy and security, reach out. Our attorneys would love to help.  


The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.

Other Articles

External Privacy Policy with hand hovering above it and reading glasses sitting on it Is an External Privacy Policy Enough?
GDPR Explained: A Quick Guide for U.S. Businesses
Children’s Data Privacy: Five Takeaways from the FTC’s Recent Workshop

    Ready to Talk?
    Contact Us

    We would to hear from you

    Please take a moment to tell us a few things about your needs and someone from our team will reach out to you as soon as possible.

    We would to hear from you

    Thank you for reaching out!

    Someone from our team will get back to you shortly

    We would to hear from you