According to an article from Threatpost, BEC attacks in general represent a small portion of the total “email attack pie,” constituting just five percent of this activity overall. And yet, they disproportionately represent the greatest financial risk. Having led to $26 billion in losses for organizations and individuals over the past three years according to the FBI’s Internet Crime Complaint Center (IC3). Unfortunately, losses from water and wastewater utilities are included in those figures, with WaterISAC continuing to receive reports of these attacks affecting the sector. Part of the reason BEC attacks have been so successful is that they are nearly always hand-crafted and incorporate heavy elements of social engineering. And to boot, the “payload-less” nature (meaning they don’t carry malware or contain URLs leading to malicious websites) of these BEC attacks evades detection from traditional email security solutions. As with so many other things involving security, detecting these attacks and preventing them from being successful relies on continual training and familiarization, especially as new tactics emerge. To assist with this training, the article presents some of the most common characteristics of BEC emails. For example, 65 percent involve some form of engagement, with the threat actor asking something like “Can you assist with two payments before noon?” The article also includes numerous examples of real-world BEC examples. Read the article at Threatpost.