Frequently Asked Questions

Email Security Threats & Business Email Compromise (BEC)

What is Business Email Compromise (BEC) and why is it a major cyber threat?

Business Email Compromise (BEC) is a cyber attack where criminals use email to impersonate trusted individuals or organizations, tricking employees into transferring money or sensitive information. In 2023, BEC attacks resulted in nearly $3 billion in reported losses in the United States, with the average loss per incident rising to $137,132. These attacks are highly effective due to social engineering and the exploitation of human error.

How common are email-based cyber attacks in 2024?

In 2024, roughly three quarters of all reported cyber incidents started with phishing emails or malicious attachments sent to company employees. Email remains the most significant vector for cyber attacks, with 94% of organizations suffering email security incidents and 79% of cyber attacks starting with a phishing email.

Why is email considered the weakest link in organizational security?

Email is considered the weakest link because it is easy for attackers to exploit human error through social engineering. Employees often use personal devices for both business and private tasks, increasing risk. Simulations have shown near 100% click rates on phishing emails disguised as password resets or evacuation plans, highlighting the effectiveness of these attacks.

What are some recent high-profile email-based cyber attacks?

Recent examples include the Yarrow Point municipality email scam, where $49,284 was wired to a cybercriminal, followed by a ransomware attack costing nearly $10,000 in bitcoin. In March 2025, Google users were targeted by "Operation ForumTroll" via phishing emails exploiting a Chrome zero-day vulnerability. In February 2024, Change Healthcare suffered a ransomware attack that disrupted healthcare services nationwide. The City of Allentown, PA, was also hit by Emotet malware via email, resulting in $1 million in damages.

How do attackers use email to bypass security controls?

Attackers use email to deliver ransomware, worms, Trojans, and links to malicious websites. They often impersonate trusted individuals (e.g., executives) or use spear-phishing tactics to trick employees into opening attachments, disclosing credentials, or transferring funds. These methods can bypass traditional security controls if not regularly tested and updated.

What are the financial impacts of BEC and email-based attacks?

The financial impact is significant: BEC attacks caused nearly $3 billion in reported losses in the US in 2023, with the average loss per incident rising to $137,132. Ransomware attacks and malware delivered via email can result in millions in damages, as seen in the City of Allentown and Change Healthcare cases.

How does BYOD and BYOVD increase email security risks?

The rise of Bring Your Own Device (BYOD) and Bring Your Own Vulnerable Device (BYOVD) means employees use personal devices for both work and private tasks. These devices often lack proper security controls, making it easier for attackers to exploit vulnerabilities and launch successful email-based attacks.

What are the most effective social engineering tactics used in phishing emails?

Highly effective tactics include emails masquerading as urgent password reset alerts or updated evacuation plans. Simulations have shown near 100% click rates on such emails, demonstrating the power of social engineering in bypassing employee vigilance.

How can organizations reduce the risk of BEC and email-based attacks?

Organizations can reduce risk by educating employees, keeping systems updated, using intrusion detection systems, flagging suspicious emails, color-coding internal/external emails, applying two-factor authentication for wire transfers, verifying requests by phone, scrutinizing fund transfer requests, and implementing DMARC standards. However, regular security assessments using platforms like Cymulate are essential for exposing vulnerabilities.

Why are regular security assessments important for email security?

Regular security assessments help organizations identify and address vulnerabilities that may not be covered by standard policies and controls. By simulating real-world attacks, organizations can test their defenses, improve employee awareness, and adapt to evolving threats. Cymulate's Breach and Attack Simulation (BAS) platform provides these capabilities.

Cymulate Platform & Email Security Validation

What is Cymulate's E-Mail module and how does it work?

Cymulate's E-Mail module is part of its Breach and Attack Simulation (BAS) platform. It tests an organization's readiness against email-based threats by simulating offensive and defensive scenarios. The module sends emails containing ransomware, worms, Trojans, and malicious links to assess if these threats can bypass security controls and reach employees. It also evaluates employee awareness and response to phishing attempts.

How does Cymulate help organizations validate their email security readiness?

Cymulate helps organizations by simulating real-world email attacks to expose vulnerabilities in their defenses. The platform tests both technical controls and employee awareness, providing actionable insights to improve security posture and resilience against BEC, phishing, and other email-based threats.

What types of threats does Cymulate's E-Mail module simulate?

The E-Mail module simulates a variety of threats, including ransomware, worms, Trojans, phishing links, and socially engineered emails designed to trick employees into revealing credentials or transferring funds. This comprehensive approach ensures organizations are prepared for a wide range of email-based attacks.

How can I see Cymulate in action for my organization?

You can book a personalized demo with Cymulate to see how the platform validates your organization's resilience against email-based cyber threats. Visit Cymulate's demo page to schedule a session.

What are the benefits of using Cymulate for email security validation?

Cymulate provides continuous, automated testing of email defenses, identifies gaps in security controls, improves employee awareness, and delivers actionable insights for remediation. This proactive approach helps reduce the risk of successful email-based attacks and supports compliance with industry standards.

How does Cymulate's approach differ from traditional email security solutions?

Unlike traditional solutions that rely on static controls, Cymulate uses Breach and Attack Simulation to continuously test and validate defenses against the latest threats. This dynamic approach uncovers vulnerabilities that may be missed by standard tools and helps organizations adapt to evolving attack techniques.

What customer feedback has Cymulate received regarding ease of use?

Customers consistently praise Cymulate for its intuitive, user-friendly interface and ease of implementation. For example, Raphael Ferreira, Cybersecurity Manager, stated, "Cymulate is easy to implement and use—all you need to do is click a few buttons, and you receive a lot of practical insights into how you can improve your security posture."

How quickly can Cymulate be implemented?

Cymulate is designed for rapid deployment, operating in agentless mode with no need for additional hardware or complex configurations. Customers can start running simulations almost immediately after deployment, maximizing value with minimal resources.

What types of organizations benefit most from Cymulate's email security validation?

Cymulate is suitable for organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing. It is especially valuable for CISOs, SecOps teams, Red Teams, and Vulnerability Management teams seeking to proactively validate and improve their email security posture.

Features, Integrations & Technical Details

What features does Cymulate offer for email security validation?

Cymulate offers continuous threat validation, automated attack simulations, exposure analytics, and a comprehensive threat library with over 100,000 attack actions. The platform provides actionable insights, quantifiable metrics, and supports integration with leading security controls for automated mitigation.

What integrations does Cymulate support?

Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a complete list, visit our Partnerships and Integrations page.

What security and compliance certifications does Cymulate hold?

Cymulate holds several key certifications, including SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1. These certifications demonstrate Cymulate's commitment to industry-leading security and compliance standards.

How does Cymulate ensure data security and privacy?

Cymulate ensures data security through encryption in transit (TLS 1.2+) and at rest (AES-256), secure AWS-hosted data centers, a tested disaster recovery plan, and compliance with GDPR. The platform includes mandatory 2FA, RBAC, IP address restrictions, and regular third-party penetration testing.

What educational resources does Cymulate provide?

Cymulate offers a Resource Hub with whitepapers, product information, and thought leadership articles, a blog covering the latest threats and research, a glossary of cybersecurity terms, and webinars. Access these resources at our Resource Hub.

Where can I find news, events, and blog posts from Cymulate?

You can stay updated with Cymulate's latest news, research, and events by visiting the blog, newsroom, and events page.

Does Cymulate have resources on preventing lateral movement attacks?

Yes, Cymulate provides a blog post titled 'Stopping Attackers in Their Tracks' that discusses common lateral movement attacks and prevention strategies. Read it on our blog.

Pricing, Use Cases & Company Information

What is Cymulate's pricing model?

Cymulate operates on a subscription-based pricing model tailored to each organization's requirements. Pricing depends on the chosen package, number of assets, and scenarios selected. For a detailed quote, schedule a demo with the Cymulate team.

Who is the target audience for Cymulate's platform?

Cymulate is designed for CISOs, security leaders, SecOps teams, Red Teams, and Vulnerability Management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing.

What are the main pain points Cymulate solves for organizations?

Cymulate addresses fragmented security tools, resource constraints, unclear risk prioritization, cloud complexity, communication barriers, inadequate threat simulation, operational inefficiencies in vulnerability management, and post-breach recovery challenges.

How does Cymulate compare to other security validation platforms?

Cymulate stands out with its unified platform combining Breach and Attack Simulation, Continuous Automated Red Teaming, and Exposure Analytics. It offers continuous threat validation, AI-powered optimization, complete kill chain coverage, and an extensive threat library. Customers report measurable improvements in risk reduction and operational efficiency.

What is Cymulate's mission and vision?

Cymulate's mission is to transform cybersecurity practices by enabling organizations to proactively validate defenses, identify vulnerabilities, and optimize security posture. The vision is to create a collaborative environment for lasting improvements in cybersecurity strategies.

Where can I find Cymulate's customer success stories and case studies?

Cymulate's website features a range of customer success stories and case studies across industries, including finance, healthcare, and energy. Explore these at our Case Studies page.

How does Cymulate support compliance and regulatory requirements?

Cymulate supports compliance with industry standards such as SOC2, ISO 27001, and CSA STAR. The platform provides automated compliance and regulatory testing, helping organizations demonstrate adherence to security frameworks and regulatory requirements.


The Escalating Risk of Business Email Compromise

Last Updated: June 22, 2025


Attackers Are Launching Email Based Cyber Attacks As Never Before

Cyber criminals and malicious hackers keep targeting email inboxes. Corporate email accounts have always been a favorable target, according to security experts. In the United States alone, Business Email Compromise (BEC) attacks resulted in nearly $3 billion in reported losses in 2023, marking a 58% increase since 2020. The average loss per incident rose from approximately $74,723 in 2019 to $137,132 in 2023, indicating that while the number of incidents has slightly decreased, the financial severity per attack has intensified.

Roughly three quarters of all reported cyber incidents in 2024 started with phishing emails or malicious attachments sent to company employees. The main reasons email is easy pickings for cybercrooks are that it is simple, does not require massive resources, and focuses on the weakest link in the organization: people. Furthermore, companies have a hard time detecting and mitigating security incidents quickly and accurately.

Last but not least, employees use their own devices for business and private use. The rise of BYOD (Bring Your Own Device) and, increasingly, BYOVD (Bring Your Own Vulnerable Device) has only amplified the risk, as personal devices used for both business and private tasks often lack proper security controls. When it comes to phishing, two simulations yielded a near 100% click rate: one that masqueraded as a database password reset alert, and another that claimed to include an updated building evacuation plan. This underscores how effective social engineering is.

Case Study: Yarrow Point Email Scam and Recent Ransomware Attacks

The Yarrow Point cyberattack shows how aging systems in, for example, municipalities and governments, combined with untrained staff, make easy targets for hackers. As part of an email scam, the Yarrow Point financial coordinator received an email that seemed to come from the town’s mayor asking to transfer money. He promptly wired $49,284 to an unidentified cybercrook. The email was sent by “Richard” although the mayor always used his nickname “Dicker”. A few months later, Yarrow Point fell victim to a ransomware attack, which locked down some of the town’s computer systems. Employees were denied access to files and in the end, nearly $10,000 in bitcoin was paid in ransom.

Email attacks are not going away anytime soon. Hackers will keep using email to spread malware and ransomware, to trick users into browsing to malicious websites that steal sensitive data, or to fool employees into transferring money. Let’s take a look at some recent examples of email-based attacks that highlight just how persistent, and damaging, this threat vector remains.

  • In March 2025, Google confirmed a surge of cyber-espionage attacks affecting Chrome users due to highly sophisticated malware triggered by phishing links in emails. Kaspersky researchers identified the malware exploiting a zero-day vulnerability, CVE-2025-2783, which allowed attackers to bypass Chrome's sandbox protections. Targeting media professionals, educational institutions, and government agencies, this attack was dubbed "Operation ForumTroll." Google announced a forthcoming security patch to address the vulnerability in the next browser update.
  • In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group and one of the largest health data processors in the U.S., suffered a devastating ransomware attack by the ALPHV/BlackCat gang. The breach caused widespread outages across the healthcare sector, halting billing systems, delaying insurance claims, and affecting services at military pharmacies worldwide.
  • In the week of February 12, the City of Allentown, PA was hit by a cyberattack originating from a malicious email containing malware dubbed Emotet. The self-replicating malware stole credentials such as passwords of city employees. The municipality was forced to shut down some financial and public safety operations. The total costs will be around $1 million, including $800,000 to $900,000 for repairing the damage that the virus has done.

BEC attacks in particular use email to impersonate, spoof and spear-phish, tricking employees into wiring millions of dollars to the hackers’ shell corporations and corresponding bank accounts.

Reducing BEC Risks

There are proven policies and safeguards organizations can put in place to make themselves far less susceptible to Business Email Compromise:

  • Educate employees about the risks to prevent social engineering.
  • Make sure that systems and software are updated.
  • Use an intrusion detection system that can flag e-mails with extensions (domains) that are (too) similar to the corporate e-mail extension.
  • Flag e-mail conversations where the “reply” e-mail address is different from the “from” e-mail address.
  • Color-code e-mails from employee/internal accounts in one color and e-mails from non-employee/external accounts in another color.
  • Apply two-factor authentication requiring two different employees for all wire transfers.
  • Use phone verification by dialing the telephone numbers registered in the system (and not the one in the email).
  • Scrutinize all e-mail requests for suspicious transfer of funds.
  • Implement the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard that verifies the domain of an email message.
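
The header checks from the list above (look-alike sender domain, Reply-To differing from From, internal/external tagging, DMARC result) can be expressed as a small mail-gateway rule. This is an added example, not Cymulate's code; the domain `corp.example`, the flag names and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "corp.example"  # assumption: placeholder corporate domain

def address_of(header_value):
    """Lower-cased bare address from a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].lower()

def domain_of(address):
    """Domain part of an address, or '' when there is no '@'."""
    _, at, domain = address.rpartition("@")
    return domain if at else ""

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw_message, corp_domain=CORP_DOMAIN, max_distance=2):
    """Return the warning flags raised by one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender = address_of(msg["From"])
    reply_to = address_of(msg["Reply-To"])
    sender_domain = domain_of(sender)
    flags = []
    if sender_domain != corp_domain:
        flags.append("EXTERNAL")  # drives the internal/external colour coding
        if edit_distance(sender_domain, corp_domain) <= max_distance:
            flags.append("LOOKALIKE_DOMAIN")
    if reply_to and reply_to != sender:
        flags.append("REPLY_TO_MISMATCH")
    # Assumes the receiving gateway stamps Authentication-Results itself and
    # strips any copy supplied by the sender; otherwise the header is untrusted.
    results = " ".join(msg.get_all("Authentication-Results") or []).lower()
    if "dmarc=fail" in results:
        flags.append("DMARC_FAIL")
    return flags

def sample(sender, dmarc, reply_to=None):
    """Build a constructed test message (not real mail)."""
    headers = [f"From: {sender}", "To: finance@corp.example",
               f"Authentication-Results: mx.corp.example; dmarc={dmarc}",
               "Subject: Wire transfer needed today"]
    if reply_to:
        headers.append(f"Reply-To: {reply_to}")
    return "\n".join(headers) + "\n\nPlease wire the funds.\n"

SAMPLES = {  # constructed messages covering each rule
    "lookalike": sample("Mayor <mayor@c0rp.example>", "pass", "mayor.office@mail.example.net"),
    "spoofed":   sample("CFO <cfo@corp.example>", "fail"),
    "internal":  sample("Alice <alice@corp.example>", "pass"),
    "vendor":    sample("Billing <billing@supplier.example>", "pass"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} {bec_flags(raw)}")
```

The "spoofed" sample shows why DMARC matters alongside the other rules: a message that forges the exact corporate domain passes the look-alike and internal/external checks and is caught only by the authentication result.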

Although these measures will help, they are not enough to prevent email attacks. The best approach is to conduct regular security assessments to expose the vulnerabilities within the organization by using a breach and attack simulation (BAS) platform.

How Cymulate Validates Email Security Readiness

To help organizations stay ahead of email-based threats, Cymulate offers an E-Mail module as part of its Breach and Attack Simulation (BAS) platform. This module tests how prepared organizations from all industries really are when it comes to handling these threats.

Cymulate Phishing Awareness

The simulation deploys offensive and defensive actions to expose critical vulnerabilities, such as sending emails containing ransomware, worms, Trojans, links to malicious websites, etc., to see if these emails would bypass the organization’s first line of defense and reach its employees. In the next step, organizations can also test their employees’ security awareness of such socially engineered emails, which try to phish them into opening malicious attachments, disclosing their credentials or clicking on malicious links.

Ready to see how your defenses stack up? Book a demo with Cymulate to validate your organization’s resilience against email-based cyber threats.
