Employees open 28% of business email compromise attacks – Learn why and how to boost your security
Published Mar 27 2023 08:41 AM 2,560 Views
Copper Contributor

In this guest blog post, Arun Singh, VP of Marketing at Abnormal Security, explores the impact an organization’s workforce has on its cybersecurity and why it’s essential to eliminate opportunities for employees to engage with malicious emails.


Business email compromise (BEC) attacks have been a persistent challenge for organizations worldwide since their emergence in the mid-2010s. These text-based emails often bypass traditional security tools, and attackers have found increasingly clever ways to deceive employees into providing them with access to valuable data and funds.


With $43 billion in exposed losses over five years, stopping BEC attacks must be a top priority for companies of all sizes. Not only are these attacks steadily increasing in volume, but, even worse, employees aren’t reporting them.


Employees report attacks at alarmingly low rates

Our research uncovered a startling statistic: Only 2.1 percent of all known attacks are reported by employees to the security team.


In the last six months of 2022, there was an average of 104 BEC attacks per 1,000 mailboxes per week. For mid-market enterprises with 1,500-2,000 employees, this means there are 30-40 attacks every workday that are not reported to the security team. And for larger organizations, the number can be even higher.


Moreover, most messages reported to security teams are not malicious; on average, 84 percent of employee reports to phishing mailboxes are either safe emails or graymail. This means security teams are spending time on emails that are not harmful while the malicious ones remain in employee inboxes.


Why employees aren’t reporting malicious emails

Employees may choose not to report a potential attack for various reasons.


One cause may be the bystander effect. While most often associated with emergency situations, the bystander effect can also occur in any environment in which multiple individuals face the same issue. This phenomenon can be summarized in the phrase, “Someone else will handle it.” In essence, employees assume: 1) they aren’t the only target of an attack; and, 2) a colleague likely has already reported it, so they don’t need to take action. However, it's important to note that even if an attacker targets multiple employees, the sooner an email is reported, the sooner all related messages can be addressed.


Some employees believe that as long as they don’t interact with the attacker, they have fulfilled their cybersecurity obligation. But security professionals know deleting the email without reporting it can be almost as harmful, as it eliminates the chance to warn other employees about the attack. Employees need to understand that while they might be able to immediately recognize a phishing attack or attempted invoice fraud, not all of their colleagues will. And if they don’t report it, the threat actor can move on to their next target within the organization.


Finally, the data shows most reported emails are not actually malicious. Knowing this, employees may not report a potential attack out of fear of embarrassment or creating extra work for the security team. However, when the consequences of a successful attack can be costly, it's important to create an environment in which employees err on the side of caution and are encouraged to report any suspicious emails.


Attackers successfully engage employees at companies of all sizes

Employees not only fail to report attacks they encounter, but they also interact with malicious emails at a concerning rate.





Between July and December 2022, we monitored the email environments for hundreds of companies of different sizes in multiple industries. As the organizations were not yet customers and only evaluating the solution, Abnormal Inbound Email Security was implemented in passive, read-only mode. This means the Abnormal platform was integrated with each company's mail client and detecting malicious emails but was not actively blocking them, unless a potentially successful attack was discovered.


We found the median open rate for text-based BEC attacks involving the impersonation of internal executives and external third parties was almost 28 percent, with an overall average read rate of 20 percent. Even more alarming was that, of the malicious emails that were read, an average of 15 percent were replied to.


Further, although only 0.28 percent of recipients engaged with more than one attack, over a third of replies were from employees who had previously interacted with an earlier attack. It's impossible to know exactly why this occurs, but there are at least a few reasons why an employee might become a “repeat responder.”


One possibility is the employee may not have received enough training or follow-up after the first incident. Just because an employee has experienced the negative consequences of falling victim to an attack, employers shouldn’t assume no additional coaching is needed to avoid repeating the error. In fact, as threat actors change their tactics, security awareness training is more important than ever before.


Additionally, employees in certain roles (such as finance) may receive a higher volume of attacks. Even with adequate follow-up training, if an employee is bombarded with malicious emails at an above-average rate, it increases the chances of them mistaking an attack for a valid email. Finally, some employees may mistakenly believe they won't be targeted again after falling victim to an attack, leading to a false sense of security.


Employees at all levels of an organization engage with attacks

Another interesting trend we examined was the apparent correlation between an employee’s role in an organization and the likelihood of them reading and/or replying to malicious emails.




Employees in human resources and accounts payable roles had some of the highest open rates, ranging from 26 percent to 31 percent for the former and 22 percent to 36 percent for the latter. However, they did not respond to malicious emails as frequently as employees in other positions, indicating they may be more aware of their popularity as attack targets and therefore are better equipped to identify suspicious emails.


Conversely, mid-level sales professionals, specifically sales managers and account executives, had some of the highest open and reply rates (22 percent to 38 percent). Interestingly, although employees in entry-level sales roles like sales associates and sales specialists had below-average open rates, they responded to threat actors a remarkable 78 percent of the time when they opened the email.


It is unsurprising that employees in sales-focused positions are more likely to read and respond to malicious emails. These roles rely heavily on email communication, are often among the most public-facing in a company, and usually require corresponding with various departments and vendors. Moreover, these roles are typically commission-based, incentivizing employees to be responsive, helpful, and efficient in resolving issues.


Transportation, automotive, and healthcare employees most likely to reply

While professional services providers, educational institutions, and religious organizations received the highest volume of attacks during the last half of 2022, employees at these businesses were not the most likely to read and reply to BEC attacks. Our data showed that it was actually employees at transportation providers, automotive enterprises, and healthcare organizations who were most likely to respond to malicious emails.




Traditionally, transportation providers have prioritized physical security over cybersecurity. It is only in the past five years that cybersecurity has been recognized as a top priority by CEOs — and usually only following a significant security breach. Further, there is generally a great emphasis on maintaining seamless operations in the transportation industry. Resolving an issue quickly, whether it involves providing information or settling outstanding balances, can mean the difference between business as usual and a disastrous disruption in services.


Combating email attacks is an uphill battle for professionals in any industry, but employees in the automotive sector are at a particular disadvantage. At automotive enterprises, the organization’s hierarchy and employee names, positions, and contact information — including those of executives — are typically accessible on the company's website. These are all details cybercriminals can easily utilize to craft convincing socially-engineered attacks. In addition, because automotive groups rely on complex supply chains and extensive vendor ecosystems, attackers have numerous third parties to impersonate and vulnerabilities to exploit.


And finally, employees at healthcare organizations are also at a higher risk of falling prey to socially engineered attacks, but for different reasons. The healthcare industry attracts individuals with a strong desire to help others, which cybercriminals will happily exploit. Additionally, larger healthcare organizations and hospital systems have high turnover rates, which means employees are less likely to know their colleagues personally, making impersonation easier.


How Microsoft and Abnormal work together to protect your workforce

Your workforce is your most valuable resource, but also your biggest security risk. Email attacks are especially challenging for employees, as they must remain vigilant at all times, while cybercriminals only need to succeed once. While email attacks will continue to increase in both volume and severity, they can be stopped with the right combination of solutions — like Abnormal Security and Microsoft 365.


Abnormal enhances Microsoft’s native security with machine learning and AI to offer high-accuracy attack detection and prevention. Rather than using a rules- and policies-based system that is triggered only by known indicators of compromise, Abnormal’s approach involves establishing baselines for known-good behavior and then recognizing anomalies. By understanding what is normal, Abnormal can block the malicious and unwanted emails that bypass other solutions.


If you want to be confident your email security will stop these attacks before they reach employee inboxes, now is the time to partner with Abnormal and Microsoft.


To see how Abnormal can secure your cloud email against the full spectrum of email attacks, schedule your personalized demo. And to learn more about how Abnormal augments the built-in protection of Microsoft 365, visit Abnormal's page in the Azure Marketplace.

Version history
Last update:
‎Mar 27 2023 08:41 AM
Updated by: