top of page

Report: Majority of Business Email Compromise (BEC) Attack Targets Don’t Have MFA Enabled


Arctic Wolf Labs, the research and lab division of the managed detection and response provider, released their 1H 2022 incident response insights report. Arctic Wolf Labs regularly collects and analyzes data and insights from the incident response activities of Arctic Wolf’s incident response business unit, Tetra Defense.


Key Report Takeaways:

  • The second quarter of 2022 saw a significant uptick in business email compromise (“BEC”) attacks, accounting for over a third of total cases we responded to. At 80% of the organizations where a BEC attack occurred, there was no Multi-Factor Authentication (“MFA”) solution in place prior to their incident.

  • The median ransomware demand from threat actor groups was $450,000, with Technology and Shipping/Logistic industries experiencing demands that more than double the global median.

  • While the human element is a common attack vector that threat actors can exploit, over 80% of incidents are driven by the exploitation of unpatched vulnerabilities or remote access tools.

  • Incidents tied to the well-publicized ProxyShell and Log4J vulnerabilities continue to be twice as costly for organizations to respond than a median incident.

Some of the most notable observations from the first half of 2022 (January – June) include:

Business Email Compromise Attacks Jump in Q2















According to Arctic Wolf Labs, "Of significant note in these BEC cases, 80% of the impacted organizations did not have multi-factor authentication (“MFA”) in place. The ongoing exploitation of compromised credentials in BEC attacks highlights the importance that multi-factor authentication (“MFA”) and dark web monitoring play in securing organizations. With MFA in place, exploitation of compromised credentials becomes more challenging. Even if a threat actor has a known username and password pair, the account remains inaccessible without a second factor of authentication such as an app push notification, text message, or security token. As a next layer of defense, in a worst case scenario, a dark web monitoring feature can alert organizations if credentials have been exposed."

bottom of page