
The $55 Billion Confusion: Why Not Knowing the Difference Between Hacking and Spoofing Is Costing Businesses Everything

BEC attacks have cost $55 billion over the past decade. Most don't involve actual hacking — they're spoofing attacks. Learn the critical difference and how to defend against both.

June 28, 2024 · 4 min read · Cybersecurity

Most business owners focus on preventing hackers from breaking into systems through strong passwords and multi-factor authentication. But criminals are actually succeeding not because they broke in, but because they never had to.

Business Email Compromise (BEC) attacks have cost organizations $55 billion over the past decade. The critical issue? Most of these attacks don't involve actual hacking — they're spoofing attacks where criminals impersonate trusted individuals.

  • $2.9 billion in losses in 2023 alone
  • $137,000 average loss per incident
  • 90%+ of top domains still vulnerable

Hacking vs. Spoofing: Understanding the Difference

Hacking: Breaking Into Your House

Criminals force their way past locks, alarms, and security systems. This requires technical defenses including strong authentication, updated software, and monitoring systems.

Spoofing: Wearing a UPS Uniform

Criminals trick victims into allowing them access by appearing legitimate. This requires trust verification through email authentication, domain protection, and employee awareness.

Both are dangerous. Both cost businesses millions. But they require completely different defenses.

The Hybrid Threat

The most dangerous attacks combine both methods:

  1. Criminals hack into legitimate business email accounts using stolen credentials, phishing, or exploiting vulnerabilities
  2. They monitor conversations for weeks or months, learning communication patterns, business relationships, and payment schedules
  3. They send spoofed emails that look completely real, coming from actual business accounts with real conversation history

This hybrid approach is particularly effective because the messages are not merely convincing: they originate from a genuine business account and continue a real conversation, so both email authentication checks and the recipient's instincts wave them through.

How Hacking Works

Hacking is unauthorized access to accounts, systems, or devices — digital breaking and entering. Methods include:

  • Password theft through phishing emails or data breaches
  • Malware installation, such as keyloggers capturing everything typed
  • Exploiting vulnerabilities in outdated software
  • Social engineering to trick employees into revealing credentials

Account Takeover (ATO), where criminals gain complete control of email or business accounts, is the scariest outcome. Average cost: $129,000.

How Spoofing Works

Spoofing involves criminals pretending to be trustworthy without breaking into anything:

  • Email spoofing: making emails appear to come from your domain
  • Website spoofing: creating fake sites that look exactly like yours
  • Social media impersonation: copying executive profiles to build fake relationships

A striking statistic: 3.1 billion spoofed emails are sent every day — over 35,000 every second. And only 3.9% of top domains have proper anti-spoofing protection.

It's Happening in Eastern Ontario

These aren't just abstract threats — they've hit our neighbors:

Upper Canada District School Board (January 2025): A cyber attack shut down internet services for all 77 schools in Eastern Ontario, including North Dundas District High School. Students returned from Christmas break to find themselves in a "non-digital environment" with no email and no online learning platforms.

Kemptville District Hospital: Just south of Ottawa, this hospital had to shut down its emergency department after a cyberattack. The City of Clarence-Rockland was also hit by what experts called "a classic ransomware attack" with all municipal systems frozen.

Five Southwestern Ontario Hospitals (October 2023): These hospitals lost $7.5 million and had to shut down critical systems for weeks when the Daixin ransomware group attacked. Over 516,000 patients had their personal health information stolen.

If sophisticated organizations with IT departments and security budgets can fall victim, what does that say about the protection level for smaller businesses?

Defending Your Business

Against Hacking

  • Multi-factor authentication (avoid SMS — use authenticator apps or hardware keys)
  • Strong, unique passwords managed with a password manager
  • Endpoint protection to catch malware before it spreads
  • Regular security audits of login attempts and access patterns
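One way to turn the "regular security audits of login attempts and access patterns" bullet into something concrete, as an added example that is not part of the original article or CinnTech's tooling: a short Python script that reads a constructed sign-in log and raises two kinds of alert that point at account takeover, a success that follows a burst of failures from the same address, and a success from an address the account has never used before. The log lines, the `user=`/`ip=`/`result=` format and the per-user baseline are all assumptions constructed for the example; the addresses come from the RFC 5737 documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system); addresses are
# from the RFC 5737 documentation ranges. Assumed format:
#   <timestamp> user=<name> ip=<address> result=<OK|FAIL>
SAMPLE_LOG = """\
2024-06-28T08:01:10Z user=alice ip=198.51.100.20 result=OK
2024-06-28T08:05:42Z user=alice ip=198.51.100.20 result=OK
2024-06-28T22:14:01Z user=alice ip=203.0.113.7 result=FAIL
2024-06-28T22:14:09Z user=alice ip=203.0.113.7 result=FAIL
2024-06-28T22:14:15Z user=alice ip=203.0.113.7 result=FAIL
2024-06-28T22:14:22Z user=alice ip=203.0.113.7 result=FAIL
2024-06-28T22:14:30Z user=alice ip=203.0.113.7 result=OK
2024-06-28T09:30:00Z user=bob ip=198.51.100.44 result=OK
2024-06-28T13:02:11Z user=bob ip=198.51.100.44 result=FAIL
2024-06-28T13:02:40Z user=bob ip=198.51.100.44 result=OK
"""

# Known-good source addresses per account (office, VPN egress). Constructed here;
# in practice this is built from a few weeks of normal sign-in history.
BASELINE = {"alice": {"198.51.100.20"}, "bob": {"198.51.100.44"}}


def parse_line(line):
    """Turn one log line into a dict, with the timestamp parsed under 'ts'."""
    ts, fields = line.split(" ", 1)
    rec = dict(field.split("=", 1) for field in fields.split())
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def audit(log_text, baseline, fail_threshold=3, window=timedelta(minutes=10)):
    """Return alerts for (a) a success that follows at least fail_threshold failures
    from the same address within the window, and (b) a success from an address
    outside the account's baseline."""
    alerts = []
    recent_fails = defaultdict(list)  # (user, ip) -> timestamps of failures
    records = sorted((parse_line(line) for line in log_text.strip().splitlines()),
                     key=lambda r: r["ts"])
    for rec in records:
        key = (rec["user"], rec["ip"])
        if rec["result"] != "OK":
            recent_fails[key].append(rec["ts"])
            continue
        burst = [t for t in recent_fails[key] if rec["ts"] - t <= window]
        if len(burst) >= fail_threshold:
            alerts.append({"user": rec["user"], "ip": rec["ip"], "ts": rec["ts"],
                           "kind": "success_after_failures", "failures": len(burst)})
        if rec["ip"] not in baseline.get(rec["user"], set()):
            alerts.append({"user": rec["user"], "ip": rec["ip"], "ts": rec["ts"],
                           "kind": "new_source"})
        recent_fails[key].clear()  # a success ends the burst for that address
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG, BASELINE):
        print(alert["ts"].isoformat(), alert["user"], alert["ip"], alert["kind"])
```

On the constructed log, only alice's late-evening sign-in trips both rules; bob's single typo followed by a success from his usual address is left alone. The threshold and window are the knobs to tune against your own volume of false positives, and the same two rules map directly onto the sign-in reports most business email providers already expose.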

Against Spoofing

  • SPF, DKIM, and DMARC properly configured (not just set to "monitor")
  • Domain monitoring to catch look-alike registrations
  • Email authentication verification for all incoming messages
  • Employee training to recognize impersonation tactics

Take Action Today

Immediate Steps:

  • Check your domain's spoofing protection with any DMARC checker tool
  • Review your MFA setup — are you still using SMS codes?
  • Audit recent financial requests — do they follow proper verification procedures?
  • Train your team on the difference between hacking and spoofing

Strategic Planning:

  • Implement proper email authentication (SPF, DKIM, DMARC at "reject" policy)
  • Establish verification procedures for all financial transactions
  • Deploy endpoint protection across all business devices
  • Create incident response plans for both types of attacks
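The "SPF, DKIM, and DMARC properly configured (not just set to 'monitor')" bullet and the "DMARC at 'reject' policy" step both come down to a handful of tags in your DNS TXT records. As an added example that is not part of the original article or CinnTech's tooling, the Python below is a small offline checker in the spirit of the DMARC checker tools mentioned above: it takes the text of a domain's SPF, DKIM and DMARC records and reports every setting that leaves the domain in monitor-only mode. The two record sets are constructed placeholders (no real domain, and `PLACEHOLDER_PUBLIC_KEY` stands in for a real DKIM key); a real check would first fetch the TXT records with a DNS library, which is deliberately left out so the script runs offline.

```python
# Added example: assess SPF / DKIM / DMARC record text for monitor-only settings.
# Both record sets are constructed placeholders, not real domains.
WEAK = {
    "spf": "v=spf1 include:_spf.mailhost.example ~all",
    "dkim": "v=DKIM1; k=rsa; t=y; p=PLACEHOLDER_PUBLIC_KEY",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.mailhost.example -all",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@example.test",
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM/DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Flag SPF records whose final 'all' mechanism does not hard-fail spoofed mail."""
    if not record.lower().startswith("v=spf1"):
        return ["SPF record missing or malformed"]
    last = record.split()[-1].lower()
    if last in ("+all", "all"):
        return ["SPF ends in +all: any host may send as this domain"]
    if last == "~all":
        return ["SPF ends in ~all (softfail): spoofed mail is marked, not rejected"]
    if last == "?all":
        return ["SPF ends in ?all (neutral): no statement is made about spoofed mail"]
    if last != "-all":
        return ["SPF has no terminal 'all' mechanism"]
    return []


def assess_dkim(record):
    """Flag a DKIM selector record with no public key or left in testing mode."""
    tags = parse_tags(record)
    if not tags.get("p"):
        return ["DKIM selector record has no public key (p= tag)"]
    if "y" in tags.get("t", "").lower().split(":"):
        return ["DKIM t=y: selector is in testing mode"]
    return []


def assess_dmarc(record):
    """Flag DMARC records that only monitor, apply partially, or receive no reports."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record missing or malformed"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitor only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail is sent to spam, not rejected")
    elif policy != "reject":
        findings.append("DMARC p= tag missing or invalid")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    # sp defaults to p; a reject domain with a weaker sp leaves subdomains spoofable
    if policy == "reject" and tags.get("sp", "reject").lower() != "reject":
        findings.append(f"DMARC sp={tags['sp']}: subdomains are not protected")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports, so abuse goes unseen")
    return findings


def assess_domain(records):
    """Combine the three checks; 'enforcing' is True only when nothing was flagged."""
    findings = (assess_spf(records.get("spf", ""))
                + assess_dkim(records.get("dkim", ""))
                + assess_dmarc(records.get("dmarc", "")))
    return {"enforcing": not findings, "findings": findings}


if __name__ == "__main__":
    for name, records in (("weak", WEAK), ("hardened", HARDENED)):
        result = assess_domain(records)
        print(f"{name}: {'enforcing' if result['enforcing'] else 'NOT enforcing'}")
        for finding in result["findings"]:
            print("  -", finding)
```

The `WEAK` set is what "set to monitor" looks like in practice: `~all`, `t=y` and `p=none` each let a spoofed message through, and together they are why a domain can have all three records and still be spoofable. The `HARDENED` set is the target the "Strategic Planning" list describes; moving to it is normally done in stages (collect `rua` reports under `p=none`, fix legitimate senders that fail, then step to `quarantine` and finally `reject`), which is also why `pct` is worth checking, since a migration left at `pct=10` never finishes.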

The Bottom Line

In 2025, cybersecurity isn't just about keeping hackers out — it's about stopping criminals from pretending to be people you trust. Hacking requires technical defenses. Spoofing requires trust verification. Hybrid attacks require both.

Don't let the $55 billion in BEC losses become $56 billion with your business included. Protect against both threats, not just the obvious one.


CinnTech

Managed IT · Eastern Ontario

CinnTech has been serving small and micro businesses in Eastern Ontario since 2010. Our team writes these guides to help business owners make sense of IT and cybersecurity without the jargon.
