Business email compromise (BEC) attacks are among the most effective forms of phishing today. Regardless of the technology in place, the social engineering involved will easily bypass it and can trick even trained users.
Most Common Types of Business Email Compromise (BEC) attacks:
- Invoice Scams
- Account Compromise/Takeover
- CEO or Executive Fraud
- Legal Impersonation
- Data Theft
Unlike standard forms of phishing, where threat actors take a spray-and-pray approach with untargeted attacks, BEC attacks are highly researched and focus on a single person. In most cases, these targeted attacks are designed to breach the network of a commercial, governmental, or even non-profit organization with very specific goals. These can range from financial gain to collecting highly private or confidential information for further malicious purposes. It is also one of the leading forms of phishing that leads to consumer data breaches.
Phishing is defined as social engineering using digital methods for malicious purposes. Just as threat actors will target users en masse, the more vicious ones will conduct research on a specific target, and the outcome is a Business Email Compromise attack. In most cases, the targets hold a specific role in the company, such as an accountant or an executive. They are the users who control the company's finances or hold the keys to private information.
A standard BEC attack works as follows:
- Threat actor researches the company controller. They locate their email address, full name, and the CEO's name.
- Threat actor will spoof the CEO’s email address.
- Threat actor will send a semi-casual or informal email, without any links or attachments, opening up a dialogue.
- The victim responds directly to the email.
- Threat actor creates urgency, says they are busy or in a meeting, and asks for an immediate wire of money, sometimes in the form of gift cards.
- The victim, not finding this entirely abnormal, doesn't double- and triple-check the request and wires the threat actor money.
From there, the situation is revealed to be a BEC attack anywhere from the same day to months later during an audit. And, as you'll notice, during the initial attack there is no mention of a phishing site to capture credentials or a malicious file attachment. That's why in most cases these attacks easily bypass technology.
However, once a threat actor has gained entry or taken over an account, they can further propagate their attack and use technology such as keyloggers to gain deeper access. In other cases, a spoofed email is just the start, and threat actors will work their way up and down within a network until they reach their goal. A legitimate email makes it significantly easier for a threat actor to social engineer a situation that results in monetary gain or private access.
According to the FBI, in the U.S. alone and across the past few years, threat actors netted just under $3 billion across more than 78,000 victims. Internationally, the FBI tracked another $3 million in reported losses. Alarming as it may be, this only accounts for the successful BEC attacks that have been reported to the FBI. Each day there are countless smaller attacks.
“Between December 2016 and May 2018, there was a 136% increase in identified global exposed losses. The scam has been reported in all 50 states and in 150 countries. Victim complaints filed with the IC3 and financial sources indicate fraudulent transfers have been sent to 115 countries.”
However, a more recent set of data from the FBI shows that in the past year, BEC attacks doubled from past years, and have now hit nearly $1.3 billion in losses in 2018. In 2017? It was only $676,151,185. In one of the latest industry reports, an average of $3 million is lost to BEC attacks each month.
So how can a company stop a threat that is not technical in nature? For starters, security awareness training is incredibly important. Second, but more importantly, ensure that highly targeted roles in an organization always verify requests before fulfilling them.
In our previous example, the comptroller or accountant should have gone around the email and asked the originator to confirm the details of the request. More specifically, never reply directly to the email; forward it to the originator's known email account or confirm in person. This is also why our Email Incident Response solution uses a combination of technology and experts to defeat BEC attacks. Using indicators, if one company or several employees are being targeted, our Email Threat Intelligence and Suspicious Email Analysis can flag a known threat once it is reported. Other companies also gain crowdsourced indicators to protect them, even if nobody within their organization reports the attack. These are then pulled out of inboxes using SOAR.
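The attack flow above (spoofed executive name, payload-less email, urgency and a wire request) and the "verify before you fulfil" rule both come down to a handful of checks a mail gateway or a SOC analyst can apply to a suspicious message. The following is an added example written for this post, not code from the article's author or from the products it mentions; the company domain, the executive directory, the urgency word list and both sample emails are constructed for illustration. It parses a raw message with Python's standard `email` module and returns the BEC indicators it finds, then uses the count to decide whether the request must be verified out of band instead of answered by reply.

```python
"""Indicator checks for a payload-less BEC email (added example; all values constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                        # assumed: the organisation's real domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # assumed: display name -> real address
URGENCY_TERMS = ("urgent", "in a meeting", "right away", "asap", "wire", "gift card")

# Constructed sample: CEO display name, lookalike sender domain, external Reply-To,
# urgency plus a wire request, and no links or attachments.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.janedoe@webmail.example.net
To: controller@example.com
Subject: Quick request
Content-Type: text/plain; charset="utf-8"

Are you at your desk? I'm in a meeting all day and need an urgent wire sent
before close of business. Reply here and I'll send the details.
"""

# Constructed sample: the same executive, from her real address, with routine content.
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Board pack
Content-Type: text/plain; charset="utf-8"

Hi, the board pack for next week is on the shared drive.
Let me know if the budget tab looks correct.
"""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _body_text(msg) -> str:
    """Concatenate all text/plain parts (walk() yields the message itself if not multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks)


def bec_indicators(raw_message: str) -> dict:
    """Return {indicator_tag: detail} for every BEC indicator found in the message."""
    msg = message_from_string(raw_message)
    found = {}
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # 1. A known executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        found["exec_name_mismatch"] = f"'{from_name}' sent from {from_addr}, expected {expected}"

    # 2. Replies are silently routed to a different domain than the visible sender.
    if reply_addr and reply_domain != from_domain:
        found["reply_to_mismatch"] = f"replies go to {reply_addr}, not the From domain"

    # 3. Sender domain is a one- or two-character edit of the real company domain.
    if from_domain != COMPANY_DOMAIN and _edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        found["lookalike_domain"] = f"{from_domain} is within two edits of {COMPANY_DOMAIN}"

    # 4. Urgency and payment language in the body.
    body = _body_text(msg)
    hits = [term for term in URGENCY_TERMS if term in body.lower()]
    if hits:
        found["urgency_language"] = ", ".join(hits)

    # 5. Nothing for a URL or attachment filter to catch: the lure is the reply itself.
    has_link = re.search(r"https?://", body) is not None
    has_attachment = any(part.get_filename() for part in msg.walk())
    if found and not has_link and not has_attachment:
        found["payload_less"] = "no links or attachments; the request lives in the dialogue"
    return found


def needs_out_of_band_verification(raw_message: str) -> bool:
    """Two or more indicators: do not reply; confirm with the originator by a known channel."""
    return len(bec_indicators(raw_message)) >= 2


if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, bec_indicators(sample), "verify:", needs_out_of_band_verification(sample))
```

The threshold of two indicators is a design choice for the example: a single hit such as urgency language is common in legitimate mail, but an executive's name on the wrong address combined with a foreign Reply-To is exactly the pattern the walkthrough describes, and the correct response is the one the text gives: do not reply to the message, confirm with the originator through an address or channel you already trust.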
When all is said and done, Business Email Compromise (BEC) attacks are both the most costly and effective forms of phishing.
In later pieces, we will look further at how CEOs and executives, in particular, are put at risk by BEC attacks, how financial scams work, and why spear phishing is so effective.