On the FBI’s website “Scams and Safety” page, business email compromise (BEC) is defined as “one of the most financially damaging online crimes” and it’s noted that these attacks cost companies “hundreds of thousands of dollars,” on average.
Further, a recent APWG report found that the average loss of a wire transfer BEC attack was $80,183 in the second quarter of 2020 — a 32% increase over the first quarter.
While cyber professionals are familiar with what BEC attacks aim to achieve — primarily, financial but also reputational damages — myriad obtuse terminology is commonly used interchangeably with the greater phishing attack lexicon to render the sector of attacks confusing and difficult to categorize.
But for those who are responsible for email threat mitigation, there are several clear instances of BEC attack techniques you should know. To paraphrase Sun Tzu, before you can defeat an enemy, you must first understand it.
Company Financials in the Crosshairs
BEC attacks begin with phishing emails meant to entice a recipient to conduct a task under the guise of a legitimate business activity. What makes them so effective is that the email commonly appears to come from a trusted sender, such as an authority figure. Typically, the cybercriminal will ask for some form of monetary payment or to enter credentials to steal employee personally identifiable information or sensitive company data, such as wage or tax forms, Social Security numbers, and bank account information.
There are two general buckets that BEC attacks fall under: spear-phishing (containing malicious links and/or attachments) and, more commonly, social engineering attacks. The latter take the form of employee availability checks, requests for unspecific tasks, gift card requests, and solicitations for direct deposits, payments, and bank details. Because these emails contain no malicious links or attachments, they bypass traditional secure email gateway protections, which are not capable of blocking emails because of the text they contain.
Let’s break down the three most common type of BEC attacks.
CEO fraud: In this instance, attackers will pose as a company CEO or other company executive in an attempt to fool any level of employee — from intern to an accountant to human resources and everything in between — into executing unauthorized wire transfers or sending out confidential tax information. Often, there can be crossover here into social engineering attacks, which use psychological manipulation to trick people into divulging confidential information or providing access to funds.
Usually, CEO fraud phishing emails are social engineering, but they sometimes can be spear-phishing attacks (that is, the attacker spoofs the CEO asking an employee to download a file).
Account compromise: As mentioned above, one of the biggest goals for cyberattacks is account takeover. This is one of the most devastating forms of BEC attacks and involves using phishing emails to hack an executive or employee account and then uses those qualifications to request invoice payments to vendors. Interestingly, this dovetails with reports that more than 56% of organizations report falling victim to a breach caused by their vendor.
Account takeovers may not be seen as destructive as ransomware or malware attacks, but they can cause huge financial loss to companies. They also almost always start with a social engineering attack, asking recipients for unspecified tasks or for compromising information. Then criminals often lurk for months undetected in the back end of systems, learning communication patterns they can later exploit. This ecosystem is clearly still extremely vulnerable to hacking and phishing attacks, leaving a ripe opening for cybercriminals to abuse.
False invoice scheme: The FBI lists false invoice schemes as one of the top five major types of BEC scams. These attacks commonly target someone who works in a business’s financial department, such as an accountant. Savvy attackers will alter a legitimate invoice’s bank account numbers but leave the rest of the invoice unchanged, making it difficult to detect that it’s fraudulent. The possibilities from there are numerous: Some attackers increase the payment amount or create a double payment, among many strategies.
However it happens, the false invoice scheme involves using phishing emails to impersonate the accountant, the vendor, or both. These techniques are replicable in other prominent billing schemes, such as creating shell companies or making fraudulent purchases with organizational funds.
No Easy Answer
As mentioned earlier, it’s important to understand and use the correct terminology when addressing a BEC attack. If your company’s IT or security team can’t properly trace the origin of a potential attack and understand why the attackers conducted a BEC campaign the way they did, how can your company hope to mitigate any potential damages?
There’s no silver bullet for email security. Cybercriminals are savvy and will do anything and everything to circumvent cybersecurity tools and protections. While companies have made inroads toward protecting valuable financial and customer data, it comes down to staying continually vigilant with state-of-the-art technology and continued phishing awareness training for employees.
Other tips include the following:
- Setting up two-factor (or multifactor) authentication
- Never opening an email attachment from someone you don’t know
- Using a URL scanning service to ensure the veracity of links
As Donna Gregory, chief of the FBI’s Internet Crime Complaint Center, has said, “Criminals are getting so sophisticated, it is getting harder and harder for victims to spot the red flags and tell real from fake.” With COVID-19 and other world issues creating distractions that affect everyone’s concentration and focus, CISOs and security professionals should encourage individuals to be extremely skeptical and to double-check credentials before engaging with any suspicious communications.
Eyal Benishti has spent more than a decade in the information security industry, with a focus on software R&D for startups and enterprises. Before establishing IRONSCALES, he served as security researcher and malware analyst at Radware, where he filed two patents in the … View Full Bio