Business email compromise (BEC) attacks take phishing to the next level

Business email compromise definition

Business email compromise (BEC) defines targeted, email-based cyberattacks that seek to trick victims into exposing company information/systems access, handing over money or to perform other acts that negatively impact the business. Better researched and crafted compared to standard, random phishing emails, BEC attacks often have specific targets, personalized, grammatically correct wording, and seemingly genuine but often time-critical instructions that enhance believability for recipients.

“Despite recent headlines being dominated by ransomware, it’s important not to forget about the security threat still posed by BEC attacks,” Jed Kafetz, head of pen testing at Redscan, tells CSO. “They remain a highly popular vector used by cybercriminals and are increasingly challenging to detect.”

Business email compromise statistics

According to the FBI’s 2020 Internet Crime Report, 19,369 BEC complaints were made in 2020 resulting in losses of $1.8 billion. Though this represented a 19% decrease in BEC victims compared to the previous year, the total amount lost increased 5% year-over-year and the average loss per victim increased 29% year-over-year.

What is the primary goal of business email compromise?

As with all phishing attacks, the aim of BEC is to deceive people into thinking they have received a legitimate business-related email and convince them into doing something they believe is good or necessary for the company.

How business email compromise works

When BEC first rose to prominence a few years ago, the ‘gold standard’ attack method focused on spoofing the email address of a C-level executive (often the CEO) and sending an urgent payment request to somebody the finance department for the wiring of funds to a trusted “supplier’s” bank account. Though this would represent an unusual payment process outside of standard procedures, the combination of the seemingly genuine email address, personalized wording (e.g., first name) and a quick note along the lines of “whilst not our usual practice, due to an unforeseen error, this payment fell through the cracks and needs paying right away” would, rather easily, create a scenario convincing enough to be processed. Of course, the account belongs to the fraudster, and by spending the time to research the C-level exec, their finance colleague and even the supplier, the attacker could potentially net a hefty sum of money. Once the payment goes through, the money is then notoriously difficult to track and recover, and normally ends up in the fraudster’s pocket. Over time, BEC attacks have developed in line with trends to become more diverse and smarter as attackers have continued to go after and exploit specific business-related targets for malicious gain.

How business email compromise is evolving

“Employees working in finance departments still tend to be at the greatest risk of being targeted by BEC attacks, but attacks against IT, HR and sales teams are also increasingly common,” says Kafetz. He notes that BEC attacks now often leverage cloud-based infrastructure and services to host landing pages designed to lure targets into disclosing password credentials. “Attackers know that trusted services such as Sharepoint can prove troublesome to block, so they focus on ensuring emails and accompanying payloads are able to evade firewall policies,” he says. “Once they’ve been successful in compromising mailboxes, attackers act slowly and methodically to avoid arousing suspicion. To eavesdrop on their targets, they will often create email rules which automatically send copies of communications to a third-party inbox – information that is used to inspire fraudulent requests.”

There has been notable advancement in how fraudsters go about collecting and using information in BEC attacks, Jack Chapman, vice president of threat intelligence at Egress, says. “Open-source intelligence is a gold mine for attackers looking to craft highly sophisticated BEC email campaigns. There’s been a vast increase in the information that is available about individuals and organizations online, and attackers can easily gain access to this through social media platforms and company websites.”

What makes this trend even more concerning is how attackers are now combining this information with advanced automation tools, Chapman adds. “This powerful combination enables hackers to create automated email campaigns that utilize personal information and social engineering tactics to create devastating and highly sophisticated attacks on organizations and the individuals in them.”

The COVID-19 pandemic and resulting shift to remote working has had notable impact on current BEC attack trends too, adds Brian Honan, founder of BH Consulting. “With lots of people working remotely, criminals are using personal email services to impersonate staff so that requests to payroll or accounts payable to change bank account details for salary or expense payments may not look suspicious,” he says. “They are also using this method to try to impersonate small businesses that supply larger organizations. We have seen criminals use the pretext that the small company’s email server can’t be accessed remotely so they are using personal email addresses instead.”

In fact, some criminals have become so intuitive to steal a quick buck that they are spoofing emails to ask unsuspecting colleagues to purchase gift cards and to send them the details to pass on to staff or clients as rewards or signs of thanks, which can’t be passed on in person due to social distancing, Honan says. “They ask for physical cards to be purchased rather than virtual ones, as the virtual ones can be cancelled quicker. The victim is asked to send pictures of the front and back of the card with the CVV number exposed so the criminal can use them themselves.”

The impact of business email compromise

There is no upper limit to how much havoc a BEC attack can cause for an organization. However, its purpose may not be limited to merely stealing funds, warns Jason Soroko, CTO at Sectigo. “On occasion, criminals might deploy sophisticated BEC attacks to gain access to competitive secrets, which they then sell to the highest bidder. Even worse, they could be deploying BEC tactics to gain entry into the system and plant malware, which might bring the entire system down, costing the company severe losses both financially and in terms of customer confidence and even compliance impact,” he says.

Business email compromise prevention

The financial and reputational damage that BEC attacks have the potential to inflict should serve as clear incentives for organizations to have effective preventative and mitigation strategies in place. For Chapman, this requires a two-pronged approach that combines advanced technology with employee education.

“Many organizations still rely on legacy technology such as secure email gateways or newer tools that rely solely on social graphing technology, both of which are inadequate in the face of highly sophisticated campaigns,” says Chapman. “Instead, organizations need human layer security solutions that are built on zero-trust models and use linguistic analysis, as well as machine learning and social graphing, to prevent the most advanced attacks.” He also recommends educating employees on the dangers of sharing data freely online, how to spot BEC attacks, and the latest tactics attackers are using.

Kafetz advocates the use of multi-factor authentication (MFA), especially across the types of key accounts BEC attackers tend to target. “MFA is relatively straightforward to implement and is an important control if user passwords are stolen,” he says. “Also, while it may sound antiquated, having manual processes in place to verify payment requests is another important safeguard that few companies enforce consistently. Since it’s not always immediately obvious to the recipient that a BEC communication is malicious, calling someone to confirm a payment or change in bank account details will immediately help to identify and shut down any attempted scam.”

Email signing is another technique that can prove effective against BEC attacks, says Soroko, because it clearly shows where the email actually came from and ensures that the content of the email hasn’t changed. “The technology behind email signing has come a long way in a short time and you need to learn how you can now utilize it in ways you couldn’t in the past,” he says, adding that training, while necessary, isn’t enough by itself. “That’s one of the reasons why a layer of security such as email signing is important, because it can be included in the training and become part of promoting safe behaviors.