Business Email Compromise: Low-Tech, High-Impact Threat

One of the least technologically sophisticated cyberattacks, business email compromise (BEC), is also one of the most damaging. According to the FBI’s Internet Crime Complaint Center (IC3), there were 241,206 business email compromise incidents between 2016 and 2021, with combined global business losses of $43,312,749,946. In its 2021 internet crime report, the FBI cited BEC as the top internet crime in terms of victim loss for the seventh year in a row, totaling almost $2.4 billion in 2021. That was about a billion dollars more than the second-ranked crime.

The low-tech social engineering approach of creating and executing BEC attacks is what also makes it so difficult to prevent. BEC attacks rarely make use of the malicious URLs or malware-infected attachments that traditional signature-based cybersecurity tools such as antimalware, IPS and secure email gateways look out for.

Instead, in a typical BEC attack, the threat actor leverages highly targeted phishing strategies—AKA spear phishing—to impersonate a legitimate business email account. The goal is to convince the victim that the attacker’s email comes from a trusted source, whether inside the company, a supplier or a partner. The attacker then exploits the victim’s trust to defraud the victim’s organization.

The FBI cites the following categories of BEC attacks:

CEO fraud: The attacker impersonates the organization’s CEO and urges a finance department or other employee to transfer money to external accounts the attacker owns.

Account compromise: The attacker hacks an employee’s email account and uses it to request payments to fake company vendors.

Invoice fraud: The attacker uses stolen credentials to hijack a vendor’s email account or uses email spoofing to notify the victim of an “updated” vendor address to send payments. In 2019, Griffin City, Georgia lost $800,000 to a BEC scammer impersonating its supposed water treatment facilities contractor. The attacker included authentic-looking electronic invoices with accurate project and cost information.

Attorney impersonation: The attacker impersonates a lawyer or other legal representative. Sometimes the attacker impersonates an executive first, who warns of a time-sensitive or confidential transaction involving the company’s attorney. Another email then follows from the supposed attorney requesting the wire transfer.

Data theft: Money is not always the goal of a BEC. In this type of attack, the perpetrator might target human resources or bookkeeping employees to obtain sensitive information about CEOs or other high-level employees they can use for a future BEC attack.

Targeted BEC phishing is particularly effective because, in many cases, the attacker has done extensive planning and research to make the fake emails look very authentic. While typical phishing attacks only have an employee click rate of about 2.9%, according to Verizon’s 2022 Data Breach Investigations Report, targeted spear phishing emails have a successful click rate of about 70%, according to FireEye.

The Proof is in the Pudding

The success of these attacks is reflected in the high-profile organizations they have defrauded, many of which have very sophisticated cybersecurity infrastructures and strategies.

The most infamous BEC attack targeted tech giants Facebook and Google from 2013 to 2015, resulting in losses of $123 million. The primary attacker, Evaldas Rimasauskas, set up a fake Latvian-based computer company called Quanta Computer, the same name as the well-known Taiwan-based manufacturer Facebook and Google had purchased data center equipment from. The attack used fake invoices and counterfeit lawyers’ letters and contracts to convince Facebook and Google to send money to attackers’ bank accounts and convince the banks to accept the transfers.

An IT company, Ubiquiti, lost $46.7 million in August 2015, thanks to fake emails sent to its finance department from an impersonated partner.

Even as late as 2019, when BEC compromises and techniques were widely known, a European Toyota subsidiary lost $37 million in one shot from a BEC attack. Amazingly, this was the third BEC attempt at Toyota that year and it still managed to succeed. Apparently, a $37 million payment was not all that unusual for a large company like Toyota.

BEC Attack Stages

What makes BEC so successful is a combination of low-tech strategies and very patient company and employee research. BEC hackers spend anywhere from weeks to years researching their victims and planning the best time and methods for an attack, sometimes taking advantage of a major company business deal to inject a sense of urgency that the deal may not happen unless the victim cooperates.

Step one: Research

The attacker finds information about the victim through LinkedIn, other social media and/or data sources such as business email databases.

Step two: Spear phishing

The attacker spoofs an executive’s email address with a slight misspelling, such as [email protected] or [email protected] instead of [email protected], or gains control of a legitimate account through credential theft and sends emails from there. Phone calls are also sometimes part of this campaign. Over the course of hours, days, or weeks, the attacker employs pressure, persuasion, or both to convince the victim to do what they want.

Step three: Information exchange

Once the attacker convinces the victim they’re dealing with a legitimate transaction, they send the victim the illegitimate wiring or other information.

Step four: Funds transfer

The funds are sent to an account controlled by the attacker.
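The misspelled sender domains described in step two are something a mail gateway or a triage script can screen for before a message ever reaches the finance team. The following Python is an added example, not code from the article or from IRONSCALES; it assumes the organisation's legitimate mail domains are known in advance (example.com is a constructed placeholder) and goes a little beyond the simple misspellings in the text by folding common character substitutions and decoding internationalised domain names before comparing edit distance, so homoglyph variants such as examp1e.com or exarnple.com are caught as well as transposed letters and swapped top-level domains.

```python
"""Lookalike-domain check for inbound sender addresses (added example).

Assumptions (constructed for illustration, not from the article):
  - the organisation's legitimate mail domains are known in advance;
  - "example.com" stands in for the organisation's real domain.
"""
import unicodedata

# Substitutions commonly used to make one domain look like another.
# Multi-character keys come first so "rn" is folded before single letters.
# This map is a constructed, non-exhaustive list.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("|", "l")]


def normalize_domain(domain: str) -> str:
    """Lowercase, decode IDN punycode, strip diacritics, fold homoglyphs."""
    domain = domain.strip().lower().rstrip(".")
    if "xn--" in domain:  # punycode label, e.g. from an IDN homograph
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    # NFKD splits accented letters into base letter + combining mark;
    # dropping the marks turns "exámple" into "example".
    decomposed = unicodedata.normalize("NFKD", domain)
    domain = "".join(c for c in decomposed if not unicodedata.combining(c))
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted_domains) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    trusted = {t.lower() for t in trusted_domains}
    # Exact match or a subdomain of a trusted domain is the real thing.
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    norm = normalize_domain(domain)
    for t in trusted:
        t_norm = normalize_domain(t)
        # Identical after folding: a pure homoglyph swap such as examp1e.com.
        if norm == t_norm:
            return "lookalike"
        # Otherwise allow a small edit distance (typo-squat, TLD swap).
        # Short domains get a tighter threshold to limit false positives.
        threshold = 1 if len(t_norm) <= 8 else 2
        if levenshtein(norm, t_norm) <= threshold:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample senders, not addresses from the article.
    trusted = {"example.com"}
    for sender in ["ceo@example.com", "ceo@examp1e.com", "ceo@exarnple.com",
                   "ceo@example.co", "ceo@exmaple.com",
                   "billing@supplier-inc.net", "hr@mail.example.com"]:
        print(f"{sender:28} -> {classify_sender(sender, trusted)}")
```

In practice the trusted set would also include the domains of established vendors, so that a "lookalike" verdict on a supplier domain triggers the same out-of-band phone verification the article recommends for changed payment details; an "external" verdict is normal mail and should not be treated as suspicious on its own.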

Interestingly, a new variation of BEC takes advantage of the work-at-home and virtual meeting explosion resulting from the COVID-19 pandemic. Attackers request funds transfers through Zoom or other virtual meeting platforms using a photo of the CEO or other high-ranking employee and deepfake audio, or simply use a virtual meeting to acquire valuable information about the company and staff for a future attack. The attacker may also claim to be in a virtual meeting and, therefore, unable to accomplish a time-sensitive fund transfer by themselves. BECs have also been targeting alternative messaging platforms such as Slack and GroupMe.

How to Protect Yourself Against Email Attacks

Organizations can take several low-tech measures to protect themselves from these threats, including a low-tech version of multifactor authentication.

• Company policy should require any email-requested account and address changes to be followed by direct phone contact with suppliers or vendors to verify the request using the phone number on record. Never use a contact number supplied in the email itself, since it may be fabricated.
• Employees should be trained to carefully scrutinize sender email addresses for subtle misspellings.
• To prevent credential compromise, executives should employ multifactor authentication to sign in to their email accounts.
• Employees should consider carefully what they share online about their job and the organization they work for, including job duties and descriptions and corporate hierarchy information.
• Be alert to any subtle changes in vendor procedures that may indicate impersonation and any pressure by anyone in or out of the organization to act quickly on a transaction or bypass normal channels.

Finally, there are email protection solutions that use techniques such as machine learning and detection of sender and reply-to address mismatches to flag email anomalies that may indicate a BEC attempt.
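The header anomalies such products look for can be illustrated with a few lines of plain Python. The block below is an added example, not code from the article or from any vendor's product; it assumes example.com is the organisation's own domain and that a small directory of executive display names and their real addresses is available (both constructed). It parses raw message headers with the standard library and flags three indicators the article alludes to: an executive's display name on an address that is not theirs, a Reply-To that routes replies to a different domain than the visible sender, and an internal-looking From with an external Return-Path. Urgent financial wording in the subject only adds to the score when another indicator is already present, since on its own it is far too noisy.

```python
"""Header-anomaly check for BEC indicators (added example).

Assumptions (constructed for illustration, not from the article):
  - "example.com" is the organisation's own domain;
  - EXECUTIVES maps display names to the only address they legitimately use.
"""
import email
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}
# Display name (lowercased) -> the one address that name may legitimately use.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY_TERMS = ("urgent", "wire", "confidential", "immediately")


def _domain(addr: str) -> str:
    """Domain part of an address, lowercased; empty string if no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw: str) -> list:
    """Return the list of indicator names found in the message headers."""
    msg = email.message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. A known executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("executive-display-name-impersonation")

    # 2. Reply-To points at a different domain than the visible sender, so
    #    the victim's replies leave the conversation they think they are in.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-domain-mismatch")

    # 3. From claims an internal domain but the envelope sender is external.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_domain = _domain(return_path)
    if (from_domain in INTERNAL_DOMAINS and rp_domain
            and rp_domain not in INTERNAL_DOMAINS):
        findings.append("internal-from-external-return-path")

    # 4. Urgent financial language only counts alongside another anomaly.
    subject = msg.get("Subject", "").lower()
    if findings and any(term in subject for term in URGENCY_TERMS):
        findings.append("urgent-financial-language")

    return findings


# Constructed sample messages, not mail from the article.
SUSPICIOUS = """\
Return-Path: <bounce@mail-relay.example.net>
From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: Jane Doe <accounts@mail-relay.example.net>
To: finance@example.com
Subject: Urgent wire transfer - confidential

Please process the attached invoice before close of business today.
"""

SPOOFED_INTERNAL = """\
Return-Path: <x@mailer.example.org>
From: CFO Office <cfo@example.com>
To: payments@example.com
Subject: Vendor bank details update

Our supplier has moved banks; new details attached.
"""

BENIGN = """\
Return-Path: <jane.doe@example.com>
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget review

See you at Monday's meeting.
"""

if __name__ == "__main__":
    for label, sample in [("suspicious", SUSPICIOUS),
                          ("spoofed-internal", SPOOFED_INTERNAL),
                          ("benign", BENIGN)]:
        print(f"{label:18} -> {analyze_message(sample)}")
```

None of these indicators is proof of fraud by itself; legitimate mailing lists and ticketing systems set Reply-To and Return-Path to other domains all the time. The value is in routing messages that trip the display-name or mismatch checks to a human review step, which is exactly the out-of-band verification the policy bullets above call for.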

BEC is so successful that it will likely be around for a long time. Make sure your organization and its employees are educated and ready to take the measures necessary to prevent the huge business losses successful BEC attacks can create.

Eyal Benishti

As Chief Executive Officer at IRONSCALES, Eyal Benishti pioneered the development of the world’s first self-learning anti-phishing email security solution that combines human intelligence and machine learning technologies for automatic prevention, detection and autonomous incident response to cyber-attacks in real time. Under Eyal’s leadership, IRONSCALES has filed four patents for anti-phishing and email security solutions and secured three funding rounds from K1 and Israel’s RDSeed totaling more than $20 million. IRONSCALES has received numerous awards, including Frost & Sullivan’s AI-Powered Email Security Innovation Award and Best Enterprise Email Security Solution by the Cybersecurity Breakthrough Awards.