Business Email Compromise Threats Soar Past Phishing Risks

The risk of business email compromise (BEC) is increasing annually and is estimated to be twice as severe as the overall threat of phishing, according to an Osterman Research/IronScales survey of 249 U.S.-based IT and security professionals.

In the past 12 months, more than 93% of organizations encountered one or multiple forms of BEC attacks, while 62% were targeted by three or more variants during that time period.

The survey revealed that among the most prevalent forms of BEC attacks are fraudulent invoicing, data theft and account takeover (ATO).

Within the last year, around 20% of organizations fell victim to one or more of these BEC attack types, while 66% encountered three or more variations. Data theft attacks were the most frequent type of BEC attack.

The Growing Business Email Compromise Threat

Patrick Harr, CEO at SlashNext, explained there are a few factors that are contributing to the growing BEC threat.

“There have been a number of very large data breaches that have resulted in stolen credentials and compromised accounts, and some of these compromised accounts are small vendors and organizations that might not know they’ve been breached,” he said.

Now, cybercriminals can use these legitimate accounts or domains to launch attacks that will bypass most phishing detection.

He added that BEC attacks have become very sophisticated; victims are distracted, moving fast and can’t always tell if an email is malicious.

“Combine these factors with automation and AI; now these BEC attacks can be customized in volume and adapt with incredible speed,” Harr said.

Cybercriminals build elaborate fake personas, including fake blogs, email accounts and multiple fake profiles on social media, to trick their victims. Once they identify a target, they add the potential victim’s friends and colleagues and share, like and comment on content to create the illusion of being a real person and to build trust and rapport.

Harr pointed out that this activity and the mutual connections make the victim more likely to accept a social media connection request, SMS or direct message request.

Mika Aalto, co-founder and CEO at Hoxhunt, said IT security professionals must break down the silos separating employees, security teams and technology to enhance their protect-detect-respond capabilities.

“Start with your people—because that’s literally what the attackers are doing—and put them in the center of the stack,” he said.

He explained that employees are the eyes and ears of your organization, and integrating human threat detection into the security system will increase visibility into your threat feed and accelerate response to BEC attacks.

“Technology plays a critical role in securing an organization’s infrastructure, but employees and security teams must have the capabilities in place to improve security behavior and augment threat detection and response with human intelligence,” he added.

Feels Like Phishing

Jim Kelly, RVP of endpoint security at Tanium, pointed out that BEC is, essentially, just a different type of phishing with very similar anatomy.

“What makes it different is the reliance on human error,” he said. “From being duped by social engineering to a lack of attention during work or a gap in security awareness, mistakes and distractions are at the heart of BEC attacks.”

He explained the goal of criminals is to make communication seem official in hopes it will be easily overlooked among legitimate correspondence.

From Kelly’s perspective, diligence and awareness are key to thwarting BEC.

“A regular cadence of security training, complete with various exercises to keep employees sharp when it comes to spotting fraudulent messages, is a must,” he said. “It is also important to ensure that systems are regularly updated and patched to keep IT and security systems functioning properly in an attempt to mitigate malicious files from the outset.”

Aalto noted the lines between home, office and social life have irreversibly blurred with the rise of remote work and social media.

“After identifying a target, social engineers can deploy a BEC campaign through a number of channels, be it a simple SMS or a more complex social media connection,” he said. “Be it a LinkedIn invitation or a swipe-right on a dating site, social media connections can lower skepticism and raise trust.”

Attackers might also time a targeted SMS message to an executive’s schedule so that it is relevant to, and coincides with, an event they are attending. These tactics are effective because they are often perceived as more personal and legitimate than traditional email-based attacks.

“It is important for organizations to train employees to be wary of any unsolicited requests, regardless of the communication method,” Aalto said.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
