The increasing prevalence of Business Email Compromise (BEC) attacks is costing businesses around the world billions. As these scams increase in sophistication, it’s more important than ever to have controls in place to safeguard against them.
Identifying, preventing and responding to BEC attacks should be a key consideration for all organisations, but doing so is easier said than done. Effective BEC risk management requires a layered approach encompassing robust perimeter controls, employee training, regular assessments and proactive network and endpoint monitoring.
What is Business Email Compromise?
A Business Email Compromise, sometimes referred to as a man-in-the-email attack, is a distinct form of phishing attack designed to trick individuals into diverting payments to an incorrect bank account.
The premise might sound simple, but these scams can take a variety of forms, often utilising sophisticated social engineering tactics to impersonate trusted contacts and manipulate employees, customers, contractors or partners.
Unlike traditional phishing scams, which are typically sent en masse, Business Email Compromise attacks are highly targeted, with attackers conducting extensive reconnaissance to make fake email requests appear as authentic as possible. This could involve monitoring company news or investigating supply chains and technology usage.
When instigating an attack, BEC scammers will seek to build victims’ trust by sending a sequence of emails, and will often use language that illicits an urgent response, encouraging behaviour that ignores normal protocols.
Types of BEC attack
Business Email Compromise scams can take multiple forms, and attackers are constantly thinking up new ways to conduct them, but five of the most common types of BEC attack are listed below:
One of the most prevalent BEC scams, where attackers pose as a senior executive, often a CEO or CFO, and send email communications to finance teams requesting an urgent wire transfer to an account they control.
Targeting organisations through the supply chain, attackers send emails purporting to be from a specific supplier requesting an update to payment details.
Similar to bogus invoicing, but specifically targeting salary payments. HR employees are targeted and encouraged to update banking details, resulting in BACs payments being fraudulently transferred elsewhere.
Often targeting employees at the end of working hours, attackers impersonate attorneys or other legal representatives and feign the confidential nature of their activities to pressure employees into making quick wire transfers.
An employee’s email account is hacked and used to make payment requests to vendors found in their contact base. These attacks can often remain undetected for a long period, resulting in multiple fraudulent payments.
BEC in the news
According to recent data from IC3, the FBI’s internet crime division, BEC attacks are now the costliest form of cybercrime. Losses from BEC scams have amounted to over $26 billion over the last four years, and between May 2018 and July 2019, they almost doubled.
Over recent years, several high profile BEC attacks have hit the headlines and catapulted the issue into national consciousness. One of the earliest major breaches took place in 2014, when electronic money transfer company Xoom experienced a 17% overnight drop in its share price after members of its finance department were duped into authorising almost £24 million in fraudulent payments.
In a similar 2015 attack, technology manufacturer Ubiquiti fell victim to an executive fraud scam, where over £35 million was transferred to fraudulent accounts. Despite extensive work to trace these funds, around £25 million was deemed unrecoverable.
Two of the most notorious BEC scams in history occurred in 2016. A £47 million CEO fraud scam hit Austrian aerospace manufacturer FACC, spawning a landmark legal case where the company sued its former CEO and CFO for failing to set up internal controls to prevent it. Another executive fraud attack on Crelan Bank in Belgium holds the record for a single business BEC attack – standing at just over £60 million.
No business is immune to BEC attacks, and cybercriminals are increasingly turning their attentions towards more than just large enterprises. In 2018, for example, Italian football club Lazio lost almost £2 million after an employee was duped into wiring a player’s transfer fee into a fraudulent account.
Defending against BEC attacks
The one characteristic that all BEC attacks have in common is that they prey on human error. People are almost always a weak link in the security chain, and BEC scams are specifically crafted to take advantage of this.
Very few BEC attacks distribute malware or contain malicious links and for this reason, they often easily evade traditional security solutions. Email filtering, validation and multi-factor authentication are all essential, but these measures alone are insufficient.
Security awareness training
A vital step organisations should take to reduce their risk of falling victim to BEC scams is to ensure all employees complete a programme of security awareness training. Employees need to understand the tactics commonly used by cybercriminals, the tell-tale signs of scams, and the risks associated with receiving and processing financial data.
Employees can avoid falling victim to BEC attacks by following a range of straightforward steps, including the following:
- Avoid oversharing information on social media platforms
- Check email domains against those from trusted contacts
- Look for font, logo and colour inconsistencies and spelling mistakes
- Establish robust authorisation processes including verbal consent
- Exercise caution when viewing condensed email views on mobile devices
- Learn customer and vendor habits and question any deviations
- View any unexpected emails requesting a money transfer with suspicion
- Use phone verification when updating any payment details
- Promptly share BEC samples with the National Crime Agency
Regular security testing
Adequate preparation is a vital part of any form of risk mitigation and this is no different with regards to phishing. Regular penetration testing should form a part of all organisations’ security strategy, but specialist phishing and social engineering assessments can also be performed to help gauge how well-prepared organisations are to prevent and respond to phishing attacks.
Phishing emails that are crafted using the same tactics as genuine cybercriminals are sent to a targeted set of employees. Those that fall for them are provided prompt feedback on what they did wrong, how they could have spotted it and what action to take in future should they be subjected to a genuine attack.
Proactive network and endpoint monitoring
With so many threats targeting businesses from email and other attack vectors, continuous network and endpoint monitoring is essential to ensure that breaches are identified and remediated before they cause financial and reputational damage.
A robust monitoring capability that tracks file modifications, account activity and other network behaviours across cloud, on-premise and hybrid environments can allow breaches to be identified in their infancy. With extensive network and endpoint visibility, fraudulently diverted funds can be tracked down, reported and recovered before it is too late.
An incident response capability can also help to facilitate root cause and kill chain analysis to identify how an attack occurred and propagated, as well as ascertaining its scope. Redscan recently conducted a similar incident response investigation for a company in the M&A insurance sector.
We utilise our deep understanding of offensive security to proactively identify, respond to and remediate threats. By working closely with our customers, we craft custom solutions to best meet their requirements and make tangible, lasting improvements to their security posture.