Business Email Compromise has long been a part of our online presence. Phishing email scams such as spear-phishing or whaling are present in our lives, posing different threats through various strategies.
While many exist merely to siphon information, most email scams also serve as the delivery vehicle for malware and ransomware campaigns. The motive remains the same: to steal information and gain a monetary advantage, whatever the process.
Many organizations have sought protection through cybersecurity professionals and security tools such as anti-malware or anti-phishing products. However, the problem keeps growing as criminals work to modernize and upgrade existing cyber threats.
What is Business Email Compromise?
A Business Email Compromise is also known as the man-in-the-email scam. A threat actor carries out this attack motivated by monetary gain and information theft. The stolen information is then often sold on the Dark Web or used in future attacks.
BEC exploits corporate email and then uses social engineering tactics to defraud the company by tricking its partners, employees, and clients into sending information or money to the attacker’s account.
There is no fixed rule about whom the threat actor impersonates or targets. However, people in positions of power, such as CEOs, CTOs, legal or accounts payable professionals, are the most frequent targets, because compromising a senior member of the company gives access to a large pool of prey.
Since BEC attacks use social engineering tactics, detecting and preventing them is relatively complex, leading to a significant rise in their occurrence. Within 2020 alone, BEC attacks caused a loss of nearly $1.86 billion, an increase from the previous $1.29 billion loss in 2018.
How does Business Email Compromise work?
Since the threat actor launches Business Email Compromise attacks purely through social engineering, no sophisticated tools are required. Depending on the target and the level of motivation, the attacker plans the attack accordingly, which is why it takes various forms, such as:
- Exploiting trusted relationships with vendors, partners, or employees.
- Replicating the usual corporate workflow, for example sending emails that impersonate a commonly used application and ask users for access or additional payments.
- Using social engineering tactics that convey urgency, authority, or familiarity to induce a quick response.
While these are some of the known tactics of carrying out a BEC attack, the typical structure of executing this attack involves the following steps:
Step 1: Identifying and thoroughly researching the target
Since BEC focuses on stealing information and money, it targets employees or executives who have access to sensitive information or are responsible for making payments on behalf of the organization. The threat actor then runs reconnaissance on the specific target through various sources such as the deep web, social media platforms, and other websites. Along with gathering information on the target, they also collect information on the organization.
Step 2: Setting up the attack
Once the information gathering is complete, the attackers proceed with the attack. Unlike a typical phishing attack, BEC attacks happen with a more targeted approach. The chances of failure remain minimal since the attacker launches the attack by spoofing email addresses, creating similar domain names, impersonating trusted vendors, or even taking over the legitimate email account of the target altogether.
Step 3: Executing the attack
The attacker executes the attack using persuasion, urgency, or authority to gain the victim’s trust. The process can either occur entirely within one email or continue through an entire thread. The threat actor remains careful of the details and provides seemingly legitimate reasons for wire transfers to fraudulent accounts or access to sensitive information.
Step 4: Dispersal
Once the threat actor manages to carry out the attack successfully, they work to hide their tracks. This often involves moving the stolen data into secure, encrypted vaults. If the proceeds are money, the threat actor might disperse them across several accounts to avoid traceability and reduce the chances of recovery.
What are the main types of BEC attacks?
Although Business Email Compromise attacks resemble man-in-the-middle attacks, BEC is essentially a form of phishing that relies on social engineering tactics. To be more precise, BEC attacks are a form of whaling or spear-phishing, depending on the target and the reconnaissance phase.
While classifying it as a spear-phishing or a whaling attack is a generalization, BEC has four specific shapes, as defined by the FBI:
Impersonating the CEO
The attacker exploits the organizational hierarchy and often carries out the attack impersonating the CEO. The email would target another managerial position or some partner, requesting information or wire transfers to specific accounts.
Impersonating an attorney
Requests from a legal representative or a lawyer are often hard to validate, and since such legal representatives are often trustees, there is little hesitation in adhering to their requests. An attacker exploits this relationship between the organization and its legal representative bodies or lawyers to steal time-sensitive information.
False invoice scams
This attack uses the organization’s relationship with a trusted vendor. The attacker masquerades as a vendor or a supplier and uses a seemingly legitimate invoice or template with different bank account details to steal money. The changed bank account details closely resemble those of the supplier or vendor to avoid suspicion.
Account compromise
By hacking into the account of an unsuspecting employee, the attackers can use this access to change invoice details sent to customers and have money transferred into fake accounts managed by the attacker.
How to protect against BEC?
BEC attacks can be costly and damaging to the organization’s reputation and integrity. While they are undoubtedly hard to mitigate, a few safety measures and precautions against BEC attacks can significantly improve an organization’s security posture. Organizations can ensure security using some of the following methods:
Anti-phishing solutions
Since BEC is a phishing attack, anti-phishing protection tools or solutions are well suited to mitigating it. Through machine learning and analysis, these tools look for suspicious emails and the telltale signs of a phishing attack. Within an email, they look for all the possible red flags, such as reply-to addresses that don’t match the sender, or language and signs of authority and urgency within the email that might indicate an attack.
Multi-factor authentication
Since BEC attacks often rely on compromised accounts, secure account protection is essential. Integrating multi-factor authentication is a straightforward solution to eradicate compromised accounts. The multi-tier authentication system, relying on personalized authentication methods such as biometrics or OTPs, helps validate an account access request. If a password is compromised, the second or third authentication layer can still ensure protection.
Employee awareness training
Like every social engineering attack, BEC attacks use urgency and authority within emails to push employees into high-risk actions such as sending significant sums of money without verification. A solution is to educate employees on social engineering tactics and run phishing simulations so that they can better identify and respond to such attempts.
Labeling external emails
BEC attacks impersonate an employee or partner of the organization. These attacks mimic internal email addresses through techniques like domain spoofing or by using look-alike domains. A simple solution is to configure the email system to label emails from outside accounts as "external." With this, the target won’t fall victim to the social engineering tactic even with domain spoofing.
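The two controls above, the anti-phishing red-flag checks (reply-to mismatch, look-alike domain, urgency language) and the external-mail label, as one added Python example that is not code from the original article or from Right-Hand. The internal domain example.com, the trusted vendor acme-supplies.com and the sample message are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions, constructed for this example: the organization owns example.com and
# its accounts-payable team regularly pays the vendor acme-supplies.com.
INTERNAL_DOMAINS = {"example.com"}
TRUSTED_DOMAINS = INTERNAL_DOMAINS | {"acme-supplies.com"}
URGENCY_TERMS = ("urgent", "immediately", "asap", "wire transfer", "confidential")
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))

def domain_of(addr):
    """Lower-cased domain of an RFC 5322 address such as 'CEO <ceo@x.com>'."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def lookalike_of(domain):
    """Trusted domain this one imitates after folding confusable glyphs, else None."""
    folded = domain
    for bad, good in CONFUSABLES:
        folded = folded.replace(bad, good)
    return folded if folded != domain and folded in TRUSTED_DOMAINS else None

def analyse(raw):
    """Tag external mail and collect the red flags described in the text."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"]) if msg["Reply-To"] else sender
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    flags = []
    if reply_to != sender:                       # reply-to does not match sender
        flags.append(f"reply-to domain {reply_to} differs from sender {sender}")
    target = lookalike_of(sender)                # look-alike of a trusted domain
    if target:
        flags.append(f"sender domain {sender} imitates {target}")
    hits = [term for term in URGENCY_TERMS if term in body]
    if hits:                                     # urgency / authority language
        flags.append("pressure language: " + ", ".join(hits))
    external = sender not in INTERNAL_DOMAINS    # the "[EXTERNAL]" label
    subject = ("[EXTERNAL] " if external else "") + (msg["Subject"] or "")
    return {"external": external, "subject": str(subject), "flags": flags}

# Constructed sample: a look-alike of the CEO's domain with a mismatched Reply-To.
SAMPLE = """From: CEO <ceo@exarnple.com>
Reply-To: ceo.office@mail-relay.test
To: ap@example.com
Subject: Wire transfer needed

Please process this wire transfer immediately and keep it confidential.
"""
```

Calling `analyse(SAMPLE)` labels the message external and reports all three red flags; a mail gateway would typically quarantine or banner such a message rather than merely tag it.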
Cybercriminals are constantly looking for innovative ways to launch cyber attacks. Business Email Compromise is becoming a common occurrence that simply exploits an individual’s lack of knowledge and awareness.
Right-Hand identifies this as a significant issue and presents a set of solutions covering phishing detection, identification, and response. Organizations can then provide more than technological barriers, which, however effective, still let some attacks slip through the cracks.