Are Organisations Underestimating the Threat of Business Email Compromise?
June 2023 by John Wilson, Senior Fellow, Threat Research, Fortra
Ransomware is often positioned as the most immediate cyber security threat to businesses, but organisations shouldn’t underestimate the challenges that business email compromise (BEC) attacks present.
The numbers bear this out. Microsoft reported detecting 35 million BEC attempts in the past year, and no tactic was more popular than email impersonation, which accounted for over 97% of attacks reported in Q4 2022. More recently, Fortra released its own BEC report, which found that so far in 2023 the volume of malicious emails impersonating enterprises has reached a new high: email impersonation threats such as business email compromise (BEC) make up nearly 99% of inbox threats reported by end users. Credential theft attacks are also on the rise again, showing that attackers remain in search of sensitive information such as usernames, passwords, and credit card numbers, any of which can harm the bottom line and brand reputation.
It’s no secret that cyber-attacks can happen to any business, and we should all be suspicious of messages from unfamiliar senders appearing in our email inboxes. But surely, we can feel confident in email communications and requests from our organisation’s executives and fellow coworkers, right?
The short answer: not always.
The reason is the rise in BEC campaigns. This type of targeted phishing or whaling (executive-level) attack tricks email recipients into believing someone they know and trust is asking them to carry out a specific financial task. Here are a few examples of how these insidious campaigns use the power of human relationships to defraud businesses via email:
Example 1: A CFO receives an urgent email request from the CEO asking them to pay a supplier invoice immediately. Having carried out such tasks previously, without hesitation the CFO arranges a wire transfer using the account information provided on the invoice. In actuality, the request comes from a BEC fraud ring, and the payment details direct the funds to an account controlled by the attackers. This is also referred to as payment diversion fraud.
Example 2: An HR benefits manager receives an email from the department VP asking them to purchase gift cards for a new employee rewards program. The email specifies that the HR manager should include the codes associated with each card, which the scammer, behind the scenes, then sells online for cash or cryptocurrency.
Example 3: An accounts receivable rep receives an email from a C-suite executive asking for the company’s most recent aging report. The rep complies, and the attacker now holds a list of customers who owe the company money, including how much each owes, when payment is due, and on what terms. The attacker also has the rep’s email signature and can easily register a look-alike domain, then contacts each customer on the report explaining that all future payments should be sent to a new bank account.
Criminals are Optimising Tactics to Increase Success
While the fundamentals of BEC attacks have largely remained the same, campaigns are becoming harder to spot because the perpetrators continue to do their homework.
Many attackers have shifted to leverage social engineering tactics and information gleaned from websites and social media profiles to determine employees’ working relationships and connections. They can also include personal details in messages, so the recipient doesn’t think twice about the message or request.
With the rapid development of artificial intelligence over recent years, and especially the emergence of generative AI such as ChatGPT, criminals have begun using these tools to produce more convincing and more successful emails. They revamp old campaigns to make them appear more legitimate, from the formatting to the language to the type of request being made, and the spelling and grammar mistakes that once gave a scam away are increasingly absent.
Fraudsters prey on the target using a killer combination of trust, authority, and urgency. Businesses large and small can be the target of a BEC campaign because at the end of the day, most of us are trusting souls ready to help others. We would never expect someone we know and work with to scam us, much less defraud our organisation.
BEC Attack Prevention
As with any type of cyber-attack, prevention is the best strategy. Employee awareness training is an important first step, and should include simulations so employees learn to spot phishing or whaling attempts before blindly completing requests or clicking on links.
DMARC email authentication, built on SPF and DKIM, lets receiving mail systems reject messages that forge your own domain in the From header. It is worth being precise about what it does not do: DMARC cannot stop a message sent from a look-alike domain the attacker registered and configured correctly, nor one sent from a genuine account that has been compromised, so it is one layer rather than proof that a sender is legitimate. Two-factor or multi-factor authentication reduces the risk of an email account being taken over in the first place. Likewise, as these scams typically end in a transfer of funds or a change of payment details, tighter accounting controls are crucial: confirm any new bank account or urgent payment request through a known phone number or another channel, never by replying to the email that made the request. Identity-based phishing defenses that can recognise BEC in its varied forms complete the picture.
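To make the DMARC point concrete, here is an added example (it is not code from the article or from Fortra) of the two checks an inbound mail filter layers on top of authentication: DMARC-style alignment of the From domain against the domain that actually passed SPF or DKIM, and a look-alike check against the organisation's own domains. The messages, the trusted domain list and the Authentication-Results lines are constructed for illustration, and the "last two labels" rule for organisational domains is a simplification of what real DMARC implementations do with the Public Suffix List.

```python
"""Two checks that complement DMARC against the BEC patterns above.

1. Alignment: did SPF or DKIM pass for a domain that matches the From domain?
   A forged example-corp.com From header sent through an unrelated mailer fails.
2. Look-alike: is the From domain a near-miss of a domain we trust?
   A correctly configured exarnple-corp.com passes DMARC but is still a scam.
Everything below (domains, headers, messages) is constructed sample data.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com"}  # assumed: the organisation's own domains

# Simple character-confusable substitutions seen in look-alike registrations
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def org_domain(domain):
    """Approximate relaxed DMARC alignment by keeping the last two labels.
    Real implementations consult the Public Suffix List; this is a simplification."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header):
    """Minimal extraction of SPF/DKIM verdicts and their domains from an
    Authentication-Results header (RFC 8601); each clause ends at a ';'."""
    text = " ".join(header.split())
    spf = re.search(r"spf=(\w+)(?:[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+))?", text)
    dkim = re.search(r"dkim=(\w+)(?:[^;]*?header\.d=([^\s;]+))?", text)
    return {
        "spf": (spf.group(1), spf.group(2)) if spf else ("none", None),
        "dkim": (dkim.group(1), dkim.group(2)) if dkim else ("none", None),
    }


def dmarc_alignment(msg):
    """DMARC passes when SPF or DKIM passed for a domain aligned with the
    RFC 5322 From domain. Returns (aligned, from_domain)."""
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    aligned = any(
        verdict == "pass" and domain and org_domain(domain) == org_domain(from_domain)
        for verdict, domain in results.values()
    )
    return aligned, from_domain


def normalize(domain):
    """Fold common confusable sequences so exarnple == example."""
    d = domain.lower()
    for a, b in CONFUSABLES:
        d = d.replace(a, b)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if (normalize(domain) == normalize(trusted)
                or edit_distance(domain, trusted) <= 1
                or domain.startswith(trusted + ".")):  # trusted name used as a subdomain
            return trusted
    return None


def triage(raw_message):
    """Return the list of BEC indicators found for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    aligned, from_domain = dmarc_alignment(msg)
    verdicts = []
    if from_domain in TRUSTED_DOMAINS and not aligned:
        verdicts.append("spoofed-own-domain")  # what a DMARC reject policy would block
    imitated = lookalike_of(from_domain)
    if imitated:
        verdicts.append(f"lookalike-of:{imitated}")
    return verdicts


# Constructed samples. Authentication-Results is what the receiving MTA adds.
MSG_SPOOF = """From: "CEO" <ceo@example-corp.com>
To: cfo@example-corp.com
Authentication-Results: mx.example-corp.com;
 spf=pass smtp.mailfrom=bounce@bulk-mailer.example;
 dkim=none;
 dmarc=fail header.from=example-corp.com
Subject: Urgent supplier invoice

Please wire the attached invoice today.
"""

MSG_LOOKALIKE = """From: "CEO" <ceo@exarnple-corp.com>
To: hr@example-corp.com
Authentication-Results: mx.example-corp.com;
 spf=pass smtp.mailfrom=ceo@exarnple-corp.com;
 dkim=pass header.d=exarnple-corp.com;
 dmarc=pass header.from=exarnple-corp.com
Subject: Gift cards for the rewards program

Buy 20 gift cards and reply with the codes.
"""

MSG_LEGIT = """From: "CEO" <ceo@example-corp.com>
To: ar@example-corp.com
Authentication-Results: mx.example-corp.com;
 spf=pass smtp.mailfrom=ceo@example-corp.com;
 dkim=pass header.d=example-corp.com;
 dmarc=pass header.from=example-corp.com
Subject: Board pack

Draft attached for review.
"""

if __name__ == "__main__":
    for name, raw in [("spoof", MSG_SPOOF), ("lookalike", MSG_LOOKALIKE), ("legit", MSG_LEGIT)]:
        print(name, triage(raw))
```

The look-alike message is the instructive one: it passes DMARC because the attacker controls that domain and configured SPF and DKIM for it, which is exactly why the article's point that DMARC alone is not proof of legitimacy matters. Neither check fires on mail from a genuinely compromised account, which is where the out-of-band payment verification described above does the work.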