Business email compromise (BEC) attacks have not engendered the same level of notoriety as ransomware attacks but rank in combination as one of the most financially devastating and common types of cybercrimes against organizations. Many organizations are ill-prepared to address the threat of BEC and lack sufficient protections across people, process, and technology factors.
BEC attacks are a specific type of phishing attack. They rely on targeting (i.e., going after a specific person or role type in an organization) and normally seek monetary payment as a direct outcome. Types of BEC attacks include diverting payment on a valid invoice to a fraudulent bank account, submitting a fake invoice for payment, diverting employee payroll to a fraudulent bank account, and using impersonation of senior executives to lend credibility to plausible but irregular requests (i.e., paying a large sum to a new bank account to secure a merger or acquisition target). BEC also includes gift card fraud and romance scams. BEC types of attack have also been called man-in-the-email attacks, email account compromise (EAC), and wire fraud. Employees at all levels of an organization are targeted by BEC attacks.
BEC attacks differ from many other forms of cyberthreats, relying almost entirely on social engineering to trigger human susceptibility to plausible requests. Social engineering tricks include establishing rapport (pretexting), promising personal benefit, and invoking urgency. BEC attacks do not generally carry malware, include weaponized links, or seek to compromise email account credentials. By definition, BEC attacks rely on the compromise of business email—a normal and highly used channel for business communication—by inserting fraudulent email messages into a stream of regular ones.
Examples of different types of BEC attacks include:
• An impersonated email account
A threat actor finds out the name of the CFO at your organization from LinkedIn and registers a personal email account in their name with Google or Microsoft. Email messages can then be sent to your accounts department from your.CFOs.email@example.com, beginning with a plausible explanation, such as “I’m travelling and don’t have access to my corporate email, but could you please wire an urgent payment to XYZ Corp who we are trying to buy.”
• An impersonated domain
A threat actor registers a domain name that looks like the domain name of the targeted company or one of their trusted vendors. While the text of the domain is clearly different, many people miss the subtle differences in lookalike domains—microsoft.com versus microsofl.com or amazon.com vs amazom.com. Lookalike domain name variants are hard to spot with only a cursory glance and it is unsurprising that people regularly miss the differences.
• A compromised email account (the EAC variant of BEC attacks)
A senior executive at a vendor company is the victim of a phishing attack that results in the compromise of his or her email account credentials. Until the credential compromise is detected, the threat actor can send email messages impersonating the senior executive—such as new messages requesting payment to a different bank account or re-submitting invoices already sent with new payment details. For organizations using Microsoft 365 or Google Workspace for email, the compromise of account credentials also gives access to the user’s documents in OneDrive/SharePoint or Google Drive, which can include invoices or invoice templates that can be altered before sending.
A study shows 67% of Indian IT teams associate phishing with emails that falsely claim to be from a legitimate organization and are usually combined with a threat or request for information. Around 61% consider Business Email Compromise (BEC) attacks to be phishing, and half of the respondents (50%) think threadjacking—when attackers insert themselves into a legitimate email thread as part of an attack—is phishing.
On the positive side, most organizations in India (98%) have implemented many cybersecurity awareness programs to combat phishing using computer-based training programmes, human-led training programmes and phishing simulations as tools.
Outlook towards BEC
Being able to merely ask for funds has proven to be a financially lucrative strategy for cybercriminals to earn a fast payback for their malicious deeds. Social engineering requests for funds bypass the need to develop malware, keyloggers, ransomware, and other examples in the cyberthreat arsenal. A look at how BEC is expected to change over the next few years:
- Low readiness across many dimensions- Organizations lack strong confidence in their ability to safeguard funds after a BEC attack or to achieve discovery and recovery outcomes. Traditional technology solutions that are currently deployed are viewed as ineffective in stopping BEC attacks from getting through to the key people and groups targeted by many BEC attacks.
- Reliance on ineffective tools that cannot address BEC attacks- Many organizations claim that several cybersecurity solutions and approaches are highly effective against BEC attacks and yet indicate low confidence in the ability of their currently deployed traditional solutions to protect against BEC attacks. There appears to be a misplaced reliance on more general cybersecurity solutions that by design are not intended to protect against BEC threats, such as anti-malware tools and secure email gateways that analyze links and attachments for evidence of malicious code.
- Low confidence in enlisting help from law enforcement- Only half of the organizations have high confidence in their ability to enlist help from law enforcement agencies after succumbing to a BEC attack (whether this is an accurate assessment or misplaced confidence is questionable). If law enforcement agencies are unwilling to help with lower-value BEC attacks— which will often be the case given insufficient staffing for the volume of incidents—then organizations are left to their own devices to fend off attackers leveraging BEC attacks for quick financial gain.
- Low confidence to receive insurance coverage for BEC losses-Most organizations are not confident in their ability to secure insurance coverage for losses due to a BEC incident. In the wider context, insurance coverage is increasingly difficult to secure, especially due to the growing incidence of costly ransomware attacks.
Best Practices Against BEC Attacks
- Prioritizing protection against BEC attacks : Organizations firstly need to priorities and implement solutions to protect BEC attacks
- Strengthening effective protections : Many of the traditional technology protections and financial process designs organizations use against BEC threats fail to inspire confidence in their ability to identify and prevent BEC threats from becoming costly incidents. Organizations need to strengthen protections that are currently ineffective
- Increased employee preparedness : Individuals in a small range of job roles are likely to be targeted by a disproportionate share of BEC attacks because they are high-value targets for a threat actor. This includes employees who have authorization to change bank account details for vendors, and employees or managers who can approve invoices for payment. Accounts and identities belonging to senior executives are also of high value for initiating attacks with higher-value compromise. On the other hand, smaller BEC attacks can be initiated against any manager or employee with a corporate credit card, e.g., the gift card BEC scam where an employee is asked to buy gift cards on behalf of a manager and send the gift card numbers by email. Not providing targeted training on BEC threats increases the likelihood of BEC attacks being successful, and in some cases, the lack of training has shifted the balance of blame from the employee to the employer
- Building a culture of support on confirming requests with executives : It is important that the corporate culture of an organization does not magnify the problem of BEC. For example, if senior management discourages any sort of pushback on their orders, a CFO or HR clerk might be less likely to question a request for a wire transfer or provision of confidential records received in a BEC attempt purporting to come from the CEO. Building the cultural support for assessing the validity of messages that could be valid or a BEC attack includes designing strong financial to safeguard funds, reduce fraud and thus establish normal operating parameters for an organization.
- Robust organizational processes to combat invoice frauds:Organizations today are taking several actions to harden processes for activities such as changing bank account details for invoices due, internal multi-person review for any changes, disallowing the use of email for changing bank account details and approval via phone call or SMS to a pre-agreed number for the other party.
- Harden organizational processes for Employee Payroll: Organizations have also hardened processes for changing bank account details for employees. Approval of a change by phone call or SMS to a pre-agreed number for the other party is becoming the most commonly used approach when dealing with vendors. Organizations today are talking mixed actions to harden employee payroll processes.
BEC is a costly cyberthreat for organizations around the world, and many are ill prepared with their current people, process, and technology posture to fend off attacks. Many organizations appear to be relying on technology that was not designed to identify and protect against BEC attacks, have people who lack training to recognize and counteract BEC threats, and use weak processes that enable BEC threats to become incidents. Except for BEC incidents at the more costly end of the spectrum, confidence in securing help from law enforcement is low, and gaining insurance coverage for losses is equally problematic. Organizations need to take urgent action to strengthen current processes targeted by BEC, deploy new technology that specifically identifies and neutralizes BEC attacks, and elevate preparedness of executives, managers, and employees to stop BEC in its tracks.
The article has been authored by Debasish Mukherjee: Vice President, Regional Sales APAC at SonicWall Inc.