Despite a history stretching back some 25 years, Business Email Compromise (BEC) remains one of the most widely used and successful forms of phishing, so successful that the methodology is used by cybercriminals and intelligence operators alike.
It is consistently identified as one of the most financially damaging online crimes, and a single successful attack can still cost a company hundreds of thousands of dollars.
A recent Anti-Phishing Working Group (APWG) report found that the average loss from a wire transfer BEC attack was $80,183 in the second quarter of 2020, a 32% increase over the first quarter of 2020.
Cybersecurity professionals are familiar with what BEC attacks aim to achieve: financial leverage and monetary gain, and often reputational damage as well. There is a much broader phishing lexicon that can make this category of attack confusing and hard to classify, but for this discussion I will stick with the primary definition.
To quote Sun Tzu … “If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Company Financials – A common attack methodology
BEC attacks begin with a phishing email meant to entice the recipient to carry out a task under the guise of legitimate business activity. What makes them so effective is that the email typically appears to come from a trusted sender, such as an authority figure.
Typically, the criminal asks for some form of payment, or for credentials that give access to employee personally identifiable information or sensitive company data such as wage and tax forms, Social Security numbers, and bank account details.
There are two general buckets that BEC attacks fall under:
Social engineering attacks
These may be employee availability checks, requests for unspecified tasks, gift card requests, and solicitations for direct deposits, payments, and bank details.
These emails contain no malicious links or attachments, so they slip past traditional secure email gateway protections, which are built to block links and attachments rather than to judge a message by its text alone.
The three most common types of BEC attack:
C-Level Targets
There is often crossover here with social engineering attacks, which use psychological manipulation to trick people into divulging confidential information or granting access to funds.
C-level-focused phishing emails are social engineering, but they can also be spear-phishing attacks (for example, the attacker spoofs the CEO and asks an employee to download a file).
Account takeovers may not seem as destructive as ransomware or malware attacks, but they can cause huge financial losses.
Once inside, criminals often lurk undetected for months in compromised accounts, learning communication patterns they can later exploit. This ecosystem clearly remains highly vulnerable to hacking and phishing, leaving a ripe opening for cybercriminals to abuse.
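The following is an added example, not code from the original post, showing how the text and header signals described above can be scored once a message has already cleared link and attachment scanning: a display name matching a known executive on a mailbox that is not theirs, a lookalike sender domain, a Reply-To that diverts the conversation, and the availability-check, gift-card and urgency phrasing of the opening lure. The company domain, the executive list, the scoring weights and the two sample messages are all constructed for the example.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed organisation data for the example (constructed).
COMPANY_DOMAIN = "acme.example"
EXECUTIVES = {"jane doe": "jane.doe@acme.example"}  # display name -> real mailbox

# Phrasing typical of the opening message of a BEC chain. Weights below are illustrative.
LURE_PATTERNS = [
    r"\bare you (available|at your desk|in the office)\b",
    r"\bgift cards?\b",
    r"\bwire (transfer|payment)\b",
    r"\b(direct deposit|bank|payment) (details|information)\b",
    r"\bkeep this (confidential|between us)\b",
    r"\b(urgent|asap|right away)\b",
]
SUSPICIOUS_THRESHOLD = 4


def score_message(raw: bytes) -> dict:
    """Score one raw RFC 5322 message; returns the score, the reasons and a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    score, reasons = 0, []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1]

    # 1. Display name of a known executive on a mailbox that is not theirs.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr != real:
        score += 3
        reasons.append(f"display name '{from_name}' impersonates {real}, sent from {from_addr}")

    # 2. Lookalike domain: an outside domain that reuses the company's name.
    label = COMPANY_DOMAIN.split(".")[0]
    if from_domain != COMPANY_DOMAIN and label in from_domain:
        score += 2
        reasons.append(f"lookalike sender domain {from_domain}")

    # 3. Reply-To diverting the conversation to a different mailbox.
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_addr and reply_addr != from_addr:
        score += 2
        reasons.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 4. Lure phrasing in the plain-text body, one point per pattern.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    for pattern in LURE_PATTERNS:
        if re.search(pattern, body, re.IGNORECASE):
            score += 1
            reasons.append(f"lure phrasing matched /{pattern}/")

    # 5. Nothing for a link/attachment scanner to act on, yet other signals fired.
    has_url = re.search(r"https?://", body, re.IGNORECASE) is not None
    has_attachment = any(True for _ in msg.iter_attachments())
    if score and not has_url and not has_attachment:
        score += 1
        reasons.append("no URL or attachment: link/attachment scanning would not fire")

    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "clean"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages for the example.
SPOOFED_MESSAGE = b"""From: Jane Doe <jane.doe@acme-corp-mail.example>
To: bob@acme.example
Reply-To: ceo.office@webmail.example
Subject: Quick task
Content-Type: text/plain; charset="utf-8"

Bob, are you available? I need you to buy gift cards for a client today, urgent.
Keep this between us until I confirm.
"""

LEGIT_MESSAGE = b"""From: Jane Doe <jane.doe@acme.example>
To: bob@acme.example
Subject: Board deck
Content-Type: text/plain; charset="utf-8"

Bob, please send the Q3 deck over when it is ready. Thanks.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        result = score_message(raw)
        print(name, result["verdict"], result["score"])
        for reason in result["reasons"]:
            print("  -", reason)
```

The weights are deliberately skewed so that identity signals (impersonated display name, lookalike domain, diverted Reply-To) outweigh any single phrase: wording varies between campaigns, while a message that claims to be from an executive but originates outside the company is suspicious regardless of what it says.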
False Invoice Scheme
These attacks commonly target someone in a business's finance department, such as an accountant.
A knowledgeable attacker alters the bank account numbers on a legitimate invoice but leaves everything else unchanged, making the fraud difficult to detect.
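An added example (not from the original post) of the control that defeats the altered-invoice trick: before an invoice is released for payment, its bank details are compared with the vendor master record that was confirmed with the vendor out of band, and the IBAN is checked against the ISO 13616 mod-97 checksum so a crudely edited number is caught as well. The vendor master, the vendor IDs and the three invoices are constructed for the example; the IBANs are the commonly published sample values.

```python
import re
from dataclasses import dataclass


def normalise_iban(iban: str) -> str:
    """Strip whitespace and upper-case so formatting differences cannot mask a change."""
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map letters to
    10..35, and the resulting integer must leave remainder 1 modulo 97."""
    s = normalise_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    iban: str  # as confirmed with the vendor out of band, never taken from an invoice


# Constructed vendor master for the example.
VENDOR_MASTER = {
    "V-1001": Vendor("V-1001", "Northwind Supplies", "GB82 WEST 1234 5698 7654 32"),
}


def check_invoice(invoice: dict, master: dict = VENDOR_MASTER) -> list:
    """Return the reasons an invoice must be held; an empty list means the bank
    details match the vendor record and the invoice can go to payment."""
    findings = []
    vendor = master.get(invoice["vendor_id"])
    if vendor is None:
        return [f"unknown vendor id {invoice['vendor_id']}"]

    if invoice["vendor_name"].strip().lower() != vendor.name.lower():
        findings.append(f"vendor name '{invoice['vendor_name']}' does not match record '{vendor.name}'")

    inv_iban = normalise_iban(invoice["iban"])
    if inv_iban != normalise_iban(vendor.iban):
        findings.append("bank account differs from vendor master: hold and verify by phone "
                        "using the number on file, not one printed on the invoice")
    if not iban_is_valid(inv_iban):
        findings.append("IBAN fails ISO 13616 checksum")
    return findings


# Constructed invoices: same supplier, same amount, only the bank account changed.
CLEAN_INVOICE = {"vendor_id": "V-1001", "vendor_name": "Northwind Supplies",
                 "amount": 12450.00, "iban": "GB82WEST12345698765432"}
ALTERED_INVOICE = {**CLEAN_INVOICE, "iban": "DE89 3704 0044 0532 0130 00"}   # valid, but not the vendor's
TAMPERED_INVOICE = {**CLEAN_INVOICE, "iban": "GB82WEST12345698765433"}       # one digit edited

if __name__ == "__main__":
    for label, inv in (("clean", CLEAN_INVOICE), ("altered", ALTERED_INVOICE),
                       ("tampered", TAMPERED_INVOICE)):
        print(label, check_invoice(inv) or ["release for payment"])
```

The altered invoice carries a perfectly valid IBAN, which is exactly what a careful attacker supplies, so the checksum alone is not a defence; the comparison against a record established outside the email and invoice channel is what catches it. The vendor master must therefore only be updated after a call back to a number already on file.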
As a former Intelligence Specialist, I have learned that throwing technology at the problem isn't going to be as effective as you may think when it comes to correcting user behaviour.
Companies have to make a long-term investment in training. It is not possible to simply write a check for a new piece of technology and call the problem fixed. Results take months, even years, of consistent user and cybersecurity training.
Merely offering training videos or reading material isn't sufficient: employees should expect monthly or quarterly phishing and vishing tests, and organizations should track how employees perform on those tests over time.
Do you have any of these problems in your business? Share them in the comments below.