
Business Email Compromise (BEC): Old wine in new bottle

Security

Despite a 25-year history, Business Email Compromise (BEC) remains a heavily used and successful form of phishing attack, so successful that the technique is used by cybercriminals and intelligence operators alike.

It is consistently ranked among the most financially damaging online crimes, and even after all these years a single successful attack can cost a company hundreds of thousands of dollars.

A recent Anti-Phishing Working Group (APWG) report found that the average loss from a wire-transfer BEC attack was $80,183 in the second quarter of 2020, a 32% increase over the first quarter of 2020.

Cybersecurity professionals are familiar with what BEC attacks aim to achieve: financial leverage and monetary gain, but also reputational damage. The wider phishing lexicon makes this category of attack confusing and difficult to classify, so for this discussion I will stick with the primary definition.

"If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
- Sun Tzu

Professionals responsible for email threat mitigation should know the following clear instances of BEC attack techniques.

Company Financials – A common attack methodology

BEC attacks begin with phishing emails that entice the recipient to carry out a task under the guise of legitimate business activity. What makes them so effective is that the email usually appears to come from a trusted sender, often an authority figure such as an executive.

Typically the cybercriminal asks for some form of payment, or for the recipient to enter credentials, in order to steal money, employee personally identifiable information or sensitive company data such as wage and tax forms, Social Security numbers and bank account information.

Contents

  • There are two general buckets that BEC attacks fall under
    • Spear-phishing
    • Social engineering attacks
  • C Level Targets
  • Account Compromise
  • False Invoice Scheme

There are two general buckets that BEC attacks fall under

Spear-phishing

Social engineering attacks

These may be employee availability checks ("are you at your desk?"), requests to carry out an unspecified task, gift card requests, or solicitations for direct deposit changes, payments and bank details.

These emails contain no malicious links or attachments, so they pass straight through traditional secure email gateway protections, which key on malicious payloads and are not designed to block a message on the strength of its text alone.
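Because there is no link or attachment to detonate, the signals that remain are in the headers and the wording. The following is an added example, not code from the original post: a small triage routine that checks a raw message for display-name impersonation of an executive, a lookalike sender domain, a Reply-To that diverges from the sender, and the lure phrases listed above. The organization domain, executive roster and phrase list are assumptions a deployment would replace with its own data, and the three sample messages are constructed for the demonstration.

```python
"""Heuristic triage for payload-less BEC lures.

Added example, not code from the original post. The executive roster, organization
domain and lure phrases below are assumptions; the sample messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                      # assumption: the defended organization's domain
EXECUTIVES = {"jane doe", "john roe"}           # assumption: names most often impersonated
LURE_PHRASES = (                                # assumption: phrases seen in payload-less lures
    "are you at your desk", "are you available", "gift card", "wire transfer",
    "direct deposit", "bank details", "urgent", "confidential",
)

def normalize_domain(domain: str) -> str:
    """Collapse common homoglyph substitutions so exarnple.com compares equal to example.com."""
    d = domain.lower()
    for look, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(look, real)
    return d

def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if a == b:
        return True
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(short == long_[:i] + long_[i + 1:] for i in range(len(long_)))

def is_lookalike(domain: str) -> bool:
    """External domain that normalizes to, or is one edit away from, ORG_DOMAIN."""
    d = domain.lower()
    if d == ORG_DOMAIN:
        return False
    return normalize_domain(d) == ORG_DOMAIN or within_one_edit(d, ORG_DOMAIN)

def score_message(raw: bytes) -> dict:
    """Return the signals found in one raw RFC 5322 message and a review verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    reasons = []
    # 1. Display-name impersonation: an executive's name on an external address.
    if name.strip().lower() in EXECUTIVES and sender_domain != ORG_DOMAIN:
        reasons.append("executive display name on external address")
    # 2. Lookalike sender domain.
    if is_lookalike(sender_domain):
        reasons.append(f"lookalike sender domain {sender_domain}")
    # 3. Reply-To pointing somewhere other than the sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append("reply-to differs from sender")
    # 4. Lure language in subject or body; there is no link or attachment to inspect.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        reasons.append("lure phrases: " + ", ".join(hits))
    # Two independent signals are required before a message is held for review.
    return {"reasons": reasons, "hold_for_review": len(reasons) >= 2}

# Constructed sample messages (not real mail).
SAMPLES = {
    "gift_card": (
        b'From: "Jane Doe" <jane.doe.ceo@gmail.com>\n'
        b"Reply-To: <ceo.office@outlook.com>\n"
        b"To: bob@example.com\n"
        b"Subject: Are you at your desk?\n\n"
        b"I need you to handle a task for me urgently. Can you pick up gift cards for a client?\n"
    ),
    "lookalike": (
        b'From: "John Roe" <john.roe@exarnple.com>\n'
        b"To: ap@example.com\n"
        b"Subject: Invoice payment\n\n"
        b"Please process the vendor invoice today; our bank details have changed.\n"
    ),
    "benign": (
        b'From: "Jane Doe" <jane.doe@example.com>\n'
        b"To: bob@example.com\n"
        b"Subject: Q3 planning\n\n"
        b"See you at Thursday's planning session.\n"
    ),
}

def triage_all() -> dict:
    return {name: score_message(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in triage_all().items():
        print(name, result)
```

The gift card lure is held on three signals (executive display name from a webmail address, a divergent Reply-To, and lure phrases) even though nothing in it would trip a payload scanner; the lookalike sender is caught by the homoglyph normalization. Requiring two independent signals keeps a genuine executive saying "this is urgent" from an internal address out of the review queue.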

The three most common types of BEC attack:

C Level Targets

Attackers pose as a company executive or other director to fool employees at any level into executing unauthorized wire transfers or sending out confidential tax information.

There is often crossover here with social engineering attacks, which use psychological manipulation to trick people into divulging confidential information or providing access to funds.

C-level-focused phishing emails are social engineering by nature, but they can also be spear-phishing attacks, for instance when the attacker spoofs the CEO and asks an employee to download a file.

Account Compromise

One of the biggest goals of cyberattacks is account takeover. It is one of the most devastating forms of BEC: phishing emails are used to compromise an executive's or employee's account, and the attacker then uses those credentials to request invoice payments, directing the funds to accounts the attacker controls.

Interestingly, this dovetails with reports that more than 56% of organizations have fallen victim to a breach caused by a vendor.

Account takeovers may not be seen as being as destructive as ransomware or malware attacks, but they can cause huge financial losses.

They also almost always start with a social engineering attack, asking recipients to perform unspecified tasks or hand over compromising information.

The criminals then often lurk undetected for months inside the compromised account, learning the communication patterns they can later exploit. This ecosystem is clearly still extremely vulnerable to hacking and phishing attacks, leaving a ripe opening for cybercriminals.

False Invoice Scheme

The false invoice scheme uses phishing emails to impersonate the accountant, the vendor, or both. The same techniques appear in other prominent billing schemes, such as setting up shell companies or making fraudulent purchases with organizational funds.

The FBI lists false invoice schemes as one of the top five major types of BEC scams.

These attacks commonly target someone who works in a business’s financial department, such as an accountant.

Knowledgeable attackers alter the bank account number on a legitimate invoice and leave everything else unchanged, which makes the fraud difficult to detect by eye.

From there the possibilities are numerous: some attackers inflate the payment amount or arrange a double payment, among many other strategies.
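An invoice whose only altered field is the bank account will pass a visual check, so the control has to compare against a record the attacker cannot edit. The following is an added example, not code from the original post: an accounts-payable check that holds an invoice when its payee bank details differ from the vendor master record, when the invoice number has already been paid (the double-payment variant), or when the amount is far above what the vendor normally bills (the inflated-amount variant). The vendor master, payment history and invoices are constructed, and the 2x amount threshold is an assumed tuning value.

```python
"""Invoice controls against the altered-bank-account scheme.

Added example, not code from the original post. The vendor master, payment history
and invoices are constructed; the 2x amount threshold is an assumed tuning value.
"""
from dataclasses import dataclass, field
from statistics import mean

@dataclass(frozen=True)
class BankDetails:
    routing: str
    account: str

@dataclass
class VendorRecord:
    name: str
    bank: BankDetails                       # verified out of band when the vendor was onboarded
    paid_amounts: list = field(default_factory=list)

@dataclass(frozen=True)
class Invoice:
    vendor: str
    number: str
    amount: float
    bank: BankDetails                       # payee details printed on the invoice

def check_invoice(inv: Invoice, vendors: dict, paid_invoices: set, max_ratio: float = 2.0) -> list:
    """Return the control failures for inv; an empty list means it may be paid."""
    failures = []
    vendor = vendors.get(inv.vendor)
    if vendor is None:
        return ["vendor not in master record"]
    # The scheme in the text: everything matches except the bank account.
    if inv.bank != vendor.bank:
        failures.append("payee bank details differ from vendor master record")
    # Double payment: same vendor and invoice number already settled.
    if (inv.vendor, inv.number) in paid_invoices:
        failures.append("invoice number already paid")
    # Inflated amount relative to what this vendor normally bills.
    if vendor.paid_amounts and inv.amount > max_ratio * mean(vendor.paid_amounts):
        failures.append(f"amount {inv.amount:.2f} exceeds {max_ratio}x historical mean")
    return failures

# Constructed data (routing and account numbers are placeholders, not real accounts).
ACME_BANK = BankDetails(routing="012345678", account="123456789")
VENDORS = {"Acme Supplies": VendorRecord("Acme Supplies", ACME_BANK, [4000.0, 4200.0, 3900.0])}
PAID = {("Acme Supplies", "INV-1041")}

INVOICES = {
    "clean": Invoice("Acme Supplies", "INV-1042", 4100.0, ACME_BANK),
    "altered_account": Invoice("Acme Supplies", "INV-1043", 4100.0,
                               BankDetails(routing="012345678", account="987654321")),
    "double_payment": Invoice("Acme Supplies", "INV-1041", 4000.0, ACME_BANK),
    "inflated": Invoice("Acme Supplies", "INV-1044", 9500.0, ACME_BANK),
}

def run_controls() -> dict:
    """Run every constructed invoice through the controls; a non-empty list means hold."""
    return {name: check_invoice(inv, VENDORS, PAID) for name, inv in INVOICES.items()}

if __name__ == "__main__":
    for name, failures in run_controls().items():
        print(name, "HOLD" if failures else "OK", failures)
```

The altered-account invoice is identical to the clean one except for the account number and is still held, because the comparison is against the onboarding record rather than the document in hand. A held invoice should be cleared only by calling the vendor on a phone number already in the master record, never on a number printed on the invoice or supplied in the email that delivered it.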

According to a survey by Trend Micro, just over 45 percent of targeted individuals carried the title of CEO. The next most frequently targeted titles were Managing Director (9.7%) and CFO (4.8%). The attacks span a wide range of industry sectors, including manufacturing, real estate, finance, government and technology, and nearly 74% of the businesses known to have been targeted were located in the United States.

As a former Intelligence Specialist, I have learned that throwing technology at the problem is not as effective as you might think when it comes to correcting user behaviour.

Companies have to make a long-term investment in training. It is not possible to simply write a check for a new piece of technology and apply a fix. Obtaining results takes months, even years, of consistent user and cybersecurity training.

Merely offering training videos or reading material is not sufficient: employees should expect monthly or quarterly phishing and vishing tests, and organizations should track how employees perform on those tests over time.

Do you have any of these problems in your business? Share them in the comments below.
