Of all the varieties of phishing attack, the ‘business email compromise,’ or BEC, presents the most significant threat to companies, overtaking ransomware and data breaches. This was revealed by insurance giant AIG in July of this year, when it announced that BEC attacks accounted for nearly a quarter of all claims the company received in 2018[1]. In a BEC, also called CEO fraud, the attacker mimics a higher authority figure, such as a top executive in the company, to dupe an employee into transferring money to a fake account or sending sensitive or classified information.
Unlike phishing attacks, which are random in nature and may target several people with the same email, BECs are aimed at a specific staff member, usually one responsible for financial transactions. As such, the attacker will first do as much research on the company as possible, finding out the names of the CEO or CFO and of the staff member they wish to deceive. Other victims can include attorneys or even customers. Social engineering plays a huge part in the success of the BEC scam: employees tend to obey their bosses without question, either fearing reprisal if they don’t or anticipating rewards if they do well. The other element required for a BEC attack to work well is a sense of urgency: the task has to be done so quickly that there is no time to seek a second opinion or to question the boss on the matter.
The spoof email sent to the employee, supposedly from someone higher up, will look so convincing that the employee usually doesn’t think twice about complying. This is what makes these attacks so dangerous. The research done by the attackers can be so detailed that they will even time the request for a day when the boss is away from the office, using a ‘sent from my iPad’ line or similar to get around the need for a corporate email signature. The legitimate email address may also be spoofed, with the attacker using a domain name that resembles the company’s so that it passes a casual glance. When it comes to money transfers, the amount requested is one that would not attract attention and is often presented as payment of an invoice to a non-existent supplier. Because a BEC often goes undetected for some time, several money or information transfers can be made.
Over 6,000 businesses on average are targeted by BEC fraud every month, with individual companies receiving around five BEC emails[2]. Only a few succeed, but that is all it takes for the attacker to make a great deal of money. Even large corporations that you would assume to be astute when it comes to BECs have been conned. In March, a Lithuanian man pleaded guilty to defrauding Google and Facebook out of over $100 million using fraudulent emails and invoices[3]. And it is not just companies who are targeted in this way: charities, universities, churches, and even the Boy Scouts of America have been attacked using BEC methods too[4].
How to Avoid a BEC Attack
- As usual, cyber education from the top down is essential. CEOs and other executives need to be made aware of how these attacks work just as much as any employees who work in sensitive areas that may be attacked.
- Develop a protocol around fund transfers: all confidential and ‘urgent’ requests by CEOs and other executives should be verified before any transfer of funds or information is made. This should preferably be done with a phone call or face-to-face.
- Use an encrypted server for all emails and use multifactor authentication on accounts.
- Get staff to double-check all email addresses for spoofing.
- Be mindful of the cultural variants in BEC. For example, in Japanese corporate culture, an email from management instructing staff members to perform a task might be more likely to go unquestioned. Japanese employees without any cybersecurity awareness might not think twice about questioning an email from management to perform a certain task, especially if that task is aligned with existing work responsibilities.
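As an added example that is not part of the original article, the following Python check supports the two points above about verifying requests and double-checking sender addresses: it flags sender domains that merely resemble the organisation’s domain (homoglyphs, small edits, or the real domain used as a subdomain) and executive names appearing in the display name of an external address, so that such messages can be routed for out-of-band verification. The organisation domain, executive names, homoglyph table and sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed assumptions for the example: the organisation's own domain and
# the executive names an attacker would impersonate in a BEC email.
ORG_DOMAIN = "example.com"
EXEC_NAMES = {"jane doe", "john smith"}

# Characters that pass a casual glance as the letter they imitate.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Undo the character substitutions a lookalike domain relies on."""
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w").replace("cl", "d")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list:
    """Return reasons to hold the message for verification (empty list = no indicator)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    if domain and domain != ORG_DOMAIN:
        norm = normalize(domain)
        if norm == ORG_DOMAIN or edit_distance(norm, ORG_DOMAIN) <= 2:
            reasons.append(f"lookalike domain: {domain}")
        elif norm.startswith(ORG_DOMAIN + "."):
            reasons.append(f"organisation domain used as a subdomain: {domain}")
        if name.strip().lower() in EXEC_NAMES:
            reasons.append(f"executive name '{name}' sent from external domain {domain}")
    return reasons


if __name__ == "__main__":
    for hdr in ('"Jane Doe" <jane.doe@example.com>',   # genuine internal sender
                '"Jane Doe" <ceo@examp1e.com>',        # digit 1 in place of letter l
                'Finance <ap@example.com.evil.test>',   # real domain used as subdomain
                'Jane Doe <jane.doe.ceo@gmail.com>'):  # executive name, free-mail domain
        print(hdr, "->", check_sender(hdr) or "ok")
```

Any non-empty result is a reason to apply the phone or face-to-face verification step rather than to act on the email.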
These procedures need to be reviewed regularly, as attacks will only become more sophisticated in the future. Improvements in artificial intelligence and machine learning mean that attackers are now looking at new ways to fool victims into handing over money. Deepfake[5] audio, in which criminals impersonate the voice of a CEO, is no longer speculation: it has been done. On August 30, it was reported that an unnamed UK energy company became a casualty of a deepfake BEC-type scam when the attackers impersonated the CEO of the company’s German parent firm and persuaded the UK CEO to send €220,000 to a made-up supplier in Hungary. There have been three other similar successful attacks, meaning that other cyberattackers will soon be using similar methods. If so, this will require added layers of security, such as digital certificates, out-of-band communication channels, or even several channels of approval[6].
BECs are not going to go away, and they are going to get harder to detect. Attackers know that a company’s employees are their easiest way in and will use whatever social engineering methods they have at their disposal. As always, the best defense is training, and if you are worried that the cost will be too much, bear in mind just how easy it can be for a criminal to use a BEC to drain your funds. Be prepared.
1. Catalin Cimpanu, ‘BEC Overtakes Ransomware and Data Breaches in Cyber-Insurance Claims,’ ZDNet, 09/02/2019, accessed at https://www.zdnet.com/article/bec-overtakes-ransomware-and-data-breaches-in-cyber-insurance-claims/
2. ‘BEC Scams Remain a Billion-Dollar Enterprise, Targeting 6K Businesses Monthly,’ Symantec Blog, 07/23/2019, accessed at https://www.symantec.com/blogs/threat-intelligence/bec-scams-trends-and-themes-2019
3. Vanessa Romo, ‘Man Pleads Guilty to Phishing Scheme that Fleeced Facebook, Google of $100 Million,’ NPR, 03/25/2019, accessed at https://www.npr.org/2019/03/25/706715377/man-pleads-guilty-to-phishing-scheme-that-fleeced-facebook-google-of-100-million?t=1573132791142
4. Lindsay O’Donnell, ‘RSA Conference 2019: BEC Scammer Gang Takes Aim at Boy Scouts, Other Nonprofits,’ Threatpost, 03/05/2019, accessed at https://threatpost.com/rsac-2019-bec-scammer-gang-takes-aim-at-boy-scouts-other-nonprofts/142302/
5. From the words ‘deep learning’ and ‘fake’: deepfake audio takes a copy of a target’s voice, synthesizes it, and uses background noise to cover up any small irregularities. Deepfake video is also possible but has not yet been used in any BEC scam.
6. Danny Bradbury, ‘Deepfake Audio is the Next Social Engineering Tool,’ Infosecurity Blog, 09/03/2019, accessed at https://www.infosecurity-magazine.com/infosec/deepfake-audio-is-the-next-social/