Why Are Business Email Compromise (BEC) Attacks On The Rise?

According to the FBI, losses related to Business Email Compromise (BEC) attacks increased by 136% from December 2016 to May 2018. Why the increase? The answer is actually pretty simple: BEC attacks are easy to launch, there’s limited risk of being caught, and they work! BEC ranks #1 in the IC3’s 2017 Internet Crime Report for the volume of victim losses, representing nearly half (48%) of the total losses of the top 10 Internet crimes.

BEC attacks target companies by using compromised or spoofed email accounts to request wire transfers, tricking an employee into sending money to the criminal. Email accounts may become compromised through phishing attempts or social engineering – and because they don’t involve malware, these attempts often go undetected by email security services.

In this post we’ll revisit how BEC attacks work, discuss why they’re on the rise, and how you can detect them.

How a BEC Attack Works

It’s worth starting with a refresher on how a BEC attack works. And while there are many variations, the basic idea is:

  1. A criminal compromises or spoofs the email account of an executive, such as the CFO.
  2. The criminal sends a request for a wire transfer from the exec’s email account to an employee who is responsible for processing these requests and is subordinate to the executive, such as the Controller.
  3. The Controller submits a wire payment request to the company’s bank, as per instructions from his or her “boss.”

Requests typically include an element of urgency and a request for confidentiality. These schemes hinge on an email request that appears completely legitimate, either coming from an actual email account or one that is so similar that all but the closest scrutiny would miss the variation. The requests for wire transfers are well-worded, specific to the business being victimized, and do not raise suspicions as to the legitimacy of the request.

Business Email Compromise = Big Money

According to the FBI’s Internet Crime Complaint Center (IC3), over $12 billion was lost through such BEC attacks from October 2013 through May 2018. The most popular payment mechanism is a wire transfer, because it takes place quickly and is difficult to reverse.

Once funds have been transferred, they become almost impossible to track or recover. Even if fraud can be proven, it’s very unlikely that the money will ever be recovered or that anyone will be convicted of the crime. Not only are many of these attacks untraceable, but they also often originate within countries that are not interested in prosecuting the crime. In fact, cybercrime is encouraged in some countries as it brings wealth to the local economy.

As an example of the money at stake, a single real estate transaction may net a criminal hundreds of thousands of dollars with limited personal risk to the attacker, making it an extremely attractive proposition. In one such transaction, a total of $1.57 million was fraudulently redirected from a single couple. Title companies and real estate agencies are among the most often targeted, but BEC can impact any industry or company that frequently uses wire transfers.

Why Are BEC Attacks on the Rise?

Put succinctly, BEC attacks are on the rise because (a) they are low risk and (b) they work. BEC attacks can be implemented quickly, require minimal technology, and have potentially high rewards.

Social engineering is a popular method for compromising a business email account. Attackers may ask an individual directly for their user information by posing as an IT technician within the individual’s own company, for example. Through online searches and social media platforms such as LinkedIn, cybercriminals can appear to have in-depth knowledge about a company, which improves their credibility.

Cybercriminals may also use phishing attempts to trick individuals into exposing their login information. Phishing emails may appear as though they come from the company itself or from another reputable company, and may prompt users to enter their login information into another website. Criminals also spoof an email address, as described in an earlier blog post. Either way, cybercriminals don’t need to use malicious programs, which can be detected by malware solutions.

In fact, bad actors may not even need to collect email information themselves. Email credentials are commonly sold on the dark web. And while email credentials for people in CEO, CFO, and other key roles command a higher price, it pales in comparison to what the criminal can make through a BEC attack. This has become so common that some cybercriminals provide account hacking as a service.

Because these credentials are so easy to come by, it is simple and cost-effective to launch a BEC-type attack. Further, social media has made it easier for cybercriminals to know when to launch such an attack. Both companies and individuals readily share information about employee travel plans, whether through email, voicemail, or social media. This makes it easy for a cybercriminal to time a message for when the impersonated person is on vacation or traveling, making it harder for the recipient to confirm the request.

Malware Solutions Aren’t Enough

Malware detection solutions aren’t built to spot BEC or other social engineering attacks. But that doesn’t mean that there aren’t solutions that can reduce risk. Some security products can provide safe email monitoring processes, which can detect BEC attacks in action. Next-generation security systems are able to:

  • Monitor emails for suspicious language. Email is the most common attack vector for cybercrime, not just BEC attacks, and many social engineering attempts occur through email. Monitoring emails for suspicious language may reduce the chances that compromised information is sent out or that an employee might fall for a phishing attempt.
  • Monitor networks for suspicious activity. When an email account is compromised, the account itself will often show failed login attempts, login attempts that come from an unusual country, or attempts that come through a VPN. An advanced email security service will be able to identify suspicious login attempts and prevent access to the account.

Further, an email security service can identify attempts to redirect fund payments, and can support services such as encrypted email and signed email. Signing emails as they are sent provides protection against the possibility that another individual may send an email through the same account requesting fund redirection.
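The email-monitoring idea above, as an added example (not code from the original post or from any product): it flags a lookalike sender domain, a Reply-To that differs from the sender, and the payment, urgency and confidentiality wording this post describes. The domain `example.com`, the cue phrases, the function names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
CUES = {  # assumption: illustrative phrases, not a vendor rule set
    "payment": re.compile(r"\b(wire transfer|wire payment|routing number)\b", re.I),
    "urgency": re.compile(r"\b(urgent|immediately|asap|today|right away)\b", re.I),
    "secrecy": re.compile(r"\b(confidential|do not discuss|keep this between us)\b", re.I),
}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def bec_indicators(raw):
    """Return indicator names for a single-part plain-text message."""
    msg = message_from_string(raw)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    found = []
    if sender != TRUSTED_DOMAIN and edit_distance(sender, TRUSTED_DOMAIN) <= 2:
        found.append("lookalike-domain")
    if reply_to and reply_to != sender:
        found.append("reply-to-mismatch")
    body = msg.get_payload()
    return found + [name for name, rx in CUES.items() if rx.search(body)]

def needs_review(raw):
    """Hold for out-of-band confirmation: a payment request plus any other indicator."""
    found = bec_indicators(raw)
    return "payment" in found and len(found) > 1

# Constructed samples (not real mail).
SPOOFED = ("From: CFO <cfo@examp1e.com>\nReply-To: cfo@mail-relay.test\n"
           "To: controller@example.com\nSubject: Payment\n\n"
           "I need a wire transfer sent today. Keep this confidential.\n")
ROUTINE = ("From: Controller <controller@example.com>\nTo: cfo@example.com\n"
           "Subject: Minutes\n\nAttached are the minutes from the budget meeting.\n")

if __name__ == "__main__":
    for sample in (SPOOFED, ROUTINE):
        print(bec_indicators(sample), needs_review(sample))
```

A message sent from a genuinely compromised account passes the two header checks, so only the wording cues apply to it; that case is where the login monitoring in the second bullet has to carry the detection.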

Of course, some measure of BEC prevention also requires employee training. BEC scams rely on employees as the company’s primary vulnerability: attackers must first get login information from employees and then use it to access their accounts. From there, they must also convince another individual to send funds to an unfamiliar account and to do so quickly.

With the right training, both of these attempts should fail – but everyone makes mistakes at some point in time. With the right email security services, a company is able to reduce the risk of business email compromise even when employees forget the lessons learned in training, or something simply gets by them on a busy day.

Bert Rankin

Bert Rankin has been leading technology innovation for over 25 years including over 5 years in security solutions that prevent cybercrime. He is a frequent blogger and is often quoted in security-related articles. Bert earned his BA from Harvard University and an MBA at Stanford University.