BEC Attackers Are Raising Their Game. Are You?
In the last five years, business email compromise (BEC) attacks cost U.S. firms $2.9 billion, according to the FBI’s Internet Crime Complaint Center (IC3). Not only are these attacks on the rise, but cybercriminals are also rapidly expanding their toolbox when it comes to account takeovers, spoofing and defrauding companies with misleading emails from sources believed to be trustworthy.
BEC attacks involve the use of a legitimate email account (obtained via an account takeover) to convince employees to share valuable data, passwords and, in some cases, even corporate cash. According to a recent article in SC Magazine by my colleague here at Barracuda, Asaf Cidon: “Account takeover is one of the biggest threat vectors in the cybersecurity industry today. More and more organizations are getting hit, and the attacks are getting more and more targeted. Attackers are moving away from the relatively standard phishing email, as they are finding that strategically targeting business executive accounts is much more lucrative.”
New BEC Attack Strategies
With BEC attacks, cybercriminals can use your company’s brand against you and your partners. The criminals behind these attacks are also using new approaches to gain account access, obtain employee trust and leverage their access to do even more damage.
BEC attacks are as much a game of psychological warfare as they are a technological threat. Criminals use trusted email accounts to trick employees into processing fake invoices, transferring money to dummy accounts or sharing access to sensitive data.
According to a recent research report, the most common BEC tactic cybercriminals leverage is deceiving the recipient into making a wire transfer to a bank account owned by the attacker. In contrast, only 0.8% of BEC attacks ask the recipient to send the attacker personally identifiable information.
These attacks differ from traditional phishing schemes in several ways. The study found that roughly 60% of BEC attacks do not involve a link. The attack comes in the form of a plain-text email intended to trick the recipient. The emails are difficult for existing security systems to detect because they originate from a legitimate account, and they don’t contain the tell-tale signs of a phish (e.g., a suspicious link or a spoofed web address).
Increasingly, these attacks leverage a new hacking technique called “island hopping,” which entails compromising the main target’s affiliates with the intent to leverage them to eventually penetrate the main target’s defenses.
In some cases, BEC attacks have shifted to mobile devices. The attackers still use email as the initial contact but try to obtain mobile phone numbers to shift the coercion to text messages, which can be even more difficult to catch. Attackers are also turning to log destruction, and they’re even finding ways to turn off corporate antivirus software or firewalls to reduce the likelihood of detection.
New waves of BEC campaigns are also targeting HR and finance departments in an attempt to get direct-deposit payroll information or W2s, or to leverage the confusion when companies are in the middle of a merger or acquisition. In some cases, attackers will monitor financial transactions and communications for months to believably fake a payment request.
For example, a Lithuanian scammer obtained nearly $100 million from Facebook and Google by spoofing the email of executives at Quanta Computer and issuing a series of fake invoices directed at phony bank accounts he had previously established.
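The plain-text, link-free payment request described above and the executive-spoofing pattern in the Quanta case can still be triaged on signals a mail gateway does see. The following is an added illustration, not code from the original post or from Barracuda: a small indicator scorer run over two constructed messages. The executive list, the internal domain and the keyword lists are assumptions a deployment would tune.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a plain-text BEC lure with no link, an executive
# display name, and a Reply-To that sends answers to an outside mailbox.
SAMPLE_BEC = """\
From: "Jane Doe, CFO" <jane.doe@example.com>
Reply-To: jane.doe@example-mail.net
To: accounts@example.com
Subject: Urgent wire transfer

Please process a wire transfer of $48,500 to the new vendor bank account
today. I am in meetings, so reply here and keep this confidential.
"""

# Constructed benign message from the same sender for comparison.
SAMPLE_OK = """\
From: "Jane Doe, CFO" <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 numbers

The Q3 numbers are uploaded to the shared drive, see https://example.com/q3.
"""

EXECUTIVES = {"jane doe"}          # assumed: display names worth protecting
INTERNAL_DOMAIN = "example.com"    # assumed: the organisation's own domain
PAYMENT_TERMS = ("wire transfer", "bank account", "invoice", "payroll", "w-2")
URGENCY_TERMS = ("urgent", "today", "confidential", "in meetings")

def bec_indicators(raw):
    """Return the BEC indicators found in one RFC 822 message, in fixed order."""
    msg = message_from_string(raw)
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    found = []
    # A payment request delivered with no URL at all: the plain-text pattern.
    if any(t in text for t in PAYMENT_TERMS) and not re.search(r"https?://", text):
        found.append("payment_request_no_link")
    if any(t in text for t in URGENCY_TERMS):
        found.append("urgency_or_secrecy")
    # Replies silently routed to a domain other than the visible sender's.
    if reply_addr.split("@")[-1].lower() != from_addr.split("@")[-1].lower():
        found.append("reply_to_domain_mismatch")
    # An executive's display name on an address outside the organisation.
    name_key = re.split(r"[,(]", from_name)[0].strip().lower()
    if name_key in EXECUTIVES and not from_addr.lower().endswith("@" + INTERNAL_DOMAIN):
        found.append("executive_name_external_address")
    return found
```

These are triage signals, not a verdict: a message from a genuinely compromised internal account clears the sender checks, so the content indicators should feed a review queue or an out-of-band payment confirmation step rather than block on their own.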