BEC Attackers Are Raising Their Game. Are You?

Cybercriminals are using legitimate email accounts to steal your customers’ money and data. Does your security strategy stand up to this threat?

4 Min Read
Close up of woman's hands on laptop keyboard

In the last five years, business email compromise (BEC) attacks cost U.S. firms $2.9 billion, according to the FBI’s Internet Crime Complaint Center (IC3). Not only are these attacks on the rise, but cybercriminals also are rapidly expanding their toolbox when it comes to account takeovers, spoofing and defrauding companies with misleading emails from sources believed to be trustworthy.

BEC attacks involve the use of a legitimate email account (obtained via an account takeover) to convince employees to share valuable data, passwords and, in some cases, even corporate cash. According to a recent article in SC Magazine by my colleague here at Barracuda, Asaf Cidon: “Account takeover is one of the biggest threat vectors in the cybersecurity industry today. More and more organizations are getting hit, and the attacks are getting more and more targeted. Attackers are moving away from the relatively standard phishing email, as they are finding that strategically targeting business executive accounts is much more lucrative.”

New BEC Attack Strategies

With BEC attacks, cybercriminals can use your company’s brand against you and your partners. The criminals behind these attacks are also using new approaches to gain account access, obtain employee trust and leverage their access to do even more damage.

BEC attacks are as much a game of psychological warfare as they are a technological threat. Criminals use trusted email accounts to trick employees into processing fake invoices, transferring money to dummy accounts or sharing access to sensitive data.

According to a recent research report, the most common BEC tactic cybercriminals leverage is trying to deceive the recipient to conduct a wire transfer to a bank account owned by the attacker.  In contrast, only 0.8% of BEC attacks ask the recipient to send the attacker personally identifiable information.

These attacks differ from traditional phishing schemes in several ways. The study found that roughly 60% of BEC attacks do not involve a link. The attack comes in the form of a plain text email intended to trick the recipient. The emails are difficult for existing security systems to detect because they originate from a legitimate account, and they don’t contain the tell-tale signs of a phish (i.e., a suspicious link or a spoofed web address).

Increasingly, these attacks leverage a new hacking technique called “island hopping,” which entails compromising the main target’s affiliates with the intent to leverage them to eventually penetrate the main target’s defenses.

In some cases, BEC attacks have shifted to mobile devices. The attackers still use email as the initial contact but try to obtain mobile phone numbers to shift the coercion to text messages, which can be even more difficult to catch. Attackers are also turning to log destruction, and they’re even finding ways to turn off corporate antivirus software or firewalls to reduce the likelihood of detection.

New waves of BEC campaigns are also targeting HR and finance departments in an attempt to get direct-deposit payroll information or W2s, or to leverage the confusion when companies are in the middle of a merger or acquisition. In some cases, attackers will monitor financial transactions and communications for months to believably fake a payment request.

For example, a Lithuanian scammer obtained nearly $100 million from Facebook and Google by spoofing the email of executives at Quanta Computer and issuing a series of fake invoices directed at phony bank accounts he had previously established.

How Companies Can Start Protecting Themselves

With the sophistication of these attacks increasing, companies need to take a multi-pronged approach to protecting themselves. Strong password and authentication policies help. However, employee education is a must: Staff must be trained to recognize suspicious emails and verify their authenticity before sharing information or sending money.

Establishing strict corporate policies around wire transfers is another critical step. These transfers should require the authorization of multiple executives, as well as in-person or verbal confirmations to make sure that money isn’t issued to an attacker by mistake.

But these steps aren’t enough. Technology needs to be as intelligent as these new types of attacks to provide an extra layer of security. Barracuda Sentinel is a good example. Unlike security solutions that rely on merely blocking senders from specific IP addresses or geographies, and those that search for suspicious links, Sentinel uses artificial intelligence to help spot anomalous employee behavior.

If a staff member starts sending an unusual number of emails or sends messages to executives they normally don’t communicate with, the solution can “learn” which of these behaviors may indicate a BEC or account takeover attempt. The system alerts the proper staff members of the problem and automatically blocks suspected phishing emails or other communications.

Closing Thoughts

A well laid-out email and cybersecurity plan is something no company can afford to be without. By raising your customers’ awareness and following the tips outlined above, you’ll be in a much better position to ensure your customers’ email security framework remains one step ahead of those trying to undermine them.

Brian Babineau is Senior Vice President and General Manager for Barracuda MSP. In this role, he is responsible for the company’s managed services business, a dedicated team focused on enabling partners to easily deliver affordable IT solutions to customers.

This guest blog is part of a Channel Futures sponsorship.

 

Read more about:

MSPs
Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like