Business email compromise (BEC) attacks saw a 476% increase between Q4 2017 and Q4 2018. According to Proofpoint’s Quarterly Threat Report for Q4 2018, on average, companies targeted by BEC attacks received nearly 120 fraudulent emails in the fourth quarter. This statistic is up from an average of 36 fraudulent emails in Q3 2018 and up from 21 in Q4 2017.
What are BEC Attacks?
BEC attacks use social engineering to target specific employees within a company, frequently from the firm’s Finance department, in attempts to persuade them into wiring large sums of money to third-party bank accounts controlled by the attackers.
“Criminals use business email compromise attacks to obtain access to a business email account and imitate the owner’s identity, in order to defraud the company and its employees, customers, or partners,” commented Asif Cidon, Vice President of Content Security Services at Barracuda Networks. “In most cases, scammers focus efforts on employees with access to company finances or payroll data and other personally identifiable information.”
How do BEC Attacks Work?
As opposed to other social engineering tactics, BEC attacks are extremely difficult for employees to spot as attackers don’t use malicious URLs or attachments. Instead, attackers will use what Bleeping Computer has identified as a four-step process in BEC attacks.
Step 1: Identify a Target
Organized crime groups target U.S. and European businesses, exploiting information available online to develop a profile based on the company and its executives. Attackers will often create a spoof email address posing as a company executive. For example: John.Smith@ABCCompany.com will be changed to John.Smith@ACBCompany.com – simply changing one letter in the email address. To go a step further, the compromised email will also include the legitimate signature of the compromised executive.
Step 2: Grooming
In this stage, spear phishing emails and/or telephone calls target the victim company’s officials; typically someone within the accounting or finance department who has the ability to wire funds. Attackers use persuasion and pressure to manipulate and exploit human nature. This stage may occur over a few days or even weeks.
Step 3: Exchange of Information
In the exchange of information stage, the targeted employee is convinced they are conducting a legitimate business transaction. The employee is then provided wiring instructions.
Step 4: Wire Transfer
In the final stage, the employee wires funds from the company to the bank account of the attacker. To cover their tracks, the individual will usually transfer the funds to several other accounts; making it extremely difficult to get back to the perpetrator.
BEC attacks continue to grow and evolve, targeting small, medium, and large businesses, as well as individuals. Between December 2016 and May 2018, there was a 136% increase in global losses. Furthermore, BEC attacks have been reported in all 50 states and more than 150 countries. Researchers from Digital Shadows also found 12.5 million company email inboxes, and 33,000 finance department credentials of numerous enterprises were exposed to unauthorized access with exactly 83 percent of them also having a password.
As this threat continues to spread, we recommend configuring cloud accounts and Internet-facing storage devices correctly, BEC training for company employees, adding at least one level of manual controls for all wire transfers, as well as keeping an eye out for exposed company email credentials.
Photo courtesy of Security Boulevard
