As long as email addresses exist, we will get to see email scams. Usually, security vendors & organizations are working to protect against the common phishing scam types. But cyber attackers always remain one step ahead, adapting their tactics to get around the established security controls. Let's learn about the Business Email Compromise, the short form of which is BEC.
What Is Business Email Compromise (BEC)?
Business email compromise refers to a kind of cyber attack where emails are used by scammers to trick people into sharing confidential information or sending money. Hence, the cybercriminals act as a trusted figure. After that, they ask for a fake bill to be paid or some information that they can use in another scam. These scams are increasing continuously because of the increased remote work. According to the reports, about 20,000 BEC complaints were made to the FBI last year.
How Does a Typical BEC Attack Work?
In the Business Email Compromise (BEC) Scams, an attacker can be seen acting like someone whom the receipt believes — mainly a vendor, boss or colleague. You should know that these attacks are hard to detect as they never use malware or malicious URLs, which can be analyzed with standard cyber defenses. These attacks depend on impersonation & other social engineering techniques for tricking people into interacting on the behalf of the attacker.
The use of social engineering, along with the targeted nature, is responsible for making the manual investigation & remediation of the attacks difficult & time-consuming. These scams use different impersonation techniques like domain spoofing & lookalike domains. As domain misuse is a complex issue, the attacks are effective. It is difficult to stop domain spoofing, but more challenges can be faced when you try to anticipate each potential lookalike domain. You should know that these attacks do not require any tradecraft or any advanced tool for execution. Hence, we have given the process through which a typical BEC attack runs:
Phase 1) Research & Identify Targets:
These attacks are mainly focused on the employees or executives authorized for making payments on behalf of the companies. Cybercriminals perform reconnaissance continuously over days or weeks. Generally, the BEC targets are CEOs, lawyers, & accounts payable personnel.
Phase 2) Set Up the Attack:
While mass phishing emails follow a "spray and pray" approach, these BEC attacks come across as legitimate. Scammers perform different activities like spoofing email addresses or creating lookalike domains, impersonating reliable vendors, etc., to prepare for the attack.
Phase 3) Execute the Attack:
The BEC attack may occur in an email or an entire thread based on the thoroughness of the adversary. Often, the communication uses urgency, persuasion, and authority to get a victim's trust. The perpetrator can offer wire instructions to the victim to make payment to a fraudulent account easier.
Phase 4) Disperse Payments:
As soon as attackers get the money, they collect it quickly and disseminate it across many accounts. Thus, they can decrease traceability & retrieval chances. For cybersecurity incidents, rapid response times are very important. If any organization can't detect a successful BEC attack quickly, it's unlikely that the money is going to be recovered.
Common Types of Business Email Compromise (BEC) Scams:
Five types of BEC attacks are there:
CEO Fraud: Cybercriminals act as the company's CEO or executive and they send an email to a person or employee who works within the finance department. The email asks the individual to transfer money to an account that the attacker controls.
Account Compromise: In this case, attackers hack an employee's email account to request payments to vendors. After that, they use the account to send payments to fake Bank accounts that they own.
False Invoice Scheme: This tactic is used to attack foreign suppliers. Scammers act as the suppliers and request foreign suppliers to transfer money to the fake accounts.
Attorney Impersonation:
It happens if a cybercriminal impersonates a lawyer or legal representative. In these kinds of attacks, mainly lower-level employees are targeted.
Data Theft: HR employees are attacked in this case with the intention of getting sensitive information about someone who works within the organization, like CEOs and executives. After that, data is possible to be leveraged for future attacks like CEO Fraud.
Common BEC Attack Techniques:
Five common attack techniques are as follows:
Exploiting Trusted Relationships:
In order to exploit an existing trusted relationship, cybercriminals make a concerted effort. Exploitation might take multiple forms, like a vendor who requests invoice payments, an executive who requests iTunes gift cards, and many more.
Replicating Common Workflows:
Countless number of business workflows are executed every day by a company and its employees. While multiple workflows depend on automation, many workflows are conducted over email. These workflows are replicated by the BEC attacks to fulfill their targets before victims get any idea.
Suspicious Attachments:
These are linked to malware in email attacks. However, attachments which are used in these attacks can forego malware in exchange for fake invoices.
Socially Engineered Content & Subject Lines:
BEC emails depend on subject lines that want to induce quick action. These are a few terms used in subject lines:
- Request
- Overdue
- Hello FirstName
- Payments
- Immediate Action
Leverage Free Software:
In order to lend these scams, hackers use the software that is available for free. It assists emails in sneaking past security technologies that can block bad domains. For instance, SendGrid is used for making spoofed email addresses, whereas Google Sites are used to stand up phishing pages. Attackers use Google Forms & Docs to extract sensitive data from victims. Hosting fake invoices along with 0-day phishing links is possible by attackers in Google Drive and Box.
Things to know:
- You must be aware of every information you share online or on social media. When you share your pet name, the school you attended, identity like profile links of your family members, and your birthday online, a scammer gets all the information they require to guess the password.
- Ensure that you are not clicking on anything in a text message or an unsolicited email that wants you to update or verify your account details. Hence, you need to find the phone number of the company yourself instead of believing and using the phone number given by the scammer. After finding the number yourself, you should call the company to ask whether the request you have received is legitimate or not.
- You must examine the URL, email address, and spelling used in any correspondence. Scammers trick you with little differences because they intend to gain your trust.
- You have to be careful about what you download. There is no need to open an email attachment from those whom you do not know.
- Try to set up two-factor authentication or multi-factor authentication on such accounts that permit it and never disable this.
- You should verify the payment & purchase requests, or you can call the person to ensure that it is legitimate.
Protect Against BEC Attacks— How to do it:
You should know that a successful BEC attack is very costly and can damage an organization. But defeating these attacks is possible by taking some easy email security precautions, such as:-
Anti-Phishing Protections:
You should know that BEC email is a kind of phishing. Therefore, you have to deploy anti-phishing solutions to protect against them. This solution must be able to identify red flags of BEC emails, such as reply-to addresses that are not similar to the sender addresses. Also, it should be able to use machine learning to identify the email language to indicate an attack.
Employee Education:
These attacks generally target employees of a company. So, employees need to be trained properly so that they can learn how to detect a BEC attack and respond to it. Thus, it is possible to minimize the threat of this kind of phishing.
Separation of Duties:
The attacks aim to trick employees so that they get involved in high-risk activities such as sharing sensitive information or sending money without verifying the request. Try to implement policies for these actions that need independent verification from a second employee. In this way, it is possible to reduce the risk of these attacks.
Labelling External Emails:
These attacks want to impersonate internal email addresses with the help of domain spoofing or lookalike domains. You can try to configure email programs with the intention of labelling emails (that comes from the outside of the company) to defeat the tactic.
Conclusion:
Impostor emails are created for the purpose of impersonating a person whom your users trust and trick them into sending personal information or money to the cyber criminals.
Frequently Asked Questions
- What are the different types of BEC?
Usually, there are two types of buckets under which the attacks fall: spear-phishing & social engineering attacks.
- What is the most common type of BEC?
An invoice or urgent payment required scam is the most common type of BEC attack.
- What is the biggest BEC attack?
The biggest Business Email Compromise (BEC) Scams to date is "Facebook & Google: $121m BEC scam".