Understanding Business Email Compromise: An organisation's most expensive enemy

It's been a long time since a threat focused the attention of cyber-security professionals quite like Business Email Compromise (BEC) and Email Account Compromise (EAC). Dubbed 'cyber-security's priciest problem', social engineering-driven cyber threats like BEC and EAC are purpose-built to impersonate someone users trust, and trick them into sending money or sensitive information.

These email-based threats are a growing problem. Recent Proofpoint research has shown that more than 7,000 CEOs or other executives have been impersonated since March 2020. Overall, more money is lost to this type of attack than any other cybercriminal activity. In fact, according to the FBI, these attacks have cost organisations worldwide more than $26 billion between June 2016 and July 2019. Gartner also predicted that through 2023, BEC attacks will continue to double each year, to over $5 billion, and lead to large financial losses for enterprises. 

Unfortunately, given the overall success rate and low cost of executing email fraud attacks, it is likely that organisations are only seeing the tip of the iceberg in terms of both direct and indirect damages resulting from these types of assaults, which continue to scale and evolve.

Identifying a BEC attack

To understand the continued success of BEC, we must first understand the mechanics of an attack.

These attacks occur when a cybercriminal poses as a trusted individual within an organisation to reroute funds or access privileged data. These attacks are usually highly targeted, aimed at specific decision-makers or those in authority.

There are usually four stages to a sophisticated BEC attack:

• The research: Unlike mass, blanket attacks, BEC attackers usually take the time to identify specific individuals within an organisation. Information is gathered from a range of sources to create believable communications once the account is compromised. 
• The groundwork: BEC attackers often attempt to build relationships with those who have financial decision-making authority. Usually through spoofed or compromised email accounts, this interaction can take place over days, weeks or even months to build trust and familiarity. 
• The trap: Once the attacker has compromised an account, or accounts, and is satisfied that the victim believes them to be genuine, they make their move. In most cases, the target is asked to initiate a wire transfer or alter payment details on an existing pending payment. 
• The fraud: Believing the request to be genuine, the victim sends funds to the fraudster's account. These are usually moved on quickly, making them harder to recover once the fraud has been discovered.

So what do these attacks look like in real-life? Proofpoint has recently identified the following trends in BEC attacks that organisations must be aware of.

BEC Payroll Diversion Scams

BEC payroll diversion scams are similar to other BEC attacks by relying on impersonation and social engineering to convince the target victim to send money to the attackers. In this case, the attackers target the payroll process of a company and attempt to redirect legitimate payroll payments from their intended destination accounts to accounts under the attacker's control.

BEC payroll diversion scams are by necessity very focused in their targeting. To succeed, these scams must correctly identify someone in the HR or payroll department to make changes to an employee's direct deposit information.

The latest FBI data shows that the dollars lost as a result of payroll diversion scams have increased more than 815% between the 1st January 2018 and 30th June 2019. 

BEC Gift Card Scams

BEC/EAC gift card scams are similar to other attacks of this nature.

In this case, attackers will try to convince the target victim to send money to them using popular retail gift cards rather than through wire transfers. In gift card scams, the attackers will frequently impersonate the CEO or other high-level executive in the business as part of the scam.

Attackers abuse gift cards in BEC/EAC attacks because it is a quick and easy way to for them to get money from their targeted victims: the victims don't have to navigate complicated wire transfer instructions - they just go and purchase gift cards from well-known, recognised and trusted retailers.

Abusing gift cards like this is also a quick, easy and simple way for attackers to effectively launder stolen money. Instead of receiving the stolen money directly, the attackers receive the money by way of the retailer whom the targeted victim purchased the gift card from.

Tackling this expensive enemy

Because cybercriminals employ multiple tactics and combinations of impersonation and account compromise, defending against one or two of these tactics is insufficient to address the threat as a whole. 

As BEC/EAC attacks target people, rather than infrastructure, organisations must ensure they are delivering ongoing, comprehensive cyber security awareness training to all employees, across all functions, to help their people identify these impersonation emails and act against them.

Organisations should also invest in an email security solution that detects and stops impersonation, account compromise, credential phishing and social engineering.

To build such a solution, email security providers need access to the right data sources: email traffic, cloud account activity, user data and domain data. With that information, threat analysts and machine learning models can detect the use of multiple tactics in these types of attacks and implement integrated, adaptive controls across the attack surface of email, cloud accounts and people.

Ultimately, BEC works because it is low-profile and unassuming. Rather than trying to spot a smoking gun, organisations should train their employees to be vigilant about all forms of email communication.

Additional verification may add a few minutes of inconvenience when approving a genuine request, but that's nothing compared to the pain of a successful BEC attack.

Adenike Cosgrove is a Cybersecurity Strategist (International) at Proofpoint