BEC Scams and Effective Ways to Secure Your Corporate Email Communications

Cybercriminals are most often motivated by money. Cybercrime has been described as the "world's third-largest economy", generating over $9.5 trillion. One method used to extract large sums of money from companies is Business Email Compromise (BEC). BEC scams use various methods to manipulate and exploit companies of all sizes into handing over funds to a hacker. The FBI has described BEC as "one of the most financially damaging online crimes".
What is Business Email Compromise?

The Verizon Data Breach Investigations Report (DBIR) found that most (86%) cybercrimes are financially motivated. Business Email Compromise (BEC) is a cyber threat that focuses on the theft of corporate funds.
To execute BEC fraud, cybercriminals use tried and tested tactics like social engineering and email account takeover. Using these tactics, BEC fraudsters can manipulate staff into transferring money to a threat actor, the employee believing they are sending money to a legitimate business partner, customer, or similar. BEC scams are successful because of the manipulation of trusted business relationships, like a CFO and an employee in accounts payable.
BEC fraudsters make a lot of money from scamming companies, including small to medium-sized businesses (SMBs). This success has seen BEC attacks rise by 30%. BEC scammers are beginning to use Generative AI and deepfakes to make the attacks more realistic and compelling. A recent example of a deepfake-enabled business email compromise was carried out at engineering firm Arup. An employee was tricked into attending a video conference that used a deepfake of the company's CFO. The deepfake CFO convinced the employee to transfer large sums of money. Ultimately, the company lost $25 million to the deepfake BEC.
[Figure: Companies of All Sizes Are at Risk of a BEC Attack. Source: Abnormal Security]
Types of BEC Scams
Over the years, cybercriminals have developed BEC scam variants. The following are the most common:

CEO / CFO Impersonation
BEC scams rely on manipulating trusted relationships. Scammers may compromise or spoof an executive's email account, such as that of a CEO or CFO. The email is then used to impersonate the executive. In the Arup example, the CFO was impersonated using a deepfake video. Other examples of AI-assisted BEC attacks use voice deepfakes. Any of these methods may be used to trick the target employee into performing a task for the impersonated executive that involves transferring money.
Attorney / Investment Manager Impersonation
Attorneys are also targets for impersonation. The BEC scammer targets lower-level employees, house buyers, and others needing to transfer large sums to carry out a transaction. A recent example involved a Massachusetts workers' union. A spoofed email that appeared to be from the union's investment manager resulted in losses of $6.4 million.
Fake Invoice / Invoice Manipulation
Attackers can intercept an invoice, changing the legitimate bank details to those of a hacker's account. Alternatively, the attacker may send a fake invoice using a compromised or spoofed executive email account.
Vendor Email Compromise (VEC)
Vendor Email Compromise (VEC) is a type of BEC and supply chain attack in which fraudsters impersonate a third-party vendor to steal from the vendor's customers. The fraudsters may use email compromise, spoofing, and/or deepfakes to carry out the BEC scam.
Data Theft
Sometimes, BEC tactics are used to steal data rather than money directly. The stolen data is then used to commit further attacks.
How Much Does a BEC Scam Cost a Business?

BEC scams cost businesses an average of $137,132 per incident, with 21,489 reported attacks in the USA, according to FBI data. Over the past decade, $55 billion has been lost to BEC attacks globally.
The average costs, however, hide the damaging financial harm done to targeted companies and individuals. For example, a recent home buyer was the victim of a BEC scam during the purchase. The victim received a spoof email impersonating their attorney. The email instructed them to wire $426,000.00 to a "financial institution" to close the house purchase.
BEC scams cost businesses more than illegally transferred funds. Fraudsters may steal login credentials and compromise executive accounts to carry out a BEC attack. Operations may need to shut down to rectify the breach and establish safe working conditions. Productivity is hurt, and the time it takes to respond to the attack can cost an average of $167 per minute per server affected.
The impact on reputation is challenging to quantify. However, VEC can lead to a loss of trust in a supply chain and subsequent loss of business.
How Does Business Email Compromise Work?
Email compromise relies on specific tactics and techniques. It is important to note, however, that "BEC kits", sold as a service, make BEC scams easier for threat actors to carry out. Generative AI and deepfakes are also making BEC scams more accessible. AI-assisted BEC scams are believed to be behind an increase in BEC attacks, with 40% of the scams using AI.
BEC scams are based on the following tactics and techniques:
Intelligence Gathering Using the Dark Web
Fraudsters need data and intelligence to decide who to target. The dark web provides marketplaces and forums, allowing cybercriminals to purchase company data, including login credentials and company intelligence.
Phishing / Spear Phishing
Threat actors may use spear phishing to obtain login credentials if they are not available on the dark web. The phishing emails are created using gathered intelligence. Generative AI may be used to create a hyper-personalized phishing email using the intelligence.
Compromise or Spoofing of Email Accounts
If spear phishing delivers login credentials, the BEC fraudsters will compromise the executive account. Otherwise, the fraudsters will spoof the email account, making an email look like it has come from an executive or vendor.
Credential Stuffing
BEC fraudsters may use "credential stuffing" to compromise an email account. Credential stuffing is based on already stolen login credentials, often purchased on the dark web.
Social Engineering of Staff
Recipients of spoof or compromised emails are socially engineered to ensure they believe the email is from a trusted person, like a CEO. The social engineering element of a BEC attack is essential to ensure that the target believes they are paying an invoice / sending money to a legitimate bank account.
Interception of an Invoice
In some BEC scams, the attackers use Man-in-the-Middle techniques to intercept email traffic, pulling an invoice from an email and adjusting the bank details before sending it on to the legitimate recipient to process.
Domain Impersonation
BEC attacks may require a spoof website to capture login credentials or to trick targets into believing they are dealing with a legitimate vendor. BEC fraudsters register domains that look just like the legitimate one. The URL will closely mimic the real domain; for example, www.Microsoft.com may be spoofed as something like www.Micr0s0ft.com.
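The lookalike-domain check described above, as an added defender-side example that is not part of the original article: it folds a sender's domain to a visual "skeleton" (digit-for-letter and multi-character confusables such as rn for m), measures edit distance against a list of protected domains, and flags brand names embedded in unrelated domains or used as a subdomain. The protected list, the substitution table and the sample addresses are constructed for illustration; a real deployment would use the Public Suffix List instead of the simple "last two labels" rule used here.

```python
import unicodedata
from dataclasses import dataclass
from typing import List, Optional

# Constructed list of domains to protect: your own domains plus key vendors and banks.
PROTECTED_DOMAINS = ["microsoft.com", "example-bank.com", "acme-vendor.com"]

# Illustrative (not exhaustive) substitutions seen in lookalike domains.
# Multi-character entries are applied before single characters.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d",
              "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalize_label(label: str) -> str:
    """Fold a domain label to a visual 'skeleton' so lookalikes collide with the original.
    Lower-case, strip accents via NFKD (which also folds full-width Latin letters),
    then apply the substitution table. Cyrillic/Greek confusables are not handled here."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one insertion, deletion or substitution counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: a real deployment would use the
    Public Suffix List so that names like 'example.co.uk' are handled correctly."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


@dataclass
class Verdict:
    domain: str
    matched: Optional[str]
    reason: str


def assess_sender_domain(sender: str, protected: List[str] = PROTECTED_DOMAINS,
                         max_distance: int = 1) -> Verdict:
    """Classify the domain of a sender address against the protected list."""
    domain = sender.rsplit("@", 1)[-1].lower().strip()
    reg = registrable_domain(domain)
    if reg in protected:
        # The domain is genuine only if SPF/DKIM/DMARC confirm it; this check cannot.
        return Verdict(domain, reg, "exact match; rely on SPF/DKIM/DMARC to confirm it is genuine")
    reg_name = reg.split(".")[0]
    skeleton = normalize_label(reg_name)
    for p in protected:
        p_name = p.split(".")[0]
        p_skel = normalize_label(p_name)
        if skeleton == p_skel:
            return Verdict(domain, p, "homoglyph lookalike")
        if levenshtein(skeleton, p_skel) <= max_distance:
            return Verdict(domain, p, "typosquat lookalike")
        if (p + ".") in domain:  # e.g. microsoft.com.mail-host.net
            return Verdict(domain, p, "protected domain used as a subdomain of another domain")
        if p_name in reg_name:  # e.g. microsoft-support.com
            return Verdict(domain, p, "brand name embedded in an unrelated domain")
    return Verdict(domain, None, "no lookalike match")


if __name__ == "__main__":
    # Constructed sample senders for a quick run.
    for addr in ["cfo@Micr0s0ft.com", "billing@rnicrosoft.com", "ap@microsft.com",
                 "it@microsoft-support.com", "vendor@example.org"]:
        print(addr, "->", assess_sender_domain(addr).reason)
```

A verdict other than "no lookalike match" is a signal for mail-flow rules (quarantine, banner, or route to review), not proof of fraud on its own; the exact-match case is deliberately handed to SPF/DKIM/DMARC, because a string comparison cannot tell a spoofed header from a genuine one.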
How can a Business Protect Its Assets from BEC Scammers?
BEC scams take several forms and use multiple techniques to trick targets. Increasingly, BEC attacks utilize Generative AI and deepfakes to make attacks more plausible. The following security measures are recommended to prevent BEC attacks:

Security Awareness Training
Educate employees, including C-level executives and accounts payable staff, on BEC attacks and how they target employees and executives. Use phishing simulations to train employees to recognize phishing attacks.
Internal Processes and Cross-Checks
Ensure that your internal processes require checks and sign-offs. Examples of anti-BEC processes include call-back verification for any payment instruction changes, dual-approval workflows for transactions, and multiple-channel approval for high-value transactions.
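The three controls listed above (call-back verification for payment instruction changes, dual approval, and approval over more than one channel for high-value transactions), modelled as an added example that is not part of the original article. The vendor record, approver names, channel labels and the 50,000 high-value threshold are constructed; the point the code enforces is that the call-back must go to the number already on the vendor master record, never to a number supplied in the change request itself, and that approvals must come from two distinct people, with two distinct channels above the threshold.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HIGH_VALUE_THRESHOLD = 50_000  # constructed threshold; the real value comes from finance policy


@dataclass
class VendorRecord:
    """Vendor master data captured at onboarding, outside of email."""
    name: str
    bank_account: str
    verified_phone: str  # confirmed at onboarding; never updated from an inbound email


@dataclass
class Approval:
    approver: str
    channel: str  # constructed labels such as "portal", "phone", "in-person"


@dataclass
class BankDetailChange:
    """A request to change payment instructions, typically arriving by email."""
    vendor: str
    new_account: str
    phone_in_request: str  # the number the email asks us to call back; not trusted
    requested_by: str
    callback_number: Optional[str] = None
    approvals: List[Approval] = field(default_factory=list)


class PaymentControls:
    def __init__(self, vendors: List[VendorRecord]):
        self.vendors = {v.name: v for v in vendors}

    def record_callback(self, change: BankDetailChange, number_called: str) -> None:
        """Record which number the verifier actually dialled."""
        change.callback_number = number_called

    def approve(self, change: BankDetailChange, approver: str, channel: str) -> None:
        if approver == change.requested_by:
            raise ValueError("requester cannot approve their own change")
        if any(a.approver == approver for a in change.approvals):
            raise ValueError("each approver may approve once")
        change.approvals.append(Approval(approver, channel))

    def check_change(self, change: BankDetailChange) -> Tuple[bool, str]:
        """May the new bank details be written to the vendor master record?"""
        vendor = self.vendors.get(change.vendor)
        if vendor is None:
            return False, "unknown vendor"
        if change.callback_number is None:
            return False, "call-back verification not performed"
        if change.callback_number != vendor.verified_phone:
            return False, "call-back went to a number not on the vendor master record"
        if len(change.approvals) < 2:
            return False, "dual approval incomplete"
        return True, "change may be applied"

    def check_payment(self, vendor_name: str, account: str, amount: float,
                      approvals: List[Approval]) -> Tuple[bool, str]:
        """May a payment be released to this account?"""
        vendor = self.vendors.get(vendor_name)
        if vendor is None:
            return False, "unknown vendor"
        if account != vendor.bank_account:
            return False, "account does not match vendor master record"
        if len({a.approver for a in approvals}) < 2:
            return False, "dual approval incomplete"
        if amount >= HIGH_VALUE_THRESHOLD and len({a.channel for a in approvals}) < 2:
            return False, "high-value payment needs approval over two different channels"
        return True, "payment may be released"


if __name__ == "__main__":
    # Constructed walk-through: an emailed request carries its own "please call" number.
    controls = PaymentControls([VendorRecord("Acme Vendor", "GB00-ACME-0001", "+44 20 7946 0001")])
    change = BankDetailChange("Acme Vendor", "GB00-NEW-0002", "+44 20 7946 9999", "ap.clerk")
    controls.record_callback(change, change.phone_in_request)
    print(controls.check_change(change))  # rejected: wrong number dialled
```

Payments are checked against the account on the master record, so an intercepted or fabricated invoice carrying different bank details cannot be paid until the change itself has passed the call-back and dual-approval path.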
Dark Web Monitoring
Dark web monitoring tools locate company information, such as email addresses and company intelligence, available on the dark web. Being aware of cybercriminal activity targeting your company helps you prepare employees for cyberattacks.
Robust Identity and Access Management (IAM)
Use robust IAM measures, such as multi-factor authentication (MFA), and enforce access rights on a need-to-know basis to help prevent unauthorized access and account compromise.
Email Authentication (DMARC)
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication protocol used to prevent domains from being used in phishing and spoofing attacks.
AI-Powered Email Security
AI-powered email security can help prevent AI-powered phishing attacks that are otherwise challenging to detect. These advanced solutions can also detect intent and manipulative language in emails.
FAQs
How should your business respond to a BEC attack?
You must develop a BEC incident response plan to ensure you have the best chance of recovering stolen money, and then you must act fast! The response plan should include a step-by-step guide to recovery, including how to deal with your company bank and law enforcement.
How does dark web monitoring help prevent BEC?
Dark web monitoring checks the dark web for signals that your company information is being used for nefarious purposes. By using tools like Sentinex, a company can stay ahead of BEC attacks, ensuring that all potentially targeted employees and executives are prepared. Dark web monitoring allows a company to mitigate risks and harden defenses.
Can funds be recovered if my company is a victim of BEC?
Funds can sometimes be recovered after a BEC attack. However, it can be complicated. Depending on the amount, type of transaction, and jurisdiction, your bank may be able to initiate a chargeback. Work with law enforcement, as they may be able to track the cybercriminals and recover funds. Specialist recovery services can also help.