Business email compromise attacks are growing in prevalence and creativity. Here’s a look at how they work, the latest stats, and some recent horror stories.
Last summer, the US Federal Bureau of Investigation (FBI) sounded a loud alarm for organizations about the growing danger of business email compromise (BEC) scams. At that time, the FBI said BEC fraud had cost organizations worldwide $12 billion in losses since 2013.
Since then, the threat has continued to grow more dire. Security industry researchers have shown BEC scams are increasing in scope and complexity as attackers perfect their attack playbooks to target an increasing number of victims around the globe.
Here, Dark Reading takes a look at how BEC scams work, the latest statistics on BEC prevalence, and some recent BEC horror stories that should help security professionals and users prepare themselves for this growing class of fraud.
How BEC Works
BEC scams vary, but the general commonality is that they go after well-placed individuals — those who control financial accounts — at both large and small organizations with very targeted spear-phishing attacks. Typically using either email account takeover or spoofing, the bad guys will impersonate a colleague or boss — sometimes the CEO, sometimes a vendor, sometimes a highly ranked individual in another department. They’ll then convince the mark to either transfer money to a fraudster or change details in an existing financial transaction to benefit themselves.
The Fraudulent Activity
Some of the actions the bad guys are trying to trigger include getting their targets to transfer money to an account supposedly held by the company to cover a confidential transaction, paying a phony “unpaid” invoice, or diverting payroll for employees on auto-pay. The scenarios are plentiful, only limited to the creativity of attackers in coming up with a convincing social engineering “hook” that makes sense for whomever the target may be. In many cases, these transactions are sizable, and attackers will do considerable research to come up with a plausible, tailored story.
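The two sections above describe the mechanics a defender can actually test for: a display name borrowed from an executive, a sender domain spoofed or a lookalike of the company's own, a Reply-To quietly diverted elsewhere, failed sender authentication, and a "hook" built from urgency and money. The triage script below is an added example written for this page, not code from Dark Reading, Agari, Proofpoint or Mimecast. It assumes a hypothetical organization at example.com with two named executives, and the two sample messages (including the Authentication-Results line) are constructed for the demonstration.

```python
"""Heuristic triage for inbound mail that flags the BEC impersonation
patterns described above. Added example with constructed sample data;
not a production mail filter."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: our own domain and the executives an
# attacker would most plausibly impersonate (hypothetical names).
OUR_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}
# Words that typically carry the social-engineering "hook".
HOOK_WORDS = re.compile(
    r"\b(urgent|immediately|confidential|wire|transfer|invoice|payment|acquisition)\b",
    re.I,
)


def levenshtein(a, b):
    """Edit distance, used to catch lookalike domains such as exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Return a list of human-readable findings; an empty list means no BEC indicator fired."""
    msg = message_from_string(raw)
    findings = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Display-name impersonation: a known executive's name on a foreign address.
    key = display.strip().lower()
    if key in EXECUTIVES and from_addr.lower() != EXECUTIVES[key]:
        findings.append("display-name impersonation of %s" % display)

    # 2. Lookalike sender domain: within two edits of ours, but not ours.
    if from_dom and from_dom != OUR_DOMAIN and levenshtein(from_dom, OUR_DOMAIN) <= 2:
        findings.append("lookalike sender domain %s" % from_dom)

    # 3. Reply-To diverted to a domain other than the visible sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply_addr)
    if reply_dom and reply_dom != from_dom:
        findings.append("Reply-To domain %s differs from From domain %s" % (reply_dom, from_dom))

    # 4. Sender authentication failure recorded by our own MX (RFC 8601 header).
    auth = msg.get("Authentication-Results", "")
    if re.search(r"\b(dmarc|spf|dkim)=fail\b", auth, re.I):
        findings.append("sender authentication failed: " + auth.strip())

    # 5. Social-engineering hook: two or more urgency/money words in subject or body.
    body = "" if msg.is_multipart() else msg.get_payload()
    hooks = sorted({m.lower() for m in HOOK_WORDS.findall(msg.get("Subject", "") + "\n" + body)})
    if len(hooks) >= 2:
        findings.append("urgency/financial hook: " + ", ".join(hooks))

    return findings


# Constructed sample: executive impersonation from a lookalike domain.
SAMPLE_SPOOF = """From: Jane Doe <jane.doe@exarnple.com>
Reply-To: jane.doe@webmail-relay.invalid
To: cfo@example.com
Subject: Urgent wire transfer for confidential acquisition
Authentication-Results: mx.example.com; dmarc=fail header.from=exarnple.com

Need you to wire the deposit today, keep this confidential until the deal closes.
"""

# Constructed sample: a legitimate internal message.
SAMPLE_CLEAN = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Board deck for Thursday
Authentication-Results: mx.example.com; spf=pass dkim=pass dmarc=pass header.from=example.com

Attached is the draft; comments welcome.
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("clean", SAMPLE_CLEAN)):
        print(label, "->", score_message(sample) or ["no indicators"])
```

The checks are deliberately independent so that a single one firing (say, a lookalike domain with no urgency language) still surfaces for a human reviewer; in practice the display-name and lookalike rules catch the spoofing half of the article's description, while the Reply-To and hook rules catch the account-takeover case, where the From address is genuine and only the request is wrong.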
Crooks Making a Mint
The crooks are making a fortune on these fraudulent transfers, fully embracing the philosophy of the “bigger the lie, the more believable it is” and, in many cases, convincing victims to transfer millions of dollars at a time. Last year a European cinema chain fell victim to a BEC attack that bilked $21.5 million in a series of transfers over the course of a month. The attackers targeted a Dutch regional executive at the firm by posing as the French CEO of the company that supposedly needed funds transferred for an acquisition.
According to security experts such as Crane Hassold, senior director of threat research at Agari, the upside for BEC attackers is huge because, in many cases, it takes very little technical acumen or infrastructure to carry out their attacks. As such, they expect the bad guys to continue flocking to BEC.
“The ROI for BEC is significantly higher than any of the other more technical cyberattacks,” Hassold told Dark Reading. “I think that’s going to be the next step. We’ll see other groups move into this space.”
Significant BEC Increases in the Past Year
That phenomenon of growing awareness from the bad guys is already making itself apparent in recent statistical analysis of BEC attack trends. According to a report earlier this spring by Proofpoint, the number of BEC attacks per targeted organization increased 476% year-over-year in the last quarter of 2018. Meantime, Mimecast found in its 2019 annual report on email security that impersonation and BEC attacks increased by 67%, with 73% experiencing direct losses.
That last point is important to remember, as BEC losses aren’t from damages to systems, downtime, or lost productivity. Instead, these are losses of cold, hard cash. All told, the FBI said that the known total losses for BEC equaled $2.7 billion in 2018.
BEC Scammers Love Targeting CFOs and Financial Gatekeepers
While the types of victims vary from case to case, one thing is certain: The bad guys love to go after CFOs and other financial gatekeepers. In fact, one recent report showed that a multinational gang of attackers conducting BEC campaigns would actually seek out companies that sell contact information to marketers about CFOs to fuel its social engineering targeting efforts. This group not only uses the common “unpaid vendor” story to trick victims, but also other subterfuge, such as pretending to be an executive trying to conduct M&A activity who urgently needs a down payment so as not to jeopardize the deal.
From 419 to BEC Scams
A brand-new research report from Agari found that for some cybercriminal gangs, BEC attacks are just a part of the bad guys’ well-balanced breakfast of fraudulent schemes. It highlighted one group called Scattered Canary, which initially started about 10 years ago with a lone Nigerian 419 scammer. Since then it has built up to at least 35 individuals who now make big bucks with BEC scams; they also conduct romance scams, credential harvesting, credit card and check fraud, and tax cons.
No Target Is Sacred
Everyone is fair game for BEC attackers. These criminals have stolen nest eggs from families during real-estate transactions, and just this spring they managed to steal $1.75 million from an Ohio Catholic parish that was raising money for a church renovation. In that case, the criminals posed as the construction company the church was working with, claiming the church had missed payments on the project.