Here are the 5 types of Business Email Compromise and how you can stop yourself falling for them
It might sound crazy, but cyber attackers sometimes have more hacking success when they just ask a business for money.
This, in essence, is Business Email Compromise (BEC): one of the most popular types of phishing scam, and one of the most successful.
According to security firm Agari, in the second half of 2017 96% of organisations were targeted by Business Email Compromise attacks. These attacks reached inboxes primarily because they didn’t rely on malicious attachments or payloads. Instead, they relied on social engineering to deceive employees, crafting messages that looked as legitimate as possible.
While traditional forms of phishing scams are intent on infecting a business’s IT systems with ransomware, spyware, or various malware, BEC is used to trick employees into handing over money or to perform tasks to get what the hackers want.
And BEC attacks continue to be very successful. The FBI reported last year that between October 2013 and December 2016, businesses across 131 countries were targeted by approximately 40,000 successful BEC attacks, which cost around £3.7 billion in total. In a statement, the FBI said: "The BEC/EAC scam continues to grow, evolve, and target small, medium, and large businesses. Between January 2015 and December 2016, there was a 2,370 percent increase in identified exposed losses. The scam has been reported in all 50 states and in 131 countries. Victim complaints filed with the IC3 and financial sources indicate fraudulent transfers have been sent to 103 countries."
But how do you prevent an attack you can’t recognise? The first step is to become aware of what they look like.
These are the 5 most common types of BEC attack…
Most BEC attacks begin with the attacker compromising an employee’s email account (usually that of a high-level executive) or using a publicly available email address. Typically, the compromise is achieved via keylogger malware or standard phishing. The phisher then monitors the compromised account to work out who initiates money transfers and who requests them. Once they have this information, they can launch an attack in one of five common ways.
1. The sham invoice
Also called “The Bogus Invoice Scheme”, this type of BEC attack is usually used against a business that has an established relationship with a supplier. Posing as the supplier via a spoofed email or telephone call, the attacker asks for payment of an invoice to be sent to a fraudulent account.
2. The fake CEO
In this version, phishers impersonate the highest-level executives (CEO, CTO, CIO, CFO) or any individual who typically handles confidential and sensitive information, initiates money transfers, or controls the accounts. Sometimes fraudulent requests for money transfers are sent directly to the business’s financial institution with instructions to send funds to a specified bank account. Other names for this type of BEC include “CEO Fraud”, “Business Executive Scam”, and “Financial Industry Wire Fraud”.
3. The compromised account
This is a very typical BEC scam in which an employee’s email account is infiltrated and then used to request invoice payments to bank accounts controlled by fraudsters. In this scenario, emails are sent to several vendors found in the hacked employee’s address book. The business may be unaware it has been compromised until a vendor checks on the status of an invoice payment.
4. The Bogus Lawyer
This type of BEC involves a cyber attacker contacting either the CEO or employees of a company while pretending to be a lawyer or a representative of a law firm handling time-sensitive or confidential matters. The email (or sometimes phone call) tries to pressure the employer or employee into acting quickly, or into handling a transfer of money in secret. These BEC scams may be timed for the end of the working day, when employees are more likely to rush jobs before they leave.
5. The data fake out
In this version of BEC, the email accounts of role-specific employees (more often than not in HR) are hacked and used to send requests. These requests are not usually for fund transfers but for personally identifiable information about other people in the company, such as executives, which serves as the starting point for a bigger and more devastating BEC attack. The data fake out relies on social engineering rather than system penetration.
Without proper security solutions and processes, BEC attacks are likely to keep hitting your business at an increasingly alarming rate. Because BEC emails rarely include links or attachments, many traditional gateway systems struggle to defend against them. For BEC you need stronger protection and multi-layered security solutions.
Here are 7 easily implementable techniques to limit BEC attacks in your business.
1. Rigorously scrutinise all email requests for transfers of confidential information or funds to check they are not out of the ordinary. Know your customer or vendor habits, including details of payments, reasons behind them and the amounts.
2. Register domains that are slightly different from your actual company domain, so potential attackers cannot use them.
3. Set up rules to flag emails from domains that look similar to your company’s. For example, if your domain is abc123.com, flag email addresses from abc-123.com and similar variations.
4. Always use multi-factor authentication before transferring sensitive information or money. For example, make sure you verify any change in a vendor’s payment details. Do not blindly use the phone numbers or contact email addresses included in the email request itself.
5. Find a trustworthy and robust email security solution that lets you flag the words commonly used in BEC attacks, such as “urgent”, “payment” and “request”. Your chosen solution should also detect suspicious patterns, such as an email from your local domain to your local domain that carries a non-local reply address.
6. Use a security solution that is well regarded for detecting the complex and evasive malware used in BEC attacks (such as keyloggers). It should evaluate threats both on hosts and in your network traffic.
7. Educate your employees on the most common types of BEC attacks, how to spot them, what to do when they find them, and invest in regular security training to keep up with the latest cyber attack trends.
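As an added example (not code from the original article or from Xenace), here is a small Python check that implements techniques 3 and 5 above: it flags senders from lookalike domains, local-to-local mail whose Reply-To leaves the company, and the keywords the article suggests. The company domain abc123.com is the article’s own example; the sample message is constructed for this demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "abc123.com"                    # the domain the article uses as its example
BEC_KEYWORDS = ("urgent", "payment", "request")  # words the article suggests flagging

# Constructed sample (not from the article): looks like the CEO writing to finance,
# but any reply would go to a lookalike domain outside the company.
SAMPLE = """From: CEO <ceo@abc123.com>
To: finance@abc123.com
Reply-To: ceo@abc-123.com
Subject: Urgent payment request

Please process this payment before you leave today.
"""

def domain_of(header_value):
    # Lower-cased domain part of an address header, or '' when the header is absent.
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance; one edit is enough to catch abc124.com or abc123.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, company=COMPANY_DOMAIN):
    """True for near-misses of the company domain (hyphen inserted, one char changed)."""
    if not domain or domain == company:
        return False
    return domain.replace("-", "") == company or edit_distance(domain, company) <= 1

def bec_flags(raw_message, company=COMPANY_DOMAIN):
    """Return the BEC indicators found in one RFC 822 message (single-part body assumed)."""
    msg = message_from_string(raw_message)
    sender, recipient, reply_to = (domain_of(msg[h]) for h in ("From", "To", "Reply-To"))
    flags = []
    if is_lookalike(sender, company):
        flags.append("lookalike-sender-domain")
    if sender == company == recipient and reply_to and reply_to != company:
        flags.append("local-to-local-with-external-reply-to")
    text = (msg["Subject"] or "") + " " + (msg.get_payload() if not msg.is_multipart() else "")
    hits = sorted(k for k in BEC_KEYWORDS if re.search(r"\b%s\b" % k, text, re.I))
    flags += ["keywords:" + ",".join(hits)] if hits else []
    return flags
```

Running `bec_flags(SAMPLE)` on the constructed message raises both the external Reply-To flag and the keyword flag, while the real-domain sender alone is not a lookalike hit.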
At Xenace, we created Phishwise to help SMEs defend themselves against Business Email Compromise. It’s an interactive learning platform for companies to educate their employees on how to spot an attack and what to do to avoid them. For more information visit our website or contact us now for an informal chat.