Business Email Compromise – BEC – attacks uses false emails allied to other social engineering tricks to defraud business, public sector and other organisations, most often by tricking employees into raising, authorising, and making payments into accounts of cyber criminals and their cohorts. BEC – known also as ‘CEO Fraud’ and ‘whaling’ (i.e., ‘big phish’) – attacks target specific employee roles within an organisation by sending a spoof emails that maliciously pretend to represent a senior executive (CEO, CFO, etc.) or a trusted customer. The email will contain requests and instructions, such as the initiation and approval of payments or maybe the release of valuable data.
“BEC is designed to bypass traditional security filters,” explains Bharat Mistry, Principal Security Strategist at Trend Micro. “It does this by virtue of the fact that threats typically don’t contain malware at all. Instead, it relies on either spoofing the [email] of a senior executive or hacking/phishing their email account and using it to send finance staff a request for immediate fund transfer. From then on, it’s all about using classic social engineering tricks to get the desired outcome – creating a sense of urgency which forces the recipient into acting without thinking.”
The impact of BEC attacks have on commercial sector around the world is growing significantly – especially when gauged against other forms of attack and loss that most businesses are subjected to. Between May 2018 and July 2019, the FBI’s Internet Crime Complaint Centre (IC3) saw a 100% increase in identified global exposed financial losses: the IC3 recorded 166,349 BEC incidents which resulted in victim losses of €23,613,082,890 ($26,201,775,589) – that’s no mean sum.
“BEC is a serious threat on a global scale,” FBI Special Agent Martin Licciardo, Special Agent at the FBI’s Washington Field Office, has commented, “and the criminal organisations that perpetrate these frauds are continually honing their techniques to exploit more unsuspecting victims.”
BEC attacks have “fast become a persistent hazard for businesses,” agrees Tim Sadler, CEO at Tessian: “Taking advantage of the sign-off power senior executives have over substantial payments, hackers are executing highly-effective and targeted attacks, often imitating known contacts to convince individuals to wire money into a bank account belonging to the wrongdoer.”
Little wonder, then, that BEC has become such an increasingly popular form of cyber crime. It’s reasonably straightforward to set-up an attack, and you don’t have to possess particularly adept technical skills to pull off a successful scam; chances of being caught are low and, as mentioned, the loots can be high.
Three instructive examples of Stateside BEC attacks are worth review:
- In April 2017 a BEC attack cost Southern Oregon University €1.71m ($1.9m) in unrecoverable funds supposed to go to a building contractor engaged on one of the university’s construction projects. Cyber suspects allegedly posed as the contractor in an email, prompting officials to send their quarterly payment to a fraudulent bank account. University financial administrators made the payment and requested confirmation of receipt. Some three business days later the construction company reported it did not receive the remittance; but it looks like BEC scammers did.
- In May 2019 Scott County Schools in Kentucky announced that it was the victim of a major BEC attack that resulted in a loss of €3.34 ($3.7m). The school was notified by a vendor that a recent invoice was outstanding. Further investigation revealed payment had been made, just not to the vendor in question. An email had been received that appeared to be from the vendor, which included forged documents and details of a bank account that was controlled by the scammer. The FBI was contacted, and attempts are being made to recover the funds.
- A few days later in May, St Ambrose Catholic Parish in Brunswick, Ohio, was a victim of a BEC attack that resulted in the fraudulent transfer of €1.58 ($1.75m) from the Church’s renovation fund. The scam was a virtual restage of the Scott County Schools BEC attack. The church was contacted by its contractor after not having had invoices paid for two months. The church was under the impression that the payments had been made to schedule. The funds had indeed left the church account, but had been directed elsewhere. An investigation into the BEC attack revealed hackers had gained access to the St Ambrose Catholic Parish’s email system and altered the contractor’s bank and payment transfer details.
BEC attack activity showed a 28% increase from 2017, according to figures from Trend Micro’s 2018 report, Caught in the Net: Unravelling the Tangle of Old and New Threats. While the overall number of these email-based attacks was low, the danger lies in how effective each singular attempt could be if successful. Whereas phishing attacks are generally launched against a wide swathe of possible victims, more research by the cyber criminal goes into each BEC attack to increase the likelihood of targeted employees being unsuspecting dupes.
Trend Micro’s research found that CEOs were the most targeted (in terms of spoofing) executives at 32%, followed by directors (29%), company presidents (10%), managers (6%), chairpersons (3%) and others (20%). The research also suggests (not surprisingly, perhaps) that more BEC attempts were seen in countries considered as international business hubs. Australia (33.9%), the US (29.6%) and the UK (15.1%) were the top three nations. (Data refers to the number of BEC attempts seen, which does not indicate whether the attacks were successful.)
The use of actionable keywords and reference terms indicates how BEC attacks rely on conditioned responses from the recipients of bogus business communications. A study of BEC trends by Symantec looked at the 10 most popular keywords used in BEC emails in the last 12 months (2018-2019). Almost all of the ‘call-to-action’ keywords are meant to snag the attention of the recipient or induce a sense of urgency with finance-related themes.
‘Transaction request’ topped the list with 39,368 instances observed, followed by ‘Important’ (37,477) and ‘Urgent’ (33,391). Other terms include ‘Request’, ‘Info’ and ‘Attention’. There were three iterations of ‘Payment’ that rounded up the top 10: ‘Payment’, ‘Outstanding payment’ and ‘Notification of payment received’. BEC scams targeted at the UK and the US were mostly labelled ‘Important’, while most BEC scams directed at Spain, France, and Germany, and Australia had payment-related themes.
The vertical sectors BEC attacks are targeted at reveal where perpetrators believe the biggest susceptibilities are to be found. Beazley’s 2018 ‘Breach Briefing’ has also corroborated a sharp increase in the number of BEC attacks in specific types of businesses. According to its findings, BEC accounted for 24% of the overall number of malicious cyber incidents reported to Beazley Breach Response (BBR) Services in 2018, compared to 13% in 2017.
‘The target of the fraudulent instruction is most often a trusted business partner or someone with internal authorisation to make [payments] on behalf of the victim organisation,’ states the report’s authors. ‘For instance, we often see these incidents occurring in a real estate transaction, where lawyers, real estate agents, and title or escrow companies are frequent targets and the cyber criminal can exploit the short timeframe for the closing to take place. In a recent incident, the cyber criminal compromised a broker’s email and sent revised wire transfer instructions, diverting the closing payment’.
Furthermore, BEC attacks are evolving as perpetrators start to apply a little lateral thinking and sophistication to their scams. The FBI’s Internet Crime Report 2018 notes that whereas in 2013, BEC scams routinely began with the hack or spoof of the email accounts of CEOs or CFOs, through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for tax status information, and the targeting of the real estate sector.
In 2018, the FBI’s Internet Level Complaint Centre – IC3 – received an increase in the number of BEC incidents that requested victims to purchase gift cards. The victims received a spoofed email, a spoofed phone call or a spoofed text from a person in authority requesting the victim purchase multiple electronic gift cards for either personal or business reasons. The gift cards were then used to make purchases before the scam is detected.
This trend was also tracked by Symantec. Its Security Response team observed that the 10 top themes carried by BEC emails in the last 12 months include: Apple iTunes gift cards (physical) to employees (the scammer requests the potential victim to buy Apple iTunes physical gift cards from a store – the scammer states that these cards will be distributed among employees of the same organisation); Apple iTunes e-gift cards to employees (the scammer requests the potential victim to buy Apple iTunes e-gift cards for employees); and Amazon gift cards (the scammer requests the potential victim to buy Amazon gift cards); Generic gift cards for clients/partners (the scammer requests the potential victim to buy physical gift cards to be distributed to partners).
BEC attacks are acutely frustrating for defensive enterprise IT security practice. Unlike viruses, Trojans and other forms of malware, the email component of BEC does not ‘advertise its presence’ to antivirus and threat detection systems. As cyber security firm Proofpoint’s Q1/2019 Threat Report points out, highly-targeted, low-volume BEC attacks often have no payload at all and are thus difficult to detect for automated safeguards.
More headaches follow for cyber governance officers. BEC victims are also confronted with having to go through a potential data breach analysis to ensure that any email compromise has not impacted Personally Identifiable Information (PII) or Protected Health Information (PHI) compliances.
Abundance of target data available from legit sources
According to a January 2019 blog post by Agari Data – ‘BEC-as-a-Service Trend Means Just About Anyone Can Launch an Attack’, there are multiple factors that make BEC the scam of choice for cyber criminals. They are mostly related to the abundance of inexpensive or free data available to prospective scammers. Cyber criminals can save time collecting data on executive chief officer role targets with the purchase of lists from legitimate lead-generation database firms that more ordinarily serve legitimate commercial marketers. These large sets of validated data can also be used to send fraudulent emails.
For BEC attackers with reduced budgets, Agari Data goes on to report, there are plenty of stolen email addresses and passwords for sale on the dark web. The ongoing stream of data breaches feeds into this pool of stolen data, with 4.5bn compromised records in the first two quarters of 2018 alone. Weak email passwords and lax email archive security add to the problem, as do the necessity to publish some named email addresses into the public domain.
For would-be cyber criminals just starting out, and without the ready monies to buy a marketing list or the tech know-how to harvest their own target data for free, there are many dark web habitués who are ready to do the ‘heavy lifting’, and reportedly offer to compromise email accounts for fees as low as €135 ($150) or a percentage of the BEC fraud’s proceeds. The service providers make money, their clients get a passive stream of fraudulent income, and the victims continue to have funds stolen.