The state of BEC in 2021 (and beyond)
Ransomware has made major cybersecurity story headlines in the past 12 months. Therefore, a lot of focus and corporate resources are spent on mitigating the risk of ransomware. And rightly so.
But another threat that has been around for a long time is just as damaging to a business: this is the specter of Business Email Compromise or BEC.
See Infosec IQ in action
The impact of BEC
Ransomware makes headlines because of the acute impact on an infected business and the often massive ransom demands. The biggest ransom in 2021 was the $50 million demand from the ransomware attack on Acer. By comparison, BEC is seemingly less impactful, with losses in the region of hundreds of thousands rather than millions of dollars. However, exceptions to this are common, with one company filing a complaint with the Internet Crime Complaint Center (IC3) when they realized they had sent a wire transfer for $60 million to a fraudster: the money was subsequently traced and returned by the IC3 Recovery Asset Team (RAT).
The 2020 FBI Internet Crime Complaint Center (IC3) report found that the number of BEC crimes (19,369) was around four times the number of reported ransomware attacks (2,474).
The amounts involved in the crime were also notable. BEC losses amounted to around $1.8 billion, whereas ransomware costs were $29.1 million. Even adjusting for the number of attacks of each type of cybercrime, ransomware was still, overall, less costly than Business Email Compromise.
Business Email Compromise (BEC) and its cousin, Email Account Compromise (EAC), are complicated crimes that involve several key components to make an attack successful. BEC/EAC fraudsters want your company's money. To get at that money, they target a business and use intelligence and reconnaissance tactics to understand how it operates.
The key to understanding BEC/EAC is that these crimes are people-centric and rely on compromising email accounts to initiate the money transfer. Like the “sting” of old confidence tricks, BEC/EAC is about people tricking people.
The BEC fraudsters use some traditional cybercriminal techniques such as phishing, social engineering and credential stuffing. These techniques are part of the overall cyberattack chain used to collect identity details and trick an employee into transferring money to a fraudster's bank account.
The recent trends in BEC/EAC show that fraudsters are changing tactics. Whereas they may have spoofed C-Level email accounts in the past, they have expanded their net to include spoofed victims across the business ecosystem.
Trends in BEC fraud
Typical elements of a BEC crime are subject to change when the fraudsters behind a BEC attack see fit. Cybercriminals keep watch of technology and market changes and use these to adjust tactics. Trends in recent years have seen BEC fraudsters extend their email compromise to include the vendor ecosystem of a target business and use stolen W-2 information to build attack intelligence. Any system that offers the fraudster data intelligence to feed back into an attack chain is at risk of compromise/theft.
Some of the latest trends discussed by IC3 in their 2020 report show this ‘track and change’ mode of operation:
Changes that impact businesses such as remote work and market themes
A report from Mimecast found that BEC crime increased by one-third in the first 100 days of the pandemic. BEC fraudsters take note of market trends and drivers. During COVID-19, for example, they used pandemic themes to create phishing templates. The COVID-19 pandemic has shifted the workplace from always in the office to sometimes at home. At home, working has meant that email communications have become more important than ever. Staff is no longer in the same office, never mind the same room. It becomes easier for cybercriminals to rely on mistakes being made and fewer cross-checks available.
As companies continue to accept home working as the new normal, BEC tactics must become part of an ongoing security awareness discussion with employees. In addition, policies and processes need to consider BEC with remote working practices reflecting the risk level of BEC to given employees and departments (such as payments).
Mosaic cybercrime tactics
A mix-and-match approach to committing wire fraud (BEC/EAC) has been identified by IC3 as a new BEC tactic. Other frauds, such as identity theft and romance scams, deliver the data intelligence needed to propagate a BEC scam. One such scam was observed to use stolen identity information; identity data was used to create a bank account to move the funds from an illegitimate wire transfer before being transferred into a cryptocurrency account.
Identity theft is a long-reaching cybercrime. For example, if identity data is verifiable, it can be used to open bank accounts. This offers the fraudster a powerful way to commit crimes that are difficult to detect because of the assurance of the underlying identity. Identity systems must recognize this use of verified identity data and counter-fraud checks during transactions. The banking system, Know Your Customer, and due diligence (KYC/CDD) processes must also be hardened against identity misuse.
Cryptocurrency
Cryptocurrency provides a mechanism to hide stolen funds, making tracing and recovering those monies hard. In April 2021, the FBI’s IC3 warned of the increasing use of cryptocurrency accounts in BEC fraud. The agency identified two main types of transfer, “Direct” and “Second Hop.”
Direct
This method depends on the fact that Cryptocurrency Exchanges (CEs) hold accounts with traditional financial institutions (FIs) to facilitate trading/exchanging on behalf of customers. The victim is scammed in the traditional way using a spoofed or compromised email. The money is transferred and then moved into a cryptocurrency wallet.
Second Hop
This scam relies on the use of identifying documents stolen via romance scams, extortion etc. These scams result in the fraudster having access to identity documents such as a passport, driver’s license etc. These documents are then used to set up custodial bank accounts to receive BEC funds transferred to a CE.
The IC3 presents several mitigating measures to use to protect against a BEC scam. These include using robust authentication when account changes are made and hypervigilant on security awareness and phishing tricks.
Deep fakes and AI
An alleged case of deep fake technology in a BEC scam was already noted in 2019. The case involved a CEO being tricked into transferring $240,000 because he heard what he thought was his parent company boss but was a fake voice. It is only a matter of time before deep-faked identity is regularly used to trick employees and individuals into transferring money or circumvent a bank KYC/CDD processes to create bank accounts for fraudulent transfers. Researchers have already created “master faces” to bypass facial recognition. Researchers state that they can use the technology to impersonate around 40% of the population. And this technology is predicted to be extensible to circumvent the liveness tests used as the industry standard to prevent fraud.
Deep fakes and AI technologies are proving to be a hard security nut to crack. While work is being carried out to improve detection, it may well come down to vigilant business processes and checks to prevent an AI-enabled BEC scam.
Phishing simulations & training
Breaking the trust in money flows
BEC fraudsters break the trust in the money flow chain of a business. Fraudsters will use any tactic that fits the bill and apply a mix-and-match approach to BEC fraud. Cyber fraudsters will watch and learn as the market and business evolve. They will use emerging technologies to perform the basic acts needed to trick employees and individuals. The use of artificial intelligence in the form of deep fakes to commit BEC fraud is not a case of if the technology is used, but when.
As potential victims of BEC crime, businesses need to remain vigilant and understand the types of existing and emerging tricks used by fraudsters. This intelligence will help your organization build processes and structures to help employees spot potential fraud before any money is moved.
For more advice, read our article, How to prevent business email compromise.
In this Series
- The state of BEC in 2021 (and beyond)
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Phishing-as-a-Service
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
