BEC attacks: a low profile but increasingly damaging risk

Published: Friday, 19 July 2019 07:55

In 2018, the costs of Business Email Compromise (BEC) attacks passed the $1 billion mark, doubling from the prior year. Crane Hassold looks at the issue and highlights the measures that organizations can take to reduce the risk of becoming a victim of a successful BEC attack.

It seems that hardly a week has gone by in recent years without a major cyber security incident dominating the headlines. While this exposure is partly due to an increasingly bright spotlight being shone on the issue by a more engaged business and media community, unfortunately all evidence does point to a worryingly steep increase in incidents as well.

The results of the latest Internet Crime Complaint Center (IC3) report are just one of the many examples of this trend in action. The IC3 report is published annually by the FBI and records the many different types of internet-based crime reported over the previous year.

The latest report, published in May, found that victims around the globe lost a staggering $2.71bn to cyber crime. This figure accounts for all forms of cyber crime, from lottery scams and gambling fraud to hacktivism and malware attacks. Email-based cyber crime is one of the most prominent elements of the report, with email being the medium of choice for delivering cyber attacks, from phishing scams to serious malware infections such as ransomware.

The incredible cost of BEC

One of the most significant types of email crime is Business Email Compromise (BEC), which involves impersonating a trusted business contact to deceive an organization. A successful BEC attack can deliver an enormous payday for a cybercriminal, with a single attack potentially netting tens of thousands, or even millions, of dollars.

The volume and severity of these attacks have increased rapidly in recent years, and the IC3 report began recording BEC as a separate category in 2015. The inaugural report with separate BEC numbers recorded the total financial impact as $246m. As a sign of just how lucrative these attacks are, BEC was recorded as having the highest impact in dollars lost, but was just 17th in terms of the number of victims.

From then on, IC3 recorded an exponential increase in the financial impact of BEC attacks. 2016’s report saw total BEC losses of $360m, which nearly doubled to $675m in 2017. Incredibly, this figure doubled yet again to exceed $1.3bn in 2018. This cost is spread across 20,000 victims, with BEC rising to number six on the list by total victim count. With the IC3’s total recorded losses to cyber crime standing at $2.71bn over the last year, this means that BEC attacks account for almost half of all reported losses.

Why are BEC attacks so dangerous?

The exponential increase in incidents and costs is staggering – but unfortunately not surprising. In fact, with the way the criminal community has been continually developing and refining its techniques, I’m only surprised that the figure isn’t even higher.
To comprehend why BEC is claiming such a remarkable toll, it is important to understand how the attacks are carried out and why they have been so successful at evading email defences.

One of the main advantages of BEC attacks is that they deal in pure deception rather than attempting to deliver a malicious payload. This means that they are invisible to most traditional security tools, as there is nothing to detect. The fraudster will look to mimic a genuine email as closely as possible, which means there are also no keywords that will trigger traditional filters. These factors mean that a well-crafted BEC email will generally have a much higher chance of making it to the intended victim’s inbox without being intercepted.

Once they get there, these malicious fakes also have an elevated chance of fooling their target. The signature technique of the BEC attack is to impersonate a known and trusted authority figure. Unlike most phishing campaigns, which tend to be generic mass-mailouts sent to tens of thousands of addresses, BEC attacks are highly targeted. The more talented and dedicated criminals will take pains to research the target company, including hierarchy and duties of the intended victim and impersonated individual. However, even a relatively slim layer of deception will often do the trick.

Alongside this, the most common deception tactic is to combine an authority figure with a sense of urgency. For example, a message sent to a member of the finance team may purport to be from the company’s CEO, who says they are traveling but urgently need help transferring funds to an important client. Once the target takes the bait, the scammer will provide bank account details and pocket the funds before the fraud is detected. The criminals using this tactic hope that the element of pressure will cause the victim to overlook normal procedures around authorising payments. After all, most employees would be reluctant to defy an urgent request and risk angering their bosses.

The business of BEC

We have encountered many criminal groups employing a level of organization comparable to the marketing and sales efforts of a legitimate business. One such example is a gang we have dubbed London Blue, which chiefly appears to be based in Nigeria but has operatives around the world.

The gang has developed a highly refined strategy which begins with using the same commercial lead-generation services commonly used by genuine businesses. This enables the group to gather the details of hundreds of thousands of potential victims across the globe. In the course of investigating London Blue, Agari identified a list of more than 50,000 corporate financial officials that was generated during a five-month period in early 2018. The list was largely made up of CFOs, and the target companies ranged from small businesses to multinationals spread across 82 different countries.

Organized criminal gangs like London Blue have also made rapid strides into automating their outreach. Again, using commercially available email tools, it is relatively simple to send a customised email message to thousands of potential victims at a time – combining the power of a targeted email with the reach of a phishing campaign.

How criminals escape with their loot

As fraud gangs have become more organized, they have also developed new strategies for receiving the proceeds of their scams. Cashing out can actually be one of the most difficult elements of cyber crime, as illicit money can leave a paper trail that will be followed by investigators.

One of the most popular strategies we have encountered is the use of gift cards for services such as iTunes and Google Play. Rather than asking for a direct bank transfer, the scammer will ask their target to buy the equivalent value of gift cards instead. This approach is likely to raise a few more eyebrows than simply asking to transfer funds directly, but convincing scammers can concoct scenarios such as corporate hospitality or birthday gifts and rely on their borrowed authority to do the rest.

The victim can then simply send over a photo of the unique code on the back of the card, and the scammer can access the funds. The balances are usually transferred into bitcoins using legitimate peer-to-peer marketplace services like Paxful, and the ill-gotten gains will then be laundered with a quick series of complex trades between different accounts.

In one notable case, a gang we dubbed Scarlet Widow was able to scam an Australian university out of $1,800 and complete the entire process in just two hours.

Defending against BEC

While BEC attacks pose a considerable threat, there are several steps that organizations can take to defend themselves – many of which relate back to basic best practice around email security.

A good starting point for reducing the risk of BEC attacks is to implement DMARC (Domain-based Message Authentication, Reporting & Conformance), a free-to-use email authentication standard. DMARC will help to identify emails whose visible sender domain does not align with the domain that authenticated the message via SPF or DKIM, one of the tell-tale signs that an email sender address has been spoofed to appear legitimate. DMARC can be set to automatically reject suspicious emails or quarantine them for future inspection.

Implementing DMARC will go a long way to mitigating the threat of BEC emails, robbing the fraudsters of one of their most reliable deceptive tactics. With DMARC in place, organizations can further supplement their defensive abilities with security tools that can automate the process, as well as spotting more subtle signs of deception such as mismatches in sender location and device.
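To make the DMARC policy decision concrete, here is an added example (not code from the article or from Agari) that parses a constructed DMARC record and works out what a receiving mail server would do with a message whose visible From: address claims to be the company's CEO. The record, the domains and the SPF/DKIM results are all constructed; the organizational-domain lookup is simplified to the last two labels, where a real receiver would consult the Public Suffix List and fetch the record from DNS.

```python
from email.utils import parseaddr

# Constructed DMARC record of the kind published as a TXT record at _dmarc.example.com.
# p=reject for the exact domain, sp=quarantine for subdomains, strict DKIM / relaxed SPF alignment.
SAMPLE_DMARC_RECORD = (
    "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
    "rua=mailto:dmarc-reports@example.com"
)


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs, filling in RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to the main policy
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified (assumption) to the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(header_from, spf_domain, spf_result, dkim_domain, dkim_result,
                      record=SAMPLE_DMARC_RECORD):
    """Return 'pass' or the policy ('none', 'quarantine', 'reject') to apply to a message.
    spf_domain is the envelope MAIL FROM domain; dkim_domain is the d= of a verified signature."""
    policy = parse_dmarc(record)
    from_domain = parseaddr(header_from)[1].rsplit("@", 1)[-1].lower()
    spf_ok = (spf_result == "pass" and bool(spf_domain)
              and aligned(from_domain, spf_domain.lower(), policy["aspf"]))
    dkim_ok = (dkim_result == "pass" and bool(dkim_domain)
               and aligned(from_domain, dkim_domain.lower(), policy["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    # An unaligned message gets p= when From: is the org domain itself, sp= for a subdomain.
    return policy["p"] if from_domain == org_domain(from_domain) else policy["sp"]
```

A spoofed "CEO <ceo@example.com>" sent through an unrelated mail server passes SPF for the attacker's own envelope domain but is not aligned, so the record's p=reject applies; the same From: signed with DKIM d=example.com passes.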

User awareness can also go a long way to combating the threat of BEC attacks. While a company should never expect its employees to be able to identify a well-crafted fraudulent email hidden among all the legitimate ones they receive every day, a well-informed employee can make a difference in shutting down a scam. Organizations should consider conducting awareness campaigns to cover the most common tactics and the correct procedure for dealing with suspected scams. Following the proper processes for important activities like authorising payments or sharing sensitive data will also help to limit the chances of a scammer succeeding. For example, demanding that all employees always confirm fund transfer requests and purchases over the phone will shut down the common “traveling, can’t talk now” tactic.

Despite all their tricks, our research has found BEC emails still have a success rate around one percent. However, with an increasing number of highly organized gangs now sending out thousands of targeted BEC emails at a time, this low success rate still encompasses a lot of victims.

With losses doubling over the last year, it is clear that the cybercriminals have the initiative over the defending companies. Further, while advanced ransomware and other malware attacks often gain the most attention, the success of BEC attacks has shown that fraudsters can cause far more damage with relatively simple tactics. Organizations must ensure they have the ability to detect the most common signs of BEC attacks if they are to avoid joining the statistics in next year’s IC3 report, when figures will probably double again.

The author

Crane Hassold is Senior Director, Threat Research at Agari.