While businesses are busy trying to protect themselves against ransomware attacks that spark headlines news, threat actors are sticking to one of the oldest and most effective hacking techniques—business email compromise (BEC).
Enterprise security has skewed toward ransomware in recent years, but FBI data highlights that enterprises in aggregate are losing 51 times more money through BEC attacks. In 2021, BEC attacks in the US caused total losses of $2.4 billion, a 39% increase from 2020. In contrast, at the same time, companies in the US lost only $49.2 million to ransomware.
While the average financial loss from a BEC scam is much lower than the average ransom requested in a ransomware attack, email compromises are technically easier to implement. The result is that business email compromises far outnumber ransomware attacks.
Business email compromise arises when criminals access the email account of an otherwise trustworthy employee, says Paul Ducklin, principal research scientist at Sophos. “The problem here, unlike traditional phishing attacks, is obvious: the fake messages devised by the crooks actually do come from that employee’s real email account. Worse still, the crooks get to read that person’s messages before they do, so that if you send an email to query strange requests that they make, or even to ask them outright if they are in control of their account, then the crooks simply delete those messages and reply in a reassuring way. As a result, the true recipient never sees the warning signs, and you never find out the truth.”
In 2021, the FBI’s Internet Crime Center received 19,954 BEC complaints. It initiated action on 1,726 BEC complaints involving domestic to domestic transactions with potential losses of $443 million. A hold was placed on approximately $329 million—typically by identifying and freezing the bank account used by the hackers, so that no money can be withdrawn.
Ransomware continues to overshadow BEC attacks
If BEC attacks are indeed so widespread, the obvious question is why we don’t hear about them more often. One of the reasons is that businesses rarely report such attacks.
“We will continue to see unreported attacks even in regulated countries. If you report the attacks, you realize it’ll impact your business in catastrophic ways,” says Garrett O’Hara, chief field technologist at Mimecast. “Many countries that have mandatory reporting have categories where most small and medium businesses don’t fall under the purview of mandatory reporting. And even the ones that fall under the purview of mandatory reporting, feel they are better off paying fine than to report these incidents.”
The figures involved in ransomware are also greater, and tend to be more attention-grabbing. The average ransomware demand stood at $2.2 million in 2021, according to Palo Alto Networks, while the FBI reports that the average cost of a BEC scam stood at about $120,000 in 2021.
“BEC is embarrassing, and you may lose some money, but ransomware is an existential crisis. Most companies therefore look at BEC as a regular theft. Ransomware executed well grinds a business to a halt. Servers can be locked, patients can be denied vital healthcare, all critical systems can be locked,” O’Hara said.
BEC attacks can be extremely easy to execute
To execute a BEC scam, hackers gain access to email accounts of senior company officials through social engineering techniques, and then just ask the accounts department to make a payment to a particular vendor. In this case, the vendor can often be a legitimate vendor and the invoice can look identical to an earlier invoice from the same vendor. The hacker just changes the account details and since the email is coming from top management, the accounts team doesn’t question the transaction.
The attacker, therefore, doesn’t even need to exploit any security vulnerability, does not have to write any code (in most cases) and sometimes can execute the scam without deep computer skills.
On the other hand, to execute a ransomware attack, the attacker needs to find vulnerabilities in the target’s computers or servers, gain access to the target laptops or servers, encrypt all the files and then demand a ransom—a relatively complex process.
The ease of executing BEC attacks has therefore been the biggest challenge in containing them. A typical target for BEC is a company that has high number of financial transactions—essentially any company that is transferring money regularly. That creates ample opportunity for BEC attacks.
With the advent of remote meetings over the past few years, fraudsters are targeting virtual meeting platforms to hack emails and spoof the credentials of senior leadership team to initiate the fraudulent transfer of funds, according to the FBI’s most recent annual internet crime report. These funds are then immediately transferred to cryptocurrency wallets or mule bank accounts, and quickly dispersed, making recovery efforts more difficult.
“BECs focus on mass attacks, unlike ransomware attacks that are highly targeted and therefore require a lot of work. We see for BEC scams, hackers are targeting a lot of SMEs, which is 80-90% of businesses. That’s a lot of targets. On the other hand, ransomware attacks are typically targeted at MNCs (multinational companies) and their third parties. Attackers also use BEC toolkits to execute some of these scams,” says Ian Lim, field chief security officer for Asia Pacific at Palo Alto Networks.
Palo Alto’s Unit 42 division has been tracking BECs for several years and had even worked with Interpol in a recent counter-BEC operation that led to the arrest of 11 Nigerian nationals, many of whom were participating in BEC scams since 2015. The investigation found out that the profile of attackers has also evolved with time. Many of the attackers were found to be IT graduates who see BEC scams as easy and lucrative career options.
Companies will need AI tools to combat BEC scams
Hackers are now using advanced techniques to execute their BEC scams, including “cousin domains”— a website with a deceptively similar name to another website—or “identity mimicry,” wherein the domain used looks very similar to a legitimate website. Such domains can scam users by prompting them to enter their personal information.
“You need AI tools to identify these techniques through digital trails. AI tools can also track the language used in the emails to flag any anomalous behavior,” Mimecast’s O’Hara says.
One of the biggest challenges that companies face in trying to defend against BEC scams, though, is that the email accounts that are used to carry out these scams are usually legitimate email accounts belonging to senior company officials including CEOs and CFOs.
But simple checks and balances can also go a long way in combating BEC scams, experts believe. “If you notice anything unusual, if anything is unexpected, check and confirm before making any payments. Pick up the phone and validate the request before going ahead with any official financial transaction. You need to have a healthy dose of suspicion,” Palo Alto Networks’ Lim says.
According to O’Hara, building security right into business processes can also help organizations stay protected against such scams. “The process to update bank details for a supplier, for example, need to follow security policies. Same needs to be followed for any new vendor,” he said.
People are your best defense against BEC, Sophos’ Ducklin points out. “Remember: ‘If in doubt, don’t give it out,’ and ‘If you see something, say something.’ If you work in security operations and you don’t yet have a simple, standardised way for staff to report things that don’t add up—e.g. an email address monitored directly by the SecOps team— create one right away. If you think someone’s account might have been hacked, remind your staff not to use that same account to voice your suspicions, whether it’s an email address, a Facebook account or a phone number.”
Copyright © 2022 IDG Communications, Inc.