By: Nihad Hassan
June 14, 2021
Business E-mail Compromise (BEC)
The digital revolution has brought many benefits to society. One of its early innovations was e-mail, which has become an indispensable method of business communication. E-mail is fast, cost-effective, accessible, and convenient, and businesses rely on it to transfer electronic data (Office documents, photos, and data sheets) efficiently and reliably.
Despite these benefits, e-mail remains the preferred delivery method for cybercriminals and fraudsters conducting many types of cyberattacks. PurpleSec offers the following statistics on attacks delivered via e-mail:
- 92% of malware is delivered by e-mail
- In 2019, phishing e-mails delivering ransomware increased 109% over 2017.
- Business E-mail Compromise (BEC) scams cost organizations $676 million in 2017.
- Spear phishing is reported by businesses to be used in 91% of successful data breaches.
- E-mail compromises cost on average $24,439 per case.
- 20% of healthcare domain e-mails were fraudulent in 2017.
Most cyberattacks rely on social engineering to convince the victim to install malware, either by opening an e-mail attachment or by visiting a compromised website that hosts an exploit kit. The most common way to initiate a social engineering attack is a phishing e-mail.
As these statistics show, the ubiquity of e-mail makes it the primary vehicle for cybercriminals' malicious activity. The most prominent e-mail-borne attacks are phishing and BEC.
This article will shed light on the BEC scheme, mention its types, and suggest countermeasures.
What is BEC?
BEC, also known as E-mail Account Compromise (EAC), is a type of e-mail scam that targets organizations, and the individuals within them, who perform wire transfer payments. The attacker either takes over a legitimate business e-mail account, through social engineering or malware, or impersonates one with a spoofed or look-alike sender address; the account or identity is then used to request fraudulent transfers of funds. Some BEC attacks do not aim at funds at all; instead, they request Personally Identifiable Information (PII) or other sensitive tax information from the victim.
Attackers use social engineering, such as phishing and spear phishing, to compromise the target e-mail accounts. Malware such as keyloggers and spyware is also used to infect victims' devices and record everything they type, including e-mail credentials.
The targeted accounts usually belong to employees who handle wire transfers (for example, the finance department) or to executives who can authorize payments.
Before launching phishing attacks, adversaries research their targets thoroughly. They use Open Source Intelligence (OSINT) techniques to collect information from publicly available sources such as social media platforms and public databases, and use what they learn to customize their spear-phishing e-mails for each target.
BEC is a real problem for organizations. According to the FBI, it cost businesses about $12B between October 2013 and May 2018.
BEC scam types
The FBI groups BEC into five types:
False Invoice Scheme: Enterprises with foreign business partners (suppliers) are commonly targeted. The attacker poses as a foreign supplier and requests that payment be sent to a fraudulent account under the attacker's control.
CEO Fraud: Adversaries pretend to be the CEO or other high-level executive in the target company and send an e-mail to the finance department requesting payments to be made to the attacker's account.
Account Compromise: An employee's e-mail account is hacked and used to send invoices to the finance department requesting payment to be made to an account controlled by the attacker.
Attorney Impersonation: As the name implies, the attacker pretends to be a lawyer or a representative of a law firm that has worked with the target company and requests urgent payment to his bank account. Such attacks are often timed for the end of the workday, when the C-level employees who could verify the request have already left.
Data Theft: The goal here is not a wire transfer. Instead, the attacker seeks PII, tax forms, and other sensitive data to use in future attacks.
Note that most BEC scams require no malware installation, no malicious link, and no attachment; the e-mail is simply a plausible request. That makes them very hard to stop with standard defenses such as firewalls and antivirus, and it is why cybersecurity awareness training for employees is imperative.
Protection against BEC
As mentioned, traditional solutions rarely detect BEC. A set of countermeasures can, however, reduce the risk:
- Do not use free web-based e-mail accounts for business.
- Enable Multi-Factor Authentication (MFA) for important business e-mail accounts. With MFA enforced, a stolen password alone is not enough to take over an account, which blocks the account-compromise variant of BEC. It does not stop attacks sent from spoofed or look-alike domains, so the remaining measures are still needed.
- Treat e-mails from unknown parties with suspicion, and be especially diligent with any e-mail that requests a payment, a transfer of funds, or a change of banking details. Always question the legitimacy of the request and verify it through a second channel, such as a phone call to a number you already know. A healthy dose of paranoia goes a long way toward preventing BEC.
- Reduce domain spoofing by registering domain names that closely resemble yours. For example, if your company domain is darknessgate.com, an attacker may register "darknessgaate.com" and send fraudulent e-mails from it. You cannot register every possible variant, and look-alike registration does nothing against an attacker who forges your exact domain in the From header; publishing SPF, DKIM, and DMARC records for your own domain addresses that case.
- Investigate the sender's e-mail address very carefully. A look-alike address can differ from the legitimate one by a single character, such as a doubled letter (as in the darknessgaate.com example above) or a hyphen swapped for an underscore, and a familiar display name tells you nothing about the domain behind it.
- Keep your private information secure and do not overshare details online, especially on social media platforms. As mentioned above, attackers use OSINT tools and techniques to harvest information about their target before launching the social engineering attack that leads to a BEC.
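As an added example, not part of the original article, the following Python script applies two of the checks above to the From header of incoming mail: it flags a sender domain that is a look-alike of the organization's domain, using edit distance after folding common character substitutions (0 for o, rn for m, and so on), and it flags an executive's display name arriving from an external domain, the pattern of CEO fraud. The organization domain darknessgate.com is the article's own example; the executive name and the sample headers are constructed for illustration.

```python
"""Added example: flag look-alike sender domains and executive display-name
spoofing in e-mail From headers. The sample headers are constructed."""
from email.utils import parseaddr

# Assumptions for this example: the organization's domain (the article's
# example) and the display names of executives worth protecting (hypothetical).
ORG_DOMAIN = "darknessgate.com"
EXECUTIVES = {"jane doe"}

# Digraphs and characters that attackers substitute because they look alike.
_DIGRAPHS = (("rn", "m"), ("vv", "w"))
_CHARS = str.maketrans("0135", "oles")


def normalize(domain: str) -> str:
    """Lower-case a domain and fold common homoglyph substitutions."""
    d = domain.strip().lower().rstrip(".")
    for fake, real in _DIGRAPHS:
        d = d.replace(fake, real)
    return d.translate(_CHARS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, max_distance: int = 2) -> list[str]:
    """Return findings for a From header; an empty list means nothing suspicious."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable sender address"]
    domain = addr.rsplit("@", 1)[1].lower()
    findings = []
    if domain == ORG_DOMAIN:
        # Genuine internal domain; whether the message really came from it is
        # the job of SPF/DKIM/DMARC, not of this check.
        return findings
    dist = levenshtein(normalize(domain), normalize(ORG_DOMAIN))
    if dist <= max_distance:
        # Distance 0 after normalization means a pure homoglyph swap.
        findings.append(f"look-alike domain {domain} (distance {dist} from {ORG_DOMAIN})")
    if name.strip().lower() in EXECUTIVES:
        findings.append(f"executive display name '{name}' sent from external domain {domain}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    samples = [
        "Jane Doe <jane.doe@darknessgate.com>",        # legitimate internal sender
        "Accounts Payable <ap@darknessgaate.com>",     # doubled letter (article's example)
        "Jane Doe <ceo.jane.doe@freemail.example>",    # CEO fraud from a free mailbox
        "Jane Doe <jane.doe@darkne55gate.com>",        # homoglyphs plus executive name
        "Vendor Billing <billing@supplier.example>",   # unrelated external sender
    ]
    for hdr in samples:
        print(f"{hdr!r}: {classify_sender(hdr) or 'ok'}")
```

In practice the executive list would come from the directory rather than a hard-coded set, and the distance check should be paired with DMARC enforcement: it catches darknessgaate.com and darkne55gate.com but not a forged From header carrying the exact domain, nor a subdomain trick such as darknessgate.com.evil.example, whose distance from the real domain is large.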
BEC is a growing problem globally, and the statistics show significant losses from it. Educating employees about these attacks, and about the methods cybercriminals use to launch them, remains the primary defense.