Business e-mail compromise (BEC) attacks are a type of fraud that involves impersonating a representative from a trusted business. According to Verizon, it was the second most common type of social engineering attack in 2021, and the FBI reported that BEC attacks cost U.S. businesses more than $2 billion from 2014 to 2019.
Kaspersky experts are increasingly observing BEC attacks. In Q4 2021, Kaspersky products prevented over 80,000 BEC attacks, with the greatest number (5,037) occurring in October.
Throughout 2021, the company’s researchers closely analyzed the way fraudsters craft and spread fake emails. As a result, they found that the attacks tend to fall into two categories: large-scale and highly targeted.
The former is called “BEC-as-a-Service”, whereby attackers simplify the mechanics behind the attack in order to reach as many victims as possible. Streamlined messages are sent en masse from free mail accounts in the hope of snaring as many victims as possible. Such messages often lack sophistication, but they are efficient.
An example of mass-scale CEO scam
The above message is an example of a mass-scale CEO scam. In this scenario, an employee receives a fake email from a more senior colleague. The message is always vague, saying only that the sender has a request that needs handling. A victim may be asked to urgently pay for some contract, settle some financial dispute, or share sensitive information with a third party. Any employee may potentially become a victim. Of course, there are several noticeable red flags in such a message: no corporate account is used, and the sender clearly is not a native speaker.
At the same time that some criminals are relying on simplified mass mailouts, others are turning towards more advanced, targeted BEC attacks. The process works as follows: attackers first compromise an intermediary mailbox, gaining access to that account’s e-mail. Then, once they find a suitable correspondence in the compromised mailbox of the intermediary company (say, financial matters or technical issues related to work), they continue the correspondence with the targeted company, impersonating the intermediary company. Often the goal is to persuade the victim to transfer money or install malware.
An example of targeted BEC attack
Since the target is, in fact, engaged in the conversation referenced by the attackers, it is far more likely to fall victim to the scam. Such attacks have proven to be highly effective, and that’s why they’re used not only by small-time criminals looking to make a quick profit.
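The red flags called out above for the mass-scale CEO scam (an executive's name on a non-corporate or free mail account, urgent payment language) and for the targeted variant (a known thread continued from a domain other than the partner's) can be scored from message headers alone. The following is an added example written for this page, not Kaspersky code or any product's logic; the corporate domain, executive names, partner domain, thread index and the three sample messages are all constructed for the demonstration, and a real deployment would feed the thread index from the mail store.

```python
"""Header-level BEC red-flag scoring (added example; organisation data is constructed)."""
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Assumed organisation data: our own domain, executives whose names are public,
# partner domains we already correspond with, and common free-mail providers.
CORPORATE_DOMAIN = "example-corp.test"
KNOWN_EXECUTIVES = {"jane doe", "john roe"}
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "mail.ru"}
URGENCY_TERMS = ("urgent", "asap", "immediately", "wire", "payment", "invoice", "confidential")

# Assumed thread index: Message-IDs of earlier mail mapped to the domain of the
# counterpart in that conversation (constructed; normally taken from the mail store).
THREAD_INDEX = {"<po-4471@supplier-co.test>": "supplier-co.test"}


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Return (flag_count, flags) for one RFC 5322 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # Mass-scale CEO scam: an executive's display name on a non-corporate account.
    if name.strip().lower() in KNOWN_EXECUTIVES and from_domain != CORPORATE_DOMAIN:
        flags.append("exec-name-external-domain")
    if from_domain in FREE_MAIL_DOMAINS:
        flags.append("free-mail-sender")

    # Replies steered to a mailbox on a different domain than the visible sender.
    reply_to = [a for _, a in getaddresses([msg.get("Reply-To", "")]) if a]
    if any(_domain(a) != from_domain for a in reply_to):
        flags.append("reply-to-domain-mismatch")

    # Targeted BEC: the message continues a thread we know, but the sender's
    # domain is not the partner domain recorded for that thread.
    refs = (msg.get("In-Reply-To", "") + " " + msg.get("References", "")).split()
    for ref in refs:
        expected = THREAD_INDEX.get(ref)
        if expected and from_domain != expected:
            flags.append(f"thread-hijack-suspect:{from_domain}!={expected}")
            break

    # Urgency and payment language in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if len(hits) >= 2:
        flags.append("urgency-language:" + ",".join(hits))

    return len(flags), flags


# Constructed sample messages (not real mail).
CEO_SCAM = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: accounts@example-corp.test
Subject: Quick request
Content-Type: text/plain

Are you at your desk? I need an urgent payment processed today, keep it confidential.
"""

HIJACKED_THREAD = """From: Purchasing <purchasing@supplier-c0.test>
To: accounts@example-corp.test
Reply-To: purchasing@supplier-c0.test
In-Reply-To: <po-4471@supplier-co.test>
Subject: Re: PO 4471
Content-Type: text/plain

Please note our bank details changed, send the invoice payment to the new account.
"""

LEGIT_REPLY = """From: Purchasing <purchasing@supplier-co.test>
To: accounts@example-corp.test
In-Reply-To: <po-4471@supplier-co.test>
Subject: Re: PO 4471
Content-Type: text/plain

Thanks, the shipment left today.
"""

if __name__ == "__main__":
    for label, sample in (("ceo-scam", CEO_SCAM), ("hijack", HIJACKED_THREAD), ("legit", LEGIT_REPLY)):
        print(label, score_message(sample))
```

The thread check is what separates the targeted case from the mass-scale one: the hijacked reply carries no free-mail or display-name anomaly, and only the mismatch between the sender domain and the domain recorded for the referenced Message-ID surfaces it. The flag count is a crude score; a gateway would weight the flags and combine them with authentication results (SPF, DKIM, DMARC) rather than act on header heuristics alone.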
‘Right now, we observe that BEC attacks are becoming one of the most widespread social engineering techniques. The reason for that is pretty simple: scammers use such schemes because they work. While fewer people tend to fall for simple mass-scale fake emails now, fraudsters have started to carefully harvest data about their victims and then use it to build trust. Some of these attacks are possible because cybercriminals can easily find names and job positions of employees as well as lists of contacts in open access. That is why we encourage users to be careful at work,’ comments Roman Dedenok, security expert at Kaspersky.
‘Email remains the primary communication channel for most enterprises due to its widespread use. With no replacement on the horizon, it will remain so for years to come. But as remote working practices and cloud storage become the new norm, along with the growth of poor digital hygiene, we foresee the emergence of new scam methods leveraging these gaps in enterprise security. With less control over endpoint security, IT/IT security admins tend to get stressed even if they receive a successful blocking message from EPP. A good example of this is email-borne threats reaching the endpoint level, which can occur when using bundled “good enough” email security from a telco or cloud mail provider. Using a specialized security solution and a well-tested technology stack, backed with quality threat data and machine learning algorithms, can really make a difference,’ adds Oleg Gorobets, Senior Product Marketing Manager at Kaspersky.
Learn more about how scammers can use victims’ public data to target organizations on Securelist.
To avoid falling victim to BEC attacks, Kaspersky experts recommend companies:
Encourage employees to think twice and carefully check each email asking for payment or any sort of personal or corporate data. Explain to them that they should not publish confidential corporate data on systems with open access, for example, cloud services. They also should not share too many details about their work with a wide range of people.
Educate employees to counter social engineering. Gamified training and workshops teach employees to be vigilant and to identify BEC attacks that get through other layers of defense.
Use security tools to protect corporate communication channels, such as Kaspersky Secure Mail Gateway with its solid set of anti-phishing, anti-spam and malware detection technologies. While BEC represents one of the most sophisticated types of email compromise, the product has a dedicated heuristic model for processing indirect indicators and detecting even the most convincing fake emails.