Business email compromise (BEC) is one of the most problematic phishing threats because it is one of the hardest attack techniques to detect. BEC causes 37% of cybercrime losses reported to the FBI, and over $43bn has been lost due to BEC attacks.
A BEC attack typically involves an attacker impersonating a senior executive or vendor. Once the attacker has impersonated a target or gained access to their email via account takeover, they can send an invoice requesting what looks like a legitimate business payment. Often the attacker will ask for money. But increasingly, they’re using the technique to gain access to personally identifiable information (PII), wage forms, or tax forms.
Stages of a BEC attack
Research
The attacker learns more information about the impersonation target and the person to who the invoice will be sent. They may purchase open-source intelligence (OSINT) from other hackers, or they may search the target’s corporate websites and social media accounts themselves, which can provide valuable information about the target.
Useful information can include the target’s role in the company, their chain of command, the departments that they work for, their vendor relationships, and whether they are a new joiner, or have relationships with new joiners who can more easily be taken advantage of. They will also need to find the target’s email addresses. This may also come from breached data, but it is often publicly available.
Weaponization
An email can be weaponized via spoofing, whereby the attacker disguises their email address and display name to look like a trusted source. Alternatively, the attacker uses spear phishing to get hold of the target’s login credentials and uses these to take over a legitimate account. They can then craft an email containing the fraudulent invoice or request for information.
Evading security
In order to evade email security, attackers try to avoid known malicious links and attachments that signature-based detection tools such as secure email gateways (SEGs) and Microsoft 365 will pick up on. Instead, the attacker relies on social engineering tactics like urgency, insisting on confidentiality, and leveraging the seniority of the person they’re impersonating. If the victim isn’t using email security with natural language processing and linguistic analysis, the attack has a good chance of getting through.
Example of a BEC attack
An attacker is impersonating the CEO of a vendor, John Smith, in an attempt to get an employee of one of their customers, Jane Walters, to pay a fake invoice worth $50,000. They have thoroughly researched John online and conversed with him via email to learn his writing style, which they can then mimic to appear more believable.
The attacker has also researched Jane, the employee they’re targeting. From looking at Jane’s Facebook profile – which is open to the public – the attacker can see that she only works four days per week and takes Friday off to spend with her children. They can also see she is currently working from home.
The attacker wants to impersonate the email of johnsmith-company@gmail[.]com. To trick Jane into believing they are the real John, the attacker has created a new email address – johnsmlth-company@gmail[.]com – that substitutes the ‘i’ in ‘smith’ with an ‘l.’
At 4 pm on a Thursday, the attacker sends Jane an email:
“Hi, Jane,
Sorry to bother you so late on a Thursday, but this is urgent, and I know you’re off tomorrow. Your last payment failed, and we need you to resend it so we can process it before the end of the week. If we don’t receive it by tomorrow, we will have no choice but to cancel our agreement and blacklist your company due to a missed payment.
I have attached the invoice – please make sure it is paid ASAP.
Thanks! John.”
Because the attacker is asking Jane to send them a large and unexpected sum of money, Jane is likely to be suspicious. She may want to confirm with another team member before authorizing the transaction.
To prevent this, the attacker pressures Jane by telling her that the transaction is urgent and that the company may lose an important contract if she fails to make the payment today.
Because the vendor is putting the blame directly on Jane for the payment failure, she feels guilty and embarrassed that she could potentially be responsible for losing one of the organization’s most important vendors. For this reason, she decides not to reach out to her manager to check that this payment is authorized. Because she works from home, it is easy for her to authorize the payment without involving anyone else.
Once she has sent over the money to the attacker, they immediately stop responding to her emails. Jane immediately realizes what has happened – but it’s already too late.
How could the attack have been prevented?
Using a professional email address, double checking the sender’s email address, being cautious on social media, and conducting regular training within your organization are all ways to help prevent BEC attacks. However, these steps on their own aren’t enough.
Many organizations will have a SEG, Microsoft 356 native security, or even both, to help block threats before they reach the mail server. But even these solutions often fail to detect sophisticated scams such as BEC.
To prevent BEC attacks, organizations should augment their defenses with an integrated cloud email security solution (ICES). ICES solutions like Egress Defend protect organizations from advanced email attacks by using a combinations of technologies to analyze email content for the signs of business email compromise. Users are engaged at the point of risk, creating real-time teachable moments that empower them to understand why an email has been flagged as dangerous.