Why Business Email Compromise Is the Costliest Attack Vector (and What to Do About It)

The FBI is warning businesses about a growing threat to their confidential data—the Business Email Compromise (BEC) attack. This isn’t a new form of cyber assault, by any means, however, it is on the rise at an alarming rate. Whether this threat has just come onto your radar or you’ve been monitoring it for a while, there’s never been a better time to take preventative measures..

We’ve talked about BEC attacks here on the blog before, so today we’re going to offer a brief intro, followed by a more in-depth look at the BEC attack vector, why it’s proving so costly to so many organizations, and what you can do to protect your company from the financial losses associated with these attacks.

What Defines a Business Email Compromise Attack?

The FBI’s IC3 division (Internet Crime Complaint Center) defines a BEC attack as one where the scammer poses as an employee of the target company, often the CEO or other ranking executive (these attacks are also known as CEO Fraud attacks), in order to talk another employee into initiating a wire transfer into an account owned by the scammer, or changing the information on a legitimate transfer so that it goes to the hacker instead of the intended recipient. .

The attack has several distinct phases, starting with a network intrusion that allows the hacker access to your company’s internal systems, email history, company directory, etc. This phase is often achieved via malware attached to an email that gets past your filters. Once the attacker has the information they need, they begin phase 2, which consists largely of social engineering their way into the confidence of an employee with the authority to wire money from the company accounts.

The attacker will send an email to a select number of employees (finance and HR are likely targets), posing as an executive who needs a favor in order to close a deal, or a similar situation. They will ask for an emergency wire transfer to the included account so they can shore up the deal, or to appease an upset partner. Then, once the transfer is made the money is withdrawn and the fraudster disappears.

Another common method used is to pose as a rank and file employee who simply needs their direct deposit information changed. If the hacker is really sophisticated they’ll even be able to request a password reset for a user, giving them access to the employee’s real email account. The hacker will say they can’t find the form or something equally innocuous-sounding and request that the HR employee make the quick change for them. By the time the real employee notices that they didn’t get paid as expected, the attacker is long gone.

BEC attacks often take one of these 6 forms

  • Invoice fraud—In these attacks, the fraudster poses as a partner requesting payment for an “overdue” or otherwise delinquent invoice.
  • CEO fraud—In this scenario, the hacker poses as the company CEO (or another C-suite executive) and requests a test transfer to their “new” bank account. These attacks gain legitimacy by seeming completely reasonable, pretending to be time sensitive, etc.
  • Account compromise—Here, the fraudster poses as an executive at a partner organization to request a change to the account used for payment.
  • Attorney impersonation—Pretending to be a lawyer representing the company, the hacker informs the target of a new account to be used for remittance.
  • Data theft—Phishing attacks are launched from a spoofed account with the goal of stealing personal information on employees.

How Much Do BEC Attacks Cost Businesses Annually and Why Are They so Expensive?

The FBI recently released its statistics for 2019, and BEC now accounts for nearly half of all cyberattacks in the US. The total amount lost in just that one year came to an estimated 1.77 billion dollars, which averaged out to approximately $75,000 per attack. For comparison, the FBI’s records show that the average ransomware scam nets just $4,400 and phishing attacks a paltry $500 (though, of course, some high profile phishing successes can be much, much higher than this).

The FBI cyber crimes division has been focused on BEC attacks, which they often refer to as Email Account Compromise (EAC), since early 2017 when they first saw an alarming spike in their prevalence.

What makes BEC attacks so expensive and hard to trace?

The bottom line is that BEC attacks are easy to pull off, and they rely on basic human instincts to be successful. Because this attack vector relies so heavily on social engineering, it doesn’t require a high level of coding skill to score a payday. Instead, BEC plays on the old con artist standbydeception. Basic knowledge of where to find malware like keyloggers, and the ability to spoof an email address are the only hard skills required. Beyond that, the scammer needs good people skills and the time to adequately research their target.

Human instinct is to “go along to get along.” This means that if a middle manager in finance receives an email that appears to be from a legitimate internal email account, they’re unlikely to ask too many questions. And if that email seems to be from a high-ranking executive requesting an urgent wire transfer to shore up a deal the finance manager knows is legitimate, that lack of questioning can lead to a big payday for the scammer and a write-off of thousands of dollars for the company.

The same goes for someone in HR who gets a sympathetic email from a new employee asking for their direct deposit information to be changed. Using the alias of a known new hire, the scammer can play on the empathy of the HR employee to not ask questions and do as requested to make the new person feel welcome. Except that email wasn’t from the new employee, and the direct deposit will now line the pockets of a scammer.

All of this adds up to an attack that is often missed in its early stages due to holes in corporate networks and the stealthy nature of modern malware. This leaves the attacker free to research from within the network as long as they need to in order to learn as much as they want about their targets. Then, once they know who they’re going to impersonate and what their cover story is going to be, the actual BEC stage is often over within a matter of hours. To a large company, the loss of ~$75,000 can happen in an instant and not even be noticed for several days or more.

Making these attacks more difficult to stop is the fact that once the transfer takes place, the scammer withdraws the money, closes the account used, and vanishes. Bank transfers are notoriously difficult to trace to start out with, particularly when they cross international borders, as every country has its own set of rules and regulations. When you add all of these factors up, you get a costly and fast-moving attack.

What You Can Do to Limit BEC Attacks

As seemingly simple as these attacks are, they can be deceptively difficult to eliminate from the business end without the right tools. The tactics discussed here will serve to limit the likelihood of your company succumbing to an attack, or at best limit your losses. The number one recommendation we can make is to train your employees and give them clear guidance on what kinds of communications can come from the actual C-suite. If an email strikes them as in any way not legitimate, be sure they know who to raise a red flag with.

Step 1 is user training

As we just mentioned, the most impactful thing you can do to cut losses associated with BEC attacks is to ensure your employees are well-versed in what red flags to watch for. Teaching basic information security principles can go a long way to halting the intrusions that precede a BEC attack. Some red flags to cover include:

  • Verifying that the “reply-to” and “From” address match
  • Ensuring that the domain name is correct (one letter off can make all the difference)
  • If the tone doesn’t match the sender’s known tone or word choices, raise the alert
  • When in doubt, use another communication channel to verify that the sender is who they say they are

There are, of course, many more points to go over. This list is just a sample of the types of information you’ll want to be sure employees know in order to curb the intrusions caused by malware from entering your network. Intuition and empathy go a long way here, too. The bottom line is that if an email seems off in any way, the user should be comfortable following their gut instinct and bringing it to IT’s attention for investigation. That said, human error is part of running a business, and we all know that no amount of training can completely eliminate the possibility of an attack.

Ensure your network is locked down

Since the majority of BEC attacks begin with a basic malware intrusion, taking steps to lock down your network will go far toward keeping this phase of the attack from happening. Without the ability to learn about email history, in-progress deals, and so on, the scammer will move on to the next likely target. And how do you prevent malware intrusions? We’re glad you asked...

End-to-end email encryption is one of your best options

The only way to truly know that an email is from who it says it’s from is to use end-to-end email encryption. This eliminates the risk for BEC with company internal e-mails without false-positives. This also locks down the message in transit, eliminating a hacker’s ability to inject malware mid-stream. There are different systems out there, all relying on different encryption schemes and key management solutions. The most important thing to look for in the available solutions is the ability to ensure confidentiality, integrity, and authenticity in a way that even non-technical users can take advantage of.

How p≡p Can Help Stop BEC Attacks

Your priority in implementing an e2e email encryption solution should be making it as frictionless as possible for all of your employees to use. If the system you put in place requires advanced IT knowledge or relies on the employee to manage their own encryption keys, you’re leaving vectors open to attack since many will simply not use it.

This fact is what leads many companies to rely on anti-spam software (the kind that relies on blacklisting algorithms to filter out non-Kosher emails), but these often create so many false positives that users sometimes mistrust them. As such, what companies really need is a solution that can seamlessly automate trust on the individual level, all without interfering with spam filters or other protective measures that may already be in place.

The first thing to look for is automated key/trust management. p≡p can pre-deploy keys to all internal email accounts existing and new, that reside on your corporate email server (on-site or cloud-based). That grants these accounts secure & trusted status as soon as the client is installed on any new device. Users never have to think about or manage their own keysin fact, they don’t even have to know that they have them.

Part two in p≡p’s system is to automate identity management. After a brief exchange of five easy-to-remember trust words in the users’ native languages, p≡p enables you to establish trusted and secure communication channels with other encrypted email users. Messages are encrypted and decrypted automatically at endpoints, with even metadata remaining protected in transit, and there is no centralized authority eroding the security of your messages. Because the software is open source and based on reproducible builds, you can be sure that there are no hidden backdoors.

All of which is to say that p≡p makes privacy the default through seamless integration and use. Once installed on a user’s device, they will see a clear indicator light next to each message in their inbox:

  • No color — Unsecure: the message is either not encrypted or the encryption is sub-par
  • Yellow — Secure: the message is properly encrypted
  • Green — Secure & Trusted: the message is properly encrypted and from a trusted party
  • Red — Mistrusted: the message is flagged as troublesome for any number of reasons, and the red indicator let’s you know that it’s a cyberattack.

This system enables any employee to know, at a glance, if an email is from who it claims to be from, completely eliminating the possibility of a spoofed email getting through and causing havoc. Even in cases where the attacker is spoofing the address so it appears correct, since the encryption keys don’t match, it won’t get the green light.

Every correct e-mail from your CEO will be green, any fake e-mail impersonating your CEO will be highlighted in red.

BEC attacks are on the rise in the wake of the Coronavirus pandemic (according to the FBI). That means there has never been a better time to address any potential holes in your network security and broader information security. Blocking this vector can save your company time, money, and headaches by stopping attackers from gaining a foothold inside your network.




Contact Us for More Insights

Contact Us