Understanding Business Email Compromise Attacks
What is Business Email Compromise
Business Email Compromise (BEC) is a cyber attack that couples targeted social engineering with email impersonation to defraud an organisation. The underlying idea, plain deception, is as old as fraud itself; BEC as a technique is comparatively new, but it is a business threat that cannot be ignored. The trust, authority and familiarity these attacks exploit are producing billion-dollar losses: based on the incidents reported to it, the FBI calculated that between October 2013 and May 2018 BEC accounted for $12.5 billion in exposed losses (actual and attempted) worldwide.
BEC attacks rely on identity deception rather than malware. They frequently evade detection because they carry no payload that a gateway can inspect, such as a malicious URL or attachment; the message is usually plain text. The attacker impersonates a colleague or trusted partner by email and asks the recipient to make a payment or share sensitive data. Because the request may arrive as a forged invoice, from the compromised mailbox of a real employee, or from a carefully faked address, it can look entirely genuine.
How Are BEC Attacks Executed
BEC attacks succeed when attackers learn enough about a business to convincingly impersonate a trusted source. There are three main phases to a BEC attack:
- Business infiltration – attackers begin by carefully researching their victims. They commonly use phishing, for example credential-harvesting pages that mimic services employees use every day, to capture employee account credentials. This phase gives them an understanding of the organisation and its people and, where credentials are captured, access to its mailboxes.
- Social engineering – this phase is reconnaissance of the target, often senior executives. Attackers study payment processes and vendors and read through existing email threads. They may spend weeks building a profile of employees and their interactions so that those interactions can be mimicked.
- Impersonation – the attackers craft legitimate-looking email addresses to impersonate a trusted source, whether a vendor, an employee or the company's CEO. Emails are typically sent to junior staff and demand a wire transfer or sensitive data. They are urgent in tone and, to look more credible, often reference or include paperwork found during the research phase.
Attackers use three principal techniques to impersonate trusted sources: spoofing, look-alike domains and display name deception. Spoofing is the falsification of email headers, the sender's name and address in the From header and often the formatting of the message itself, so that a message appears to come from a legitimate domain; the attacker injects these forged messages directly into the mail stream with forged delivery paths. Sender authentication (SPF, DKIM and an enforcing DMARC policy on the impersonated domain) is the control that addresses this technique. Look-alike domains are deceptive domains registered and controlled by the attacker, typically differing from the impersonated organisation's domain by a swapped character, an added word or a different top-level domain; because the attacker owns the domain, its mail can pass SPF and DKIM cleanly. In display name deception, the attacker uses a free webmail account and sets the display name to the impersonated individual or organisation; the address itself is genuine, so nothing in the message is technically forged, and mail clients that show only the display name hide the mismatch. Research from our partner Agari found that 82% of BEC attackers use display name deception to impersonate a trusted party, and that these messages pass through secure email gateways undetected.
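To make the three techniques concrete, the following Python script is an added example (not code from the original post, nor from InfoTrust or Agari) that classifies a message's From header against each of them. It assumes a hypothetical organisation domain, example.com.au, a hypothetical directory of two executives, and that the receiving mail server records its SPF/DKIM/DMARC verdicts in an Authentication-Results header (RFC 8601); the sample messages are constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed organisation details for this example: the domain, names and
# addresses are hypothetical, not taken from the article.
ORG_DOMAIN = "example.com.au"
KNOWN_PEOPLE = {                    # normalised display name -> only legitimate address
    "jane doe": "jane.doe@example.com.au",   # CEO
    "sam lee": "sam.lee@example.com.au",     # CFO
}
# Substitutions attackers use to build look-alike domains (rn for m, 1 for l, ...).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise_domain(domain):
    """Undo common homoglyph swaps so examp1e.com.au compares equal to example.com.au."""
    d = domain.lower().strip()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance; used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, org_domain=ORG_DOMAIN):
    """True if domain is not ours but is built to resemble it."""
    d, o = normalise_domain(domain), org_domain.lower()
    if domain.lower() == o:
        return False                # genuinely our domain: that case is the DMARC check's job
    d_label, o_label = d.split(".")[0], o.split(".")[0]
    return d == o or levenshtein(d_label, o_label) <= 2 or o_label in d_label


def normalise_name(name):
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def dmarc_result(msg):
    """DMARC verdict the receiving MTA recorded in Authentication-Results (RFC 8601)."""
    m = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""), re.I)
    return m.group(1).lower() if m else "none"


def classify(raw_message, org_domain=ORG_DOMAIN, known_people=KNOWN_PEOPLE):
    """Return the impersonation techniques a message exhibits (empty list if none)."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    findings = []

    # 1. Spoofing: From claims our own domain but the MTA recorded no DMARC pass.
    #    A missing Authentication-Results header is deliberately treated as a failure.
    if domain == org_domain.lower() and dmarc_result(msg) != "pass":
        findings.append("spoofed_internal_domain")

    # 2. Look-alike domain: an attacker-registered domain that resembles ours.
    if domain and is_lookalike(domain, org_domain):
        findings.append("lookalike_domain")

    # 3. Display name deception: a known person's name on an address that is not theirs.
    norm = normalise_name(display_name)
    if any(person in norm and address != real for person, real in known_people.items()):
        findings.append("display_name_impersonation")
    return findings


# Constructed sample messages: one per technique plus two benign controls.
SAMPLES = {
    "spoofed": (
        'From: "Jane Doe" <jane.doe@example.com.au>\n'
        "Authentication-Results: mx.example.com.au; spf=fail smtp.mailfrom=example.com.au;"
        " dkim=none; dmarc=fail header.from=example.com.au\n"
        "Subject: Urgent wire transfer\n\nPlease pay the attached invoice today.\n"
    ),
    "lookalike": (
        'From: "Accounts Payable" <accounts@examp1e.com.au>\n'
        "Authentication-Results: mx.example.com.au; spf=pass smtp.mailfrom=examp1e.com.au;"
        " dkim=pass; dmarc=pass header.from=examp1e.com.au\n"
        "Subject: Updated bank details\n\nOur account number has changed.\n"
    ),
    "display_name": (
        'From: "Jane Doe" <jane.doe.ceo@gmail.com>\n'
        "Authentication-Results: mx.example.com.au; spf=pass smtp.mailfrom=gmail.com;"
        " dkim=pass; dmarc=pass header.from=gmail.com\n"
        "Subject: Are you at your desk?\n\nI need a quick favour.\n"
    ),
    "legitimate": (
        'From: "Jane Doe" <jane.doe@example.com.au>\n'
        "Authentication-Results: mx.example.com.au; spf=pass smtp.mailfrom=example.com.au;"
        " dkim=pass; dmarc=pass header.from=example.com.au\n"
        "Subject: Board papers\n\nAttached for review.\n"
    ),
    "vendor": (
        'From: "Acme Billing" <billing@acme-supplies.example>\n'
        "Subject: Invoice 1042\n\nThanks for your business.\n"
    ),
}


def scan_samples():
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:13} -> {findings or 'clean'}")
```

Run it and each constructed sample is labelled with the technique it uses. Only the spoofed message fails DMARC; the look-alike and display-name messages authenticate perfectly, which is why sender authentication on its own does not stop BEC and why the display-name check needs a directory of the people worth impersonating. The edit-distance threshold of 2 is a tuning choice: with short organisation labels it will over-match, and in production the candidate list would come from a typo-squat generator or domain-registration monitoring rather than a single threshold.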
What Is The Risk Of BEC Attacks To Businesses
Over the past few years BEC attacks have become commonplace and are growing in frequency. Although less spectacular than the headline-grabbing breaches covered in the media, BEC produces the highest number of victims and the largest direct losses to businesses. Agari's research found that 96% of the organisations analysed received at least one BEC attack in the second half of 2017. Because the attacks are simple to mount and succeed often, BEC will continue to escalate, and so will the losses to businesses. BEC does not discriminate by industry, size or existing security controls and is therefore a critical issue for all businesses, everywhere. Attacks range from a single display-name email to multi-stage campaigns against global organisations that combine several techniques. Anyone can fall victim simply by following poor online security practice while performing routine transactions. Small businesses are an easy target because one person is often responsible for multiple transactions and fewer security controls are in place. Combating BEC requires more than infrastructure and robust technical security: organisations need to be educated and the workforce security-aware.
Contact InfoTrust today on +61 2 9221 5555 to find out how we can help your organisation mature your security posture against these types of threats.
This is the first installment in our Business Email Compromise blog series, read our second post, “Stopping BEC Attacks Requires a Multi-Layered Approach” here.
Related resources
Mimecast recently released its State of Email Security Report for 2021. The fifth edition of its annual report draws on interviews with over 1,200 information technology and cybersecurity professionals across the globe to gather vital cybersecurity insights. The report offers an insight into the latest email threats along with advice on how to build cyber resilience and mitigate the risks of email-borne attacks.
Cyber attacks and data breaches have been commonplace in the news headlines for some time now. Although a warning from the media is certainly helpful, there is so much more that can be done when it comes to threat intelligence sharing. Threat intelligence sharing is an important part of the global cybersecurity community effort to tackle cybercrime and should form a part of every organisation’s cybersecurity strategy. Sharing cyber threat intelligence enables organisations to make informed decisions about their cybersecurity, building more effective and robust cyber defences.
One of my favourite annual reports to read is the Verizon Data Breach Investigations Report. It’s packed full of insights about the threat landscape and security leaders, in my opinion, should read this report to get a pulse on what’s happening in cyber-scape.
After all, as cyber leaders, we are here to stop breaches – so the insights gained from real cyber incidents and breaches are gold in learning how to tighten up our defences.
All businesses, large and small, are under increasing pressure to demonstrate that they are managing the risk of cyberattacks. This means having the right processes and controls in place to identify risks and vulnerabilities, protect information, as well as detect, respond, and recover in the event of cybersecurity incidents. As such, many businesses are turning to certification authorities and security frameworks to demonstrate privacy and security best practice and achieve compliance with regulatory bodies. System and Organisation Controls (SOC 2) is one such compliance framework that can help organisations to create a structured approach to cybersecurity.
Frost & Sullivan has recently released its 2021 Frost Radar: Email Security report, where its findings provide a benchmarking framework to help businesses protect their email from cyber threats.
As we operate in an increasingly digital world, every business collects, stores, and shares more and more data, and amongst that data is personal information. With the OAIC marking this year's Privacy Awareness Week (PAW) from Monday 3 May to Sunday 9 May 2021, it's time for us all to review how we protect our customers' personal information.