BEC campaigns represent a relatively small percentage of all email attacks yet pose the greatest financial risk, says Abnormal Security.
Cybercriminals like to use email to launch malicious campaigns as it’s the most direct method of reaching a potential victim. Phishing emails that spoof a well-known company or brand are a common type of attack. One less common but potentially more dangerous attack type is the Business Email Compromise (BEC). By impersonating a specific individual within an organization or a trusted external contact, a successful BEC attack can lead to huge financial losses for the injured party. A report released Wednesday by security provider Abnormal Security highlights some of the latest BEC campaigns.
For its “Abnormal Quarterly BEC Report Q1 2020,” Abnormal Security found that BEC attacks have become more sophisticated. Attackers are taking time to plan their campaigns and have shifted their focus slightly away from impersonating C-suite executives toward spoofing employees working in finance and external vendors. BEC attacks that impersonate executives dropped 37% from the last quarter of 2019 to the first quarter of 2020, while attacks impersonating financial employees rose by 87%.
Cybercriminals have also shifted the scope of their targets somewhat, from individuals to groups. BEC campaigns directed against more than 10 individuals rose by 27% over the last quarter. Though this type of attack seems more generalized and therefore potentially less successful, hitting a larger group increases the odds that at least one person will fall for the scam.
As BEC attacks directed toward a single person decreased in the first quarter, campaigns using paycheck fraud also dropped as these are typically targeted at individuals. On the flip side, attacks using invoice fraud soared, with attackers impersonating vendors, suppliers, or customers.
In one real-world example, an attacker masquerading as the billing department of a vendor asked for an update to payment information. During a lengthy email exchange, the attacker convinced the target’s Accounts Payable team to change bank routing information from the valid bank to the bank used by the criminal.
Though BEC represents a small portion of all email attacks, it can cause the greatest financial damage; in 2019, BEC accounted for more than half of all cybercrime-related losses, according to the FBI.
To better defend your organization against Business Email Compromise, Ken Liao, vice president of cybersecurity strategy for Abnormal Security, offers the following tips:
- To protect against BEC attacks, it’s important to be extra careful with familiar sender names (e.g., executives or fellow employees) that originate from Gmail or other well-known general domains.
- You must also watch for out-of-domain impersonation techniques such as 1) swapping ‘i’ and ‘l’, 2) adding an ‘s’ to the end of a known domain (which will still look legitimate), 3) adding ‘int’ or ‘inc’ to the end of a known domain (which will still look legitimate).
- Finally, don’t let your guard down if you receive an email with an ask that seems low risk and low consequence. Slow and measured engagement by an attacker is a common technique and can often be the early stage of an attack.
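As an added illustration of the first two tips (this is not code from Abnormal Security or the report), the following Python checker flags a familiar display name arriving from a free webmail domain and flags sender domains that look like a known domain through an ‘i’/‘l’ swap or an appended ‘s’, ‘inc’ or ‘int’. The known domains, people and addresses are constructed sample data.

```python
import re
from typing import Iterable

# Constructed sample data: the organization's own domain and a known vendor domain.
KNOWN_DOMAINS = {"example.com", "acmebilling.com"}
# Constructed sample data: display names an attacker would want to borrow.
KNOWN_PEOPLE = {"jane doe", "pat lee"}
# Free webmail domains where a familiar name should raise suspicion (tip 1).
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Suffixes that keep a domain looking legitimate when appended (tip 2).
SUFFIXES = ("s", "inc", "int")


def _fold(label: str) -> str:
    """Map 'i' and 'l' to one symbol so that swapped letters compare equal."""
    return re.sub(r"[il]", "|", label)


def lookalike_reasons(domain: str, known: Iterable[str] = KNOWN_DOMAINS) -> list[str]:
    """Return why `domain` resembles a known domain; [] if exact or unrelated."""
    domain = domain.lower()
    known = {k.lower() for k in known}
    if domain in known:
        return []  # an exact match is not a lookalike
    dname, _, dtld = domain.rpartition(".")
    reasons = []
    for k in known:
        kname, _, ktld = k.rpartition(".")
        if dtld != ktld:
            continue  # only compare domains under the same TLD
        if dname != kname and _fold(dname) == _fold(kname):
            reasons.append(f"i/l swap of {k}")
        for suffix in SUFFIXES:
            if dname == kname + suffix:
                reasons.append(f"'{suffix}' appended to {k}")
    return reasons


def assess_sender(display_name: str, address: str) -> list[str]:
    """Combine tip 1 (known name from free webmail) and tip 2 (lookalike domain)."""
    _, _, domain = address.lower().rpartition("@")
    findings = lookalike_reasons(domain)
    if domain in FREE_MAIL_DOMAINS and display_name.strip().lower() in KNOWN_PEOPLE:
        findings.append(f"known name '{display_name}' sent from free webmail {domain}")
    return findings
```

A mail gateway or SOC triage script would run `assess_sender` over the From header of inbound mail and route anything with a non-empty result for review.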