Business Email Compromise (BEC) is a more popular phenomenon now than it has ever been, and the numbers are growing year by year. In the 2020 IC3 Report released by the FBI, it was found that nearly 75% of organizations in the United States had experienced a successful phishing attack and that businesses lost an estimate of USD 4.2 Billion to phishing in 2020, only two years before 2018, that number was at $1.25 billion.
In 2021, the Identity Theft Research Center recorded that there had been a 68% increase in data compromises in the United States from the year 2020, setting a record number of compromises. Of the 1862 compromises in the US, 1613 were cyberattacks; and of that number, Phishing/Smishing/Business Email Compromises accounted for the largest number at 537 attacks followed far out by ransomware (321) and Malware (139). Researchers from the research center found that human error including failure to configure cloud security and correspondence through email/letter were amongst the two largest causes of these statistics, and the attacks occurred across nearly every industry, including Manufacturing, Financial Services, Government, Healthcare, and even Non-Profit sectors.
Still, the United States is far from being the only nation with a large number of attacks of this nature. In 2021, Brazil and France were the countries with the highest phishing attack rates amongst internet users globally at 12.39% and 12.21% respectively, followed by Portugal (11.4%) and Mongolia (10.98%), according to Statista.
IBM’s 2021 Cost of a Data Breach Report found BEC attacks to be the most expensive type of attack, costing businesses in various industries an average of $5.01 million. In the first quarter of 2022, 23.6% of phishing attacks that have occurred have been in the Finance sector — more than any other sector so far this year. In 2021, the FBI reported that an estimated $2.4 billion was lost by victims of BEC fraud, making up more than a third of cybercrime.
It is evident that Business Email Compromise attacks or BEC attacks can be extremely damaging to those who fall victim to the crime, costing organizations and individuals millions of dollars.
So how can you safeguard against these attacks? Awareness is the first step, and that is what this article seeks to bring about.
What is a Business Email Compromise Attack and how does it work?
A business email compromise attack is a type of social engineering that involves attackers impersonating certified organizations or individuals in order to gain access directly to money, private credentials, or personal data for various uses (usually to retrieve money). BEC attacks are currently the most prominent form of cybercrime, due to the fact that they are easy for attackers to initiate in mass, have a high success rate, but are still thoroughly effective.
While business email compromises and phishing attacks are similar and can overlap, according to IBM they differ in that phishing typically results in compromised systems or credentials through malware or ransomware, and BEC attacks result either in direct transfers of funds, or credentials/other personal data.
BECs can take different forms, the different techniques used in BEC attacks include:
- Domain and Email Spoofing: Domain spoofing involves the use of a false domain that resembles an existing and legitimate one, to pose as the original. In spoofing, attackers are able to control how communications such as emails appear to recipients on the “From” line. This means that the sender of the email may look legitimate, but further, the inspection would show that it is not. And in the case of spoofing emails requesting a response, instead of the email that may appear legitimate, the victim would be sending information to the attacker’s fraudulent address. A look at the “Reply to” section would show that the initial email is not in fact an actual address, but rather the title used to give that appearance.
- Lookalike Domains: Lookalike domains rely on visual deception to dupe victims. A quick glance would allow the domain to appear as accurate, however, there are more obvious differences that rely on the victims’ “lack of attention.” There may be details such as a letter missing, or an extra letter; there could be a letter that has been replaced with a number such as “1” instead of an “I” or “l”, or the letters I AND l used interchangeably. In its earlier days, a huge giveaway would be the use of a non .com domain name, however according to an annual report by Cofense, today .com domains account for 50% of credential phishing attacks.
- Compromised Accounts: Compromised accounts are highly efficient due to the fact that the accounts being used are legitimate, they are just being controlled by fraudsters. Compromised accounts are more difficult to obtain by hackers, however once obtained, they have a higher success rate.
What are the types of Business Email Compromise Attacks?
The FBI has categorized business email compromise attacks into five types:
- False Invoice Scams: In this type of attack, attackers pose as service or goods suppliers providing invoices that request payment. The attackers will usually impersonate existing suppliers/vendors used by the company, exploiting the fact that there will be records of other transfers and communication with the vendor as “proof”.
- CEO Fraud: CEO fraud involves the direct impersonation of an organization, and is usually directed towards employees, especially those in finance departments responsible for making payments and those who frequently manage transfers. In this scenario, the attackers will apply more pressure so as to make the employee feel anxious to meet the demands of an authoritative figure.
- Account Compromise: A compromised account is particularly effective as attackers have actually gained access to confidential information and the account of an organization, meaning they can fully take on the persona of a company employee until the organization becomes aware or the victim calls to confirm. However, due to the profiles they have access to, it can be difficult for victims to know they are being deceived.
- Attorney Impersonation: Attorney impersonation uses legal authority to dupe the employees into feeling as though they have a serious obligation to fulfill. The tactics used in this type of BEC attack rely on the victim’s need to comply with business regulations and formal requests. These attacks can be directed toward stakeholders, sometimes with the pressure that the company’s well-being rests in legal faith.
- Data Theft: This type of BEC attack is pursued with the end goal of obtaining confidential data, which can then be used for different purposes. The data acquired can then be used for ransom, it can be sold, or it can be used to secure valuable assets, and more.
Attackers have developed more sophisticated methods that involve collecting a large amount of data on their potential victims before pursuing them. In doing so, they appear well-informed on their victims to win over their trust. However, even less advanced, and more large-scale attacks work efficiently enough, and attackers who use the BEC-as-a-Service method rely on the confidence that even a small percentage of the large recipients of their attempts will follow through with their instructions.
Business Email Compromise Attacks and Phishing Emails
In 2021, Russian cybersecurity and anti-virus services provider Kaspersky found that their anti-phishing system had discovered and blocked over eleven million (11,260,643) phishing links throughout Southeast Asia in that year alone. A substantial part of this enormous number was attributed to the working from home shifts brought on by the COVID-19 pandemic as attackers saw the vulnerabilities in business and employee cybersecurity as an opportunity to attack. Of the eleven million, Vietnam held the largest number at four million, followed by Indonesia (2,290,502) and Malaysia (1,791,751).
Most of the emails were found to have been sent through emails, placing further emphasis on how attackers view emails as an effective way of initiating these attacks. Globally, Kaspersky had blocked more than 250 million links. The organization explained that attackers were crafting emails with subject lines that seemed legitimate and relevant instead of unrealistic and over-selling, reflecting how attackers have advanced in the methods they use to lure victims.
According to Charles Lim, the industry principal at Frost and Sullivan, Asia should expect to see a large rise in business email attacks, “As BECs are relatively easier to execute and [capable of evading] cyber defense tools better than other popular attack vectors, such as ransomware and APTs, they [have the potential to become] the main cyber threat in Asia.”
In 2019, one of Japan’s largest media groups Nikkei lost $29 million to a BEC swindle after an employee at the group was duped into believing the transfer was being requested by an executive of the company. The transfer request was made to the Nikkei headquarters to an employee who then unknowingly transferred the amount to a fraudulent account.
The attacks are not limited to enterprises, in 2020, the Puerto Rican government sent $2.6 million to a fake bank account, after the director of the country’s industrial development company director, Ruben Rivera, received an email requesting a bank account change. As a result, three employees tied to the source of the compromised account were suspended, and the FBI suspended public pension funds.
Statistics on Business Email Compromise Attacks
The FBI recorded a total loss of $43 billion between July 2016 and December 2021 as a result of business email compromise attacks. The attacks occurred not only in all fifty states in the US but also across 177 countries. They attributed the 65% increase to the virtual shift brought on by COVID-19, as attackers found ways to exploit virtual meetings and other communications.
According to the 2021 Internet Crime Report (IC3) released by the Federal Bureau of Investigation, they received 19,954 Business Email Compromise (BEC)/ Email Account Compromise (EAC) complaints with adjusted losses at nearly $2.4 billion in 2021, with a victim count of 19,954. While variations of phishing as well as extortion, tech support, and investment crimes all had more victims than BEC attacks, the greatest monetary loss was seen through business email compromises. The exact figure was $2,395,953,296 in BEC/EAC losses, with the second and closest amount being in investments (such as Retirement funds, 401K, Ponzi schemes, Pyramid Schemes, etc.) at $1,455,943,193, a total difference of $94 million. FBI explained that attackers are not just targeting direct funds, but other data such as W-2 forms as well as cryptocurrency wallets, which attackers prefer due to the transaction speed as well as the difficulty in tracing. In 2021, IC3 received 34,202 complaints related to cryptocurrency with the total losses for the year exceeding $1.6 billion.
The report also highlighted that in 2021, Thailand, Hong Kong, and China were the largest recipients of funds from BEC transactions.
The 2021 IBM Data Breach Report found that when compared to public clouds, private clouds, and on-premise cloud models, hybrid clouds had the lowest average total cost of a data breach of the four cloud models at $3.61 million. As we evolve further towards cloud models, while we can fully acknowledge their benefits, it is important to equip them with protection. The data stored in clouds is valuable to businesses, making it a justified target for attackers. Sangfor HCI is equipped with disaster recovery, backups, and CDP to secure data.
The statistics above place further emphasis on the FBI’s encouragement towards organizations and citizens to be wary and arm themselves as heavily as possible with the cybersecurity tools and knowledge to fend from attacks.
How to protect against Business Email Compromise Attacks?
The first and most crucial step in understanding and potentially preventing a business email compromise attack is awareness. Since the cause is mainly rooted in human error, it is essential that employees and executives of businesses are well-informed on BEC attacks, what they are, how they work, as well as what to look out for. Training your organization on the nature of the attacks will keep them well-informed and prepared. Organizations can even simulate phishing emails to give employees a greater understanding of what they may look like. Furthermore, adding additional layers of verification as well as the reinforcement of compliance will guide employees even in situations where they are unaware.
However, many cybersecurity experts believe that every organization is bound to experience some form of BEC or another cyberattack in their lifetime, it is only a matter of when, and whether they will be adequately equipped to respond and recover. As such, for every other kind of cybercrime, businesses must equip themselves as best as they can with a strong cybersecurity strategy, as well as backup and recovery plans.
“Enterprises in the region should carefully look into holistic and in-depth cybersecurity technologies to beef up the security of their highly critical mail servers,”- Yeo Siang Tiong, general manager of Kaspersky Southeast Asia.
In the interview below by Cyber Defense Magazine and Sangfor Technologies, Guy Rosefelt, Sangfor Chief Product Officer, discusses how Sangfor Cyber Security solutions can assist organizations in protecting themselves through their digital transformation journeys. Guy talks to CDM about the rise in various cyber threats including APTs, and what approach businesses need to take in order to be prepared.
Sangfor Interview with Cyber Defense Magazine 2022
It becomes more apparent that BEC attacks are only one of the hundreds of thousands that organizations may face in the future. This means that the cybersecurity solutions that they use to protect their data and assets must be all-encompassing, and constantly developed to match the advancements in threats.
The first step in the Sangfor Anti-Ransomware solution involves the use of an AI analysis engine to detect and block malware and ransomware that may occur as a result of entry through phishing, web vulnerability, etc.
This is followed by Step 2: the detection and blocking of C&C communications.
Step 3: The killing of exploitation that may have occurred, and Step 4: The isolation of any damage that occurred to avoid propagation. This makes our Anti-Ransomware solution an effective anti-phishing mechanism.
Our Endpoint Secure is an endpoint security solution that can be integrated with Sangfor’s NGAF, IAG, and Cyber Command, to provide a full security system with complete coverage against malware for Ransomware Protection, and APT threats.
What can I do to stop Business Email Compromise Attacks?
- Personal and organizational awareness of what business email compromise attacks could look like is important
- Enforce compliance protocols to be followed as a standard, as well as the extra protocol in out-of-the-ordinary situations
- Make sure there are verification features both for employees to follow and to implement to authenticate users, as well as for users to follow when accessing their own personal information
- Make sure that not only your domain is safe, but inspect for impersonators/lookalikes/spoofing
- If a user is suspicious, directly contact your service provider to share your concerns
- Do not share any personal information such as pins, usernames, or verification codes. Most service providers disclaim that they will never request that information
- Make employees aware of what kind of requests they are allowed to fulfill and under what circumstances, and inform them on what steps to take should they receive demands that they are unsure of.
- Check-in with all members of the organization on how correspondence protocol is going to establish open communication and trust — this is not an investigation, simply an opportunity for them to express if they are finding it easy to enforce protocol, and where they might be room for improvement
- Avoid using free web-based emails, as these tend to be the most exposed
- Do not open any foreign emails; delete all spam
- Regularly inspect accounts for inconsistencies or unknown transactions
If you haven’t already been the unfortunate victim of a business email compromise attack, you might be. The last thing your organization needs is to suffer massive losses before taking action. Create awareness, and set up the right security defenses to combat attackers and protect your business. If you and your organization would like to consult a cybersecurity expert on investing in cybersecurity tools and solutions, or are simply interested in learning more about cyber protection, reach out to us to set up a consultation.