BEC – High maintenance cybercrime generates high profits… for the criminals.

Forget ransomware: BEC is the threat you should probably fear most of all. Unlike ransomware, which locks victims out of their systems with strong encryption, Business Email Compromise (BEC) relies on far less obvious and more sophisticated mechanisms, which makes it harder to detect and easier to fall victim to. The effort for the criminals is higher, but the ROI (to put it in business terms) is definitely worth it.

BEC = big business

Although organizations are only now becoming aware of BEC, the scheme has been generating income for cybercriminals for years. Trend Micro researchers reported that in 2016 attackers caused an average of $140,000 in losses per BEC attack, and the evidence shows that this average has risen since. In July 2018 the FBI's Internet Crime Complaint Center (IC3) reported a 136 percent rise in reported BEC losses between December 2016 and May 2018, bringing the total to $12.5 billion in company BEC losses. That is $3 billion higher than the prediction Trend Micro researchers made in our Paradigm Shifts: Security Predictions for 2018 report.

What is BEC?

Traditionally, BEC takes the form of a scam in which attackers use legitimate-looking emails to trick enterprise victims into making wire transfers. As Trend Micro researchers have pointed out, these attacks come in several variants, including fraudulent invoices, impersonation of the company CEO, account compromise or impersonation, and even plain data theft.

Attackers don't just craft a catch-all email in generic language and hope it dupes their target. Instead, they take their time over sophisticated social engineering. Thanks to that investment of time and effort, cybercriminals can create highly convincing emails that address targets by name and can even appear to come from others within the organization. An accountant may receive a fraudulent wire-transfer request from the company CEO, sent from a spoofed version of the CEO's email address. Or a CEO may receive a reminder from an external vendor urging them to "finally settle this invoice". The more realistic the email appears, the more likely the accountant is to send the funds, or the CEO to transfer the requested sum.

Why is BEC so successful?

There are further factors contributing to the success of BEC. Firstly, even though a great deal of effort goes into it, the result is usually just a plain-looking email: no links to malicious sites and no suspicious attachments, so it is less likely to be flagged by either the employee or anti-malware tools. Secondly, the payment request usually carries a sense of urgency. Terms such as "urgent" or "last reminder", or the threat of legal consequences (for instance by impersonating representatives of a law firm), increase the likelihood of the victim paying up. Thirdly, the cybercriminals are gradually building an entire playbook of scenarios and roles they can use to persuade victims to cooperate.
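The signals described in the two paragraphs above (an executive's display name on a spoofed or lookalike domain, a vendor mail whose Reply-To points somewhere else, urgency wording, a payment request, and a body with no links or attachments for a scanner to detonate) can be turned into a simple triage check on inbound mail. The following Python block is an added example, not code from the original post or from any Trend Micro product; the corporate domain example.com, the executive list, the keyword lists, the scoring weights and the three sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not from the original post): the protected
# organisation's domain and the real mailboxes of executives whose names a
# CEO-fraud mail would borrow.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|today|last reminder|final notice|legal action)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|invoice|payment|bank details|account number)\b", re.I)
URL = re.compile(r"https?://", re.I)

# Crude weights, chosen for illustration. Sender anomalies dominate; urgency and
# payment wording only tip the balance in combination with them.
WEIGHTS = {"executive_name_spoof": 3, "lookalike_domain": 3, "reply_to_mismatch": 2,
           "urgency": 1, "payment_request": 1, "no_links_or_attachments": 0}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str) -> bool:
    """Close to the corporate domain (within two edits) but not equal to it."""
    return bool(domain) and domain != CORP_DOMAIN and levenshtein(domain, CORP_DOMAIN) <= 2


def body_text(msg) -> str:
    if msg.is_multipart():
        return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                         for p in msg.walk() if p.get_content_type() == "text/plain")
    return msg.get_payload()


def analyze(raw: str) -> dict:
    """Return the BEC signals found in one RFC 5322 message, a score and a verdict."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    subject, body = msg.get("Subject", ""), body_text(msg)
    signals = []

    real_mailbox = EXECUTIVES.get(name.strip().lower())
    if real_mailbox and addr.lower() != real_mailbox:        # the CEO's name on someone else's address
        signals.append("executive_name_spoof")
    if is_lookalike(domain_of(addr)) or is_lookalike(domain_of(reply_to)):
        signals.append("lookalike_domain")
    if reply_to and domain_of(reply_to) != domain_of(addr):  # replies routed off the sender's domain
        signals.append("reply_to_mismatch")
    if URGENCY.search(subject) or URGENCY.search(body):
        signals.append("urgency")
    if PAYMENT.search(subject) or PAYMENT.search(body):
        signals.append("payment_request")
    if not URL.search(body) and not any(p.get_filename() for p in msg.walk()):
        # The "plain-looking mail" the text describes: nothing for a link or attachment scanner to act on.
        signals.append("no_links_or_attachments")

    score = sum(WEIGHTS[s] for s in signals)
    verdict = "likely_bec" if score >= 5 else "review" if score >= 3 else "ok"
    return {"signals": signals, "score": score, "verdict": verdict}


# Constructed sample messages (not real mail).
CEO_FRAUD = "\n".join([
    'From: "Jane Doe" <jane.doe@examp1e.com>',
    "To: accounts@example.com",
    "Subject: Urgent wire transfer",
    "",
    "I am in a meeting and cannot take calls. Please process a wire transfer",
    "of 48,500 EUR today. Reply here and I will send the beneficiary details.",
])
VENDOR_INVOICE = "\n".join([
    'From: "Accounts Payable" <billing@acme-supplies.com>',
    "Reply-To: billing@acme-supplies-invoices.net",
    "To: ceo@example.com",
    "Subject: Last reminder: overdue invoice 2041",
    "",
    "Please finally settle this invoice by close of business or the matter",
    "will be handed to our legal department.",
])
LEGITIMATE = "\n".join([
    'From: "Jane Doe" <jane.doe@example.com>',
    "To: accounts@example.com",
    "Subject: Board deck",
    "",
    "Can you send me the Q3 figures when you get a chance? Thanks, Jane",
])

if __name__ == "__main__":
    for label, raw in [("ceo fraud", CEO_FRAUD), ("vendor invoice", VENDOR_INVOICE), ("legitimate", LEGITIMATE)]:
        print(f"{label:15s} -> {analyze(raw)}")
```

The thresholds are deliberate: an executive's name on a non-corporate address or a lookalike domain is enough on its own to send the mail for review, while urgency and payment wording together score only 2 and stay below the review threshold until a sender anomaly or an off-domain Reply-To joins them. The "no links or attachments" signal carries no weight on purpose: it is context explaining why link and attachment scanners stay quiet, not evidence of fraud by itself. In a real deployment you would feed in SPF, DKIM and DMARC authentication results rather than rely on header text alone.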

Last but not least: once they have gained access to a mailbox and pulled off a first successful money transfer, there is no reason for them to stop there. As long as they remain undetected, they can easily send phishing or further BEC messages to everyone in the compromised account's address book. Attackers can even use victims as "money mules", according to an FBI report: people recruited through romance or blackmail scams whom the criminals use to open new accounts for BEC transfers. While these accounts may only stay open for a short time, they give attackers additional opportunities.

What can you do?

Security experts do not expect BEC attacks to diminish any time soon. In addition to user awareness, enterprises should use advanced security solutions to prevent BEC intrusions. Technology from Trend Micro, which uses artificial intelligence to detect email impersonators and machine learning to strengthen overall security, can be a valuable asset here.
