Business Email Compromise (BEC) continues to be a prevalent threat to businesses across all industries. Over the course of the past few years, BEC attacks have evolved to become much more targeted and manipulative, which has contributed to its growing popularity as an attack method.
In its infancy, BEC attacks focused primarily on bypassing Microsoft 365 multi-factor authentication (MFA), but now adversaries will often hi-jack legitimate email account via phishing or social engineering techniques to trick victims into diverting money to accounts under control of the fraudster.
According to new figures from the UK’s National Economic Crime Centre (NECC), reported BEC incidents have hit 4,600 cases over the past 12 months, costing individuals and businesses £138 million in losses, with the average case costing £30,000. A notable BEC attack earlier this year captured headlines when Europol dismantled a major Franco-Israeli cyber-crime group that employed BEC attacks to divert payments, with the perpetrators managing to steal over €38,000,000 within a couple of days.
According to the FBI, BEC has been the highest-earning cybercrime for the past two years. The frequency and high cost of BEC, emphasises the need for organisations to implement preventative strategies and measures across the board. All organisations are vulnerable to BEC, from government bodies to schools and non-profit organisations, everyone is a target.
The objective of each of BEC attack strategy is to initiate a non-standard business process by the finance, payroll, or human resources department. CEOs, executives, finance employees, HR managers, and new or entry-level employees are the roles that are typically most targeted by BEC scammers, as they have either the access and or authority needed to enable BEC strategies to succeed.
To mitigate against BEC attacks requires a good understanding of attacker strategies and how to defend against them. Below are some of the most common attack strategies and some best practices to stop BEC.
5 Top Business Email Compromise Attacker Strategies
Mailbox access strategy – to gain entry to the target’s email system, the threat actor attempts to compromise a legitimate internal email account. Once this access is acquired it’s easy for the attacker to sift through existing email threads to scope the information needed to initiate the fraud. Attackers can purchase the capabilities needed to carry out this form of attack from the wider cybercriminal eco-system, including phishing and remote access tools with Endpoint Detection and Response (EDR) bypass.
C-suite Impersonation strategy – threat actors either spoof or hack into a CEO or executive’s email account in order to research their target and determine how best to trick employees into making a purchase or send money via wire transfer to an account controlled by the attacker. Threat actors deploy per target capabilities, that mimic the target’s email systems to increase their chance of success.
Attorney Impersonation strategy – in this approach threat actors gain unauthorised access to an email account at a law firm. They will then email the firm’s clients a fraudulent invoice or link to make a payment online. The access to the firm’s database means the attacker can use this technique against several targets.
False invoice strategy – in this scam the attacker impersonates a legitimate vendor that the target organisation works with. They will email the vendor a fake bill that closely resembles a real one. They may provide an account number that is very similar to the real one or ask that the funds be transferred to a different bank, at the same time providing some plausible excuse for the change e.g. their bank is being audited.
Payroll redirection strategy – threat actors target employees without deploying any capabilities, they simply use a free public email service to request that the employee update their banking account and sort code.
Defensive Strategies Against Business Email Compromise
To defend against BEC, you must first assess the strength of relative finance, payroll, or human resources business processes. Many of these processes will be either dependent on emails or place reliance on the integrity of a third-party’s email system. Therefore, you should ensure that technical controls with the target policy configuration is mandatory for suppler management.
Ensure technical anti-phishing controls that are effective against BEC strategies are enabled across all your systems. Administrators can also strengthen security by enabling MFA across your entire organisation and make it mandatory for all employees. While MFA won’t stop all BEC strategies it can alert your team to any suspicious access with authentication or multiple attempts.
We recommend that you switch from emailed invoices to a secure system specifically designed to authenticate payments. In addition, you should train your employees to recognise the hallmarks of fraudulent payment requests and suspicious emails. Provide your staff with a way to escalate any concerns to your security team for review.