The Rise of Business Email Compromise (BEC) Attacks
In today’s world, cyber-attacks impact businesses of every size and industry. At the forefront of these financially devastating attacks is a method intruders use called business email compromise (BEC). In May of 2022, the FBI published a public service announcement giving a detailed summary of victim filings from June 2016 – December 2021. Including domestic and international incidents, more than 241k attacks were reported, with an exposed dollar loss of over US$43 billion. The FBI 2021 Internet Crime Report published by the FBI’s Internet Crime Complaint Center (IC3) states that BEC is the top cyber threat and that the bureau has received over 19k complaints.
BEC attacks are sophisticated scams that target businesses and individuals through social engineering or phishing emails. These bad actors have targeted small, midsize, and large corporations across numerous industries in all 50 states and 177 countries. BEC threat actors continue to grow and evolve their techniques and are currently the biggest threat that security researchers don’t discuss.
BEC’s Rising Cost
BEC attacks are on the rise. Over the past seven years, BEC has been responsible for more financial losses in cybercrime than any other attack method. According to the FBI’s 2021 Internet Crime Report, 35% of all cybercrime losses were attributed to BEC attacks, and in 2022 the percentage will eclipse that number. BEC has accounted for US$2.4 billion in adjusted losses for businesses and consumers. The FBI’s report details how BEC losses exceeded US$43 billion between June 2016 and December 2021 for domestic and international incidents.
BEC vs. Ransomware
Over the last three years, organizations shifted their focus to ransomware due to the high-profile nature of the attacks. Attacks like JBS, Colonial Pipeline, and CNA Financial brought ransomware into the vernacular over the summer of 2021. Ransomware gangs like Conti, REvil, and LockBit gained notoriety because of the vast amount of money their victims have paid. BreachQuest’s security analysts, in their ‘The Conti Leaks | Insight into a Ransomware Unicorn’, found that Conti has received more than $50 million in ransom payments just since September 2021. According to IC3 reports, ransomware was reported by 3,729 victims. This is relatively insignificant compared to the number of BEC reports, 19,954 victims. Further, BEC caused victims to incur losses of $2.4 billion. This amount of money is staggering and dwarfs that of ransomware payments.
Ransomware attacks are not going away. However, in 2022 it is believed that BEC attacks are on the rise and will surpass the 20k victim mark and top $45B in losses. BEC impacts companies financially just as ransomware does. However, it differs in how the money is stolen. BEC involves simple hacking or spoofing of business and personal email accounts, which are then used to request that organizations send wire payments to the threat actor’s bank accounts.
BEC’s Plan of Attack
At BreachQuest, we have observed how BEC actors change tactics to deceive employees and executives. We have observed attacks on organizations in the financial sector that vary widely in complexity. Most campaigns start with a simple phishing email. For example, an employee received an email stating that they had received a new voicemail from a phone number, directing the targeted user to “Refer to the attached”; the attachment is a .htm file. The phishing link was observed to be hosted on a suspicious domain. Upon clicking, the page would be redirected to a different domain.
Once the phishing attempt was successful and the unauthorized access was granted, we observed several forwarding rules created. These rules would allow attackers to hide specific email communications, such as those from the victim’s bank, by redirecting them to the user’s RSS Feeds folder, which often goes unnoticed. The creation of forwarding rules allows attackers to intercept victims’ communications. Intercepting their communications opens the door to many more attacks as money, data, or identities are stolen. There have even been some cases of threat actors using “deep fake” audio to deceive their victims by acting as an executive.
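The rule abuse described above can be hunted for in mailbox audit data. The following is an added example, not BreachQuest's or Priori's code: it assumes simplified, constructed records shaped like Microsoft 365 audit entries for inbox rule changes, with example.com as the only internal domain, and flags rules that hide mail in the RSS Feeds folder or forward it to an outside address.

```python
import json

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}
HIDING_FOLDERS = ("rss feeds",)  # folder named in the article; extend as needed

# Constructed sample records (assumed, simplified audit entry shape).
SAMPLE_AUDIT_JSON = """[
 {"Operation": "New-InboxRule", "UserId": "ap.clerk@example.com", "ClientIP": "203.0.113.7",
  "Parameters": [{"Name": "Name", "Value": "."},
                 {"Name": "From", "Value": "payments@bank.example"},
                 {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                 {"Name": "MarkAsRead", "Value": "True"}]},
 {"Operation": "New-InboxRule", "UserId": "cfo@example.com", "ClientIP": "203.0.113.7",
  "Parameters": [{"Name": "Name", "Value": "sync"},
                 {"Name": "ForwardTo", "Value": "collector@mailbox.test"}]},
 {"Operation": "New-InboxRule", "UserId": "hr@example.com", "ClientIP": "198.51.100.4",
  "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                 {"Name": "MoveToFolder", "Value": "Newsletters"}]},
 {"Operation": "MailItemsAccessed", "UserId": "hr@example.com", "ClientIP": "198.51.100.4"}
]"""

def review_rule_event(event, internal_domains):
    """Return the reasons one audit record looks like BEC rule abuse."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return []
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    reasons = []
    folder = params.get("MoveToFolder", "").strip()
    if folder.lower().endswith(HIDING_FOLDERS):
        reasons.append(f"hides mail in '{folder}'")
    for name in sorted(FORWARD_PARAMS.intersection(params)):
        for addr in filter(None, (a.strip() for a in params[name].split(";"))):
            if addr.rsplit("@", 1)[-1].lower() not in internal_domains:
                reasons.append(f"{name} to external address {addr}")
    if reasons and params.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks matching mail as read")
    return reasons

def hunt(audit_json, internal_domains):
    """Map each flagged mailbox to the reasons its new or changed rule was flagged."""
    flagged = {}
    for event in json.loads(audit_json):
        reasons = review_rule_event(event, internal_domains)
        if reasons:
            flagged.setdefault(event["UserId"], []).extend(reasons)
    return flagged

if __name__ == "__main__":
    for user, reasons in hunt(SAMPLE_AUDIT_JSON, {"example.com"}).items():
        print(user, "->", "; ".join(reasons))
```

A flagged rule is a lead for investigation rather than proof of compromise; correlating the rule's creation time and client IP with the account's sign-in history is the usual next step.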
BEC Audit & Proactive Monitoring
BreachQuest is one of the only vendors that provide cloud-based protection to combat BEC and its associated threats. The Priori BEC module is an integrated cloud email security solution that uses advanced analytics to detect business email compromise attacks.
Priori’s API-based solution directly integrates with the Microsoft 365 cloud email platform to detect malicious activity. We help organizations gain visibility into attacks and provide actionable intelligence to speed up the organization’s investigations.
BEC PICES (Priori Integrated Cloud Email Security) Features:
- Threat Hunts of the last 90 days of Audit Logs
- Daily Hunts of Audit Logs to detect various BEC tactics
- Analyzes email sent and received message attributes with advanced analytics
- Identifies email fraud from compromised employees and vendors
- Automates threat detection and sends notifications to customers
- Collects forwarding rules from desired mailboxes
- Collects mailbox statistics and configuration
- Geolocation user login monitoring
- Mail traces of any data from the last 90 days
- Mailbox application access identification
- Automated report generation based on country whitelisting and compromised account timeframes
BEC attacks are on the rise: Protect Yourself
Many BEC attacks begin with phishing emails as threat actors continue to innovate new tactics to circumvent protections and make money. There are some basic actions your organization can take to combat BEC. Using two-factor authentication to verify requests for changes on accounts, ensuring URLs in emails are associated with actual businesses, watching for misspellings like Micr0soft[.]com, and hovering over hyperlinks to verify the link are simple and effective tools against BEC. Organizations should also audit and monitor their financial accounts to hunt for discrepancies.
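The misspelling check mentioned above can be automated for sender and link domains. This is an added example, not part of the original article or any product: the substitution table and the trusted-domain list are assumptions, and it goes slightly beyond the Micr0soft[.]com case by also catching one-character typos.

```python
# Assumed, non-exhaustive table of look-alike substitutions.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
# Constructed list of domains the organization actually does business with.
TRUSTED = ["microsoft.com", "example-bank.com"]

def refang(domain):
    """Undo defanging such as '[.]' and normalize case."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")

def skeleton(domain):
    """Fold look-alike characters so visually similar names compare equal."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, trusted=TRUSTED):
    """Return (verdict, matched trusted domain or None) for one domain."""
    d = refang(domain)
    for t in trusted:
        if d == t or d.endswith("." + t):
            return ("trusted", t)
    for t in trusted:
        if skeleton(d) == skeleton(t):
            return ("lookalike-substitution", t)
    for t in trusted:
        if edit_distance(d, t) <= 1:
            return ("lookalike-typo", t)
    return ("unknown", None)

if __name__ == "__main__":
    for name in ["Micr0soft[.]com", "rnicrosoft.com", "micosoft.com",
                 "login.microsoft.com", "contoso.com"]:
        print(name, classify(name))
```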
Speed is the Answer
With BEC attacks on the rise, guarding against the menace is important. Fortunately, it is not complicated with the proper protection. The techniques used by these cyber criminals are well-understood and relatively simple. The weaknesses they exploit are simply organizations’ inability to detect and remediate at speed. Speed is a problem that can be and has been addressed using an active protective product like PICES (Priori Integrated Cloud Email Security).
Meanwhile, as analysts, it is important that we keep up with the latest developments and techniques deployed by our adversaries. At BreachQuest, we continually track threat actors’ ever-changing tactics, techniques, and procedures to understand their latest capabilities and methods. This ensures that we always provide customers with the best protection to keep them up and operational.