Business Email Compromise B-E-C Attacks: The Most Dangerous Form of Email Scam
Business email compromise attacks will have you doubting any email you receive, whether it's from your co-worker or even the CEO of your company. Imagine this scenario: it's tax season, and you work in the HR department. Your CEO sends you an email requesting copies of employee W, 2S that include names, addresses, Social Security numbers, income data and tax information. With the sense of urgency that the tax season brings and a direct request from your CEO, what should you do? You wouldn't think much of it, most likely. It's not that unusual of a request, so you provide the needed information. Well, now that information is used by attackers to file fraudulent tax returns, or put up for sale on the dark web for future misuse by other cyber criminals. How did this happen? The email evaded your spam filters, the sender email looks identical to your CEO's and it even has their photo on the email account. This is a very common case of business email compromise, B-E-C attack. And they're on the rise. Now that they've been under scrutiny by the FBI for years, we have some frightening statistics on their advancements: In 2020, the FBI IC3 received nearly 20,000 complaints about B-E-C, with reported losses due to the attacks increasing to 1.86 billion dollars from 1.29 billion dollars in 2018. And with cybercriminals leveraging business email compromise to target businesses more and more over the past year, we'll take a look at what these attacks are, their different types, how you can spot their hard-to-detect threat, best practices for preventing them, and how you can stop them. What is a business email compromise? Business email compromise is a very damaging type of cyber crime in which cyber criminals impersonate the email account of an employee, executive or vendor of a company, for the purpose of requesting that the recipient (someone from the company) divulge sensitive information, make payments or even share information about their company's proprietary products or technology. Unlike the usual phishing campaigns with fake emails that are easy to spot, B-E-C attacks are highly targeted. This means they can fall under the spear phishing umbrella, with victims thoroughly researched to ensure they can make and authorize the payments, and that they have the sensitive information the attackers are after. Because they're so highly targeted and expressly use social engineering to carry out attacks, they're not easy for spam filters to detect and block. Attackers can also register lookalike domains that aren't on any block lists at the time of the attack, further helping them successfully evade detection. And with emails that often contain no links or attachments, only a written request, antivirus solutions can do very little about them, if anything at all. How B-E-C attacks work Because business email compromise leverages social engineering, cyber criminals don't need to use advanced tools or even need to be that technically proficient to execute them. B-E-C attacks usually start with reconnaissance that can span days or weeks, looking for information about their target organization and its employees, allowing attackers to carefully choose the victim as well as the person they'll impersonate. As mentioned before, victims are usually executives or employees who are authorized to make payments on behalf of the organization or have access to sensitive employee information, such as those in the HR department. Attackers can perform recon and use Osint by visiting websites, press releases, social media profiles and posts, LinkedIn, company partners, investors and the like, all to build a profile on their target organization and its personnel. Once attackers have enough information to select the appropriate victim and the "sender" they'll impersonate, they're ready to set up the attack. And in order to take on the sender's identity, to make the fateful request of payment or informational access, attackers can use various approaches. These...