Ransomware and other malware incidents dominate the headlines in cybersecurity, yet a far less discussed threat, business email compromise (BEC), causes organizations the most significant financial losses. According to the FBI’s Internet Crime Complaint Center (IC3) 2021 Internet Crime Report, BEC attacks accounted for over $2.4bn in business losses in 2021. That figure is 48 times the losses reported for ransomware and about one-third of all cybercrime losses reported to the FBI that year.
BEC, which the FBI tracks together with email account compromise (EAC), refers to social engineering attacks that trick individuals into transferring funds or sending sensitive information, usually financial, by email. Typically, the scammer spoofs or takes over the corporate or publicly available email account of an executive or a senior employee involved in finance or wire transfer payments, using phishing or other social engineering methods, and then persuades another employee to carry out a fraudulent transfer. While finance staff are ideal targets, anyone in the business is susceptible to being compromised.
Moreover, BEC attacks have grown steadily over the past few years. From $1.29bn in 2018, global BEC losses rose to $1.7bn in 2019 and $1.86bn in 2020. The FBI recorded a 65% increase in losses between July 2019 and December 2021. In the first quarter of 2022, BEC overtook ransomware as the top threat for the first time in security consultancy firm Kroll’s quarterly report.
“What makes BEC such an important threat is that it is a concern for everyone, from Google and Facebook to a tiny local football club or even an individual wanting to buy a house. If you’re transacting money, you could be the target of a BEC attack,” Adenike Cosgrove, VP of cybersecurity strategy at Proofpoint, tells Infosecurity. “People are concerned about nation-state threats, ransomware, or cryptocurrency mining attacks, but the reality is that the basics work. In most attacks, threat actors largely rely on the same techniques, from compromised credentials and user-activated malware to data theft from the dark web that is being shared, sold and recycled among cyber-criminals.”
Worse Than it Seems
The data above paints a bleak picture, yet many cybersecurity professionals believe these statistics still understate the impact BEC attacks are having today.
The latest increase in BEC attacks “was fueled by the COVID-19 pandemic,” says Bharat Mistry, technical director at Trend Micro. “With many people working from home, it makes them easier targets than normal. When you see an email that you are unsure about, if you are in the office, you might ask your work colleague for a second opinion and decide not to respond,” he adds.
Josh Yavor, CISO at Tessian, a British security company, is convinced that “all the numbers we see are underreported.” Cosgrove agrees: “The IC3 claims some of its statistics are global, but how many companies report to the FBI outside of the US?” she asks. The same goes for cybersecurity vendors, Mistry argues: “We see the view from our telemetry, based on our solutions only. Globally, the figures could be much higher than we see.”
BEC attacks are overlooked for two reasons. First, unlike ransomware gangs, BEC actors rarely publicize their operations, which leaves security researchers little to investigate forensically and threat analysts little basis for attribution. Second, the stealthy nature of BEC and the damage to the targets’ finances and reputation mean that victims, too, would rather keep quiet about having fallen for it.
“The most well-known hacking groups with fancy names mainly are geopolitically motivated, like hacktivists or nation-sponsored actors, whereas attackers who use BEC usually are from organized crime groups. They won’t display their names before they get prosecuted,” Yavor says. The threat ecosystem is also becoming more specialized, with a quasi-Fordian division of labor: one actor typically crafts the lure, another does the social engineering work, and a third deploys it.
“Nowadays, the lines get blurrier as well. The criminals are increasingly collaborating, and different motives and attacks tend to overlap. What might start as a ‘simple’ BEC attack can turn into ransomware. These should no longer be treated as different problems,” warns Cosgrove.
On the victims’ side, companies are also reluctant to disclose that they have been attacked. “First, they can have been targeted months or even years before the threat actors proceed with asking for a fraudulent transaction. Second, they also can realize they have been abused weeks or months after the transaction happened. While ransomware is very much in your face, BEC is by nature stealthy,” Mistry explains.
“While the victim of ransomware can say there is nothing they could have done, BEC involves the mistake of one person within the organization,” Andrew Hay, CISO of Lares, said at Infosecurity’s Online Summit on September 28, 2022. For all these reasons, experts generally agree that BEC attacks are rarely disclosed and that the data on them is at best incomplete.
Cyber-Enabled Financial Fraud
Times are changing, and the perception of BEC is slowly evolving, which is good news for the fight against this type of attack.
“There are some indicators that things are changing,” Cosgrove says. “With more comprehensive threat data, a set of security tools improved with machine learning and behavioral analysis, and court cases, we now have a better idea of the BEC landscape than ever.”
“Lately, in court cases as well as on Twitter, some people have been starting to call BEC attacks ‘cyber-enabled financial fraud,’ and I think this new label shows the changes in perception of the problem. It demonstrates that finally, organizations recognize that what was once labeled as just a business problem that the CFO or a legal representative would deal with is now perceived as a security issue and that they need to bring the security team into this.”
While BEC attacks usually require little technical hacking skill, the actors’ approaches to tricking someone into making a fraudulent transfer are increasingly ingenious. “They first use marketing techniques to identify who is responsible for what in the organization, basically working like a marketing agency,” Zaira Pirzada, advisor at Lionfish Tech Advisors, said during Infosecurity’s Online Summit in September. They then use various social engineering techniques to impersonate a high-level executive, an attorney or even a supplier in order to target the individual they have identified.
Meanwhile, Yavor explains, “Some use the most basic schemes, using off-the-shelf toolkits, and others are very sophisticated, sometimes fully customizing an experience for a specific target and slowly building trust before attacking, for instance.”
Supply Chain Attacks
Another explanation for the rise of BEC is that attacks are increasingly multi-channel. On top of email phishing, BEC attackers now use SMS (‘smishing’), voice calls (‘vishing’) and social media, and sometimes combine several channels in a single campaign.
“A message sent via InMail, LinkedIn’s message service, gets four times more response than an email,” Jake Moore, global cybersecurity advisor at European security vendor ESET claimed at DTX Europe on October 13, 2022.
Along the same lines, the most successful recent BEC attacks are supply chain attacks, where the threat actor uses a weaker link, such as a supplier, a contractor, a maintainer or a minor partner, to get access to a big enterprise’s accounts. “There is an ongoing lawsuit in Virginia, where a threat actor is accused of spoofing a supplier and using their credentials to send emails to another organization and ask them to change their bank details. Almost half a million dollars was wired directly to the alleged criminal,” Proofpoint’s Cosgrove recalls.
As attacks grow more complex, BEC threat actors are no longer looking exclusively for financial data but for any critical data, whether personal, organizational or industrial, that they can leverage to get money wired to them.
Innovative Training and Fraud Backtracking
CISOs are battling an enormous number of threat actors attempting to compromise their organizations and the individuals within them. Against BEC, cybersecurity leaders must ensure they have the right tools and training capabilities at hand to stop attackers from extracting fraudulent payments.
“Statistically, today, BEC is the number one type of attack organizations need to defend against,” Yavor insists. To do so, the CISO’s number one piece of advice is to plan the proper training: “Rather than just telling your employees what a phishing email looks like, as we usually see in simulated phishing campaigns, a better way to raise awareness on BEC is to tell them what behaviors will never happen in their organization,” he says.
“In my last training session at Tessian, I told my collaborators: ‘No one from the leadership team will ever message you over SMS to ask you to buy a gift card,’ for instance.”
“It is also essential not to forget to put in place robust and reliable business and financial processes to allow for quick fraud backtracking,” Laurie Iacono, associate managing director for cyber risk at American consultancy Kroll, tells Infosecurity.
DMARC, SPF and DKIM
As for the technical measures that could be implemented to prevent BEC attacks, experts call for authentication tools like multi-factor authentication (MFA) and access controls, as well as essential email security tools such as domain checks, email filtering and alerts. Some email security solutions also utilize machine learning and/or natural language processing (NLP) to detect abnormal behaviors or uncommon language used by a specific sender, “but these tools only work as well as the sample size and the quality of the source material used to train them,” warned Hay during the September Online Summit.
More importantly, all security experts insisted on three free, standardized tools available for every organization, which, when combined, can significantly improve email security yet are still rarely implemented. These are:
- Domain-based Message Authentication, Reporting and Conformance (DMARC), an email authentication protocol that lets a domain owner publish, in DNS, what receivers should do with mail that fails authentication (monitor only, quarantine or reject) and where to send reports about it, thereby protecting the domain from spoofing.
- Sender Policy Framework (SPF), an email authentication method that lets a domain publish which mail servers may send on its behalf. On its own, SPF only validates the envelope sender (the MAIL FROM address), which recipients never see, so an attacker can pass SPF for their own domain while forging the visible From: header. Combined with DMARC, which requires the SPF-authenticated domain to align with the From: domain, it detects forged sender addresses during delivery.
- DomainKeys Identified Mail (DKIM), another protocol that allows an organization to take responsibility for a message by cryptographically signing it with a key published in DNS, so that receiving mailbox providers can verify that the message was authorized by the domain and was not altered in transit.
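The following is an added example, not code from the article or from any of the vendors quoted in it. It lints constructed SPF and DMARC TXT records for a hypothetical example.com and then performs the DMARC alignment decision described above, showing why an SPF pass for the attacker's own domain does not let a forged From: header through. No DNS lookups are performed; the records are embedded as constructed samples, and the organizational-domain logic is deliberately simplified (real receivers consult the Public Suffix List).

```python
"""Offline SPF/DMARC record linting and DMARC alignment evaluation.
Sample records are constructed for a hypothetical example.com; no DNS is queried."""
from __future__ import annotations
from typing import Optional

# Constructed TXT records, as a receiver would fetch them from DNS.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=100"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 include:_spf.mail.example.net +all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.net -all"

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
SPF_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict[str, str]:
    """Parse a 'tag=value; tag=value' record (DMARC, DKIM-Signature style)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list[str]:
    """Return weaknesses found in a DMARC record; an empty list means none."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or unknown policy p={policy!r}")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy enforced on only {pct}% of failing mail")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address, so spoofing attempts are never reported")
    return findings


def spf_findings(record: str) -> list[str]:
    """Return weaknesses found in an SPF record; an empty list means none."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    # Mechanism name without qualifier or argument, e.g. "-include:x" -> "include".
    names = [t.lstrip("+-~?").lower().split(":")[0].split("=")[0] for t in terms[1:]]
    all_terms = [t for t, name in zip(terms[1:], names) if name == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all authorizes every host on the internet to send as this domain")
        elif qualifier == "?":
            findings.append("?all is neutral and gives no protection")
        elif qualifier == "~":
            findings.append("~all softfails only; rely on DMARC p=quarantine/reject to act on it")
    lookups = sum(1 for name in names if name in SPF_LOOKUP_MECHS)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    real receivers use the Public Suffix List so that example.co.uk works)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(header_from: str, spf_pass_domain: Optional[str],
                   dkim_pass_domain: Optional[str], dmarc_record: str) -> dict[str, str]:
    """Combine the SPF-authenticated MAIL FROM domain and the DKIM-verified d=
    domain (None when that check did not pass) with the visible From: header.
    A pass for an unrelated domain does not help the attacker: at least one
    authenticated identifier must align with the From: domain."""
    tags = parse_tags(dmarc_record)
    from_domain = header_from.rsplit("@", 1)[1].strip(" >").lower()
    spf_ok = aligned(from_domain, spf_pass_domain, tags.get("aspf", "r").lower())
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r").lower())
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none"}
    return {"result": "fail", "disposition": tags.get("p", "none").lower()}


if __name__ == "__main__":
    print("weak DMARC:", dmarc_findings(WEAK_DMARC))
    print("weak SPF:", spf_findings(WEAK_SPF))
    # Classic BEC spoof: the attacker's own server passes SPF for attacker-mail.example
    # while the visible From: claims to be the CEO of example.com.
    print(dmarc_evaluate("CEO <ceo@example.com>", "attacker-mail.example", None, STRONG_DMARC))
```

Run against a real domain by substituting the TXT records you fetch for `_dmarc.<domain>` and `<domain>`; a `p=none` record with no enforcement, or an SPF record ending in `+all`, is exactly the configuration that lets a spoofed executive email reach the finance team's inbox.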
“With these tools, you can achieve the ultimate goal when it comes to BEC: pushing the attackers to the margins, to personal Gmail accounts, for instance, where they will appear as less legitimate to request access to financial data,” highlights Proofpoint’s Cosgrove.
Yavor adds, “Whether BEC attacks can decrease in the future will not depend on new technologies, but on whether organizations deploy the ones that exist. Otherwise, BEC losses are going to keep rising.”
Clearly, the fact that BEC attacks do not grab headlines the way ransomware does doesn’t mean they aren’t a huge threat to organizations today. Shining a light on this threat vector remains critical, but organizations must also implement the right tools, technology and training to overcome this cyber-enabled form of financial fraud.
Staggering Numbers
A consistent top threat:
- Top threat in 2022, with 65% of BEC attacks leading to security incidents
- 80% of organizations have experienced BEC attacks in 2022
- Top threat in 2021, with 19,954 BEC complaints reported to the FBI
A lucrative endeavor:
- $2.4bn losses to BEC in 2021 (1/3 of all cybercrime losses)
- 48 times the losses reported for ransomware
- $43bn losses between 2016 and 2021
A surging market:
- +65% in losses to BEC between July 2019 and December 2021
- Expected to reach $3.3bn by 2028
- An expected rise of 19% CAGR between 2022 and 2028
Sources: FBI, Kroll, Osterman Research, ReportLinker