Around half of the people impersonated in Business Email Compromise (BEC) scams, and around half of those who receive them, are not C-level, finance or HR employees, highlighting the need for a company-wide policy to mitigate the threat, according to new research.
Security firm Barracuda Networks analyzed 3000 BEC campaigns to better understand where and how attackers are focusing their efforts.
Sometimes referred to as "CEO fraud," the scams typically work by impersonating a company boss, either by spoofing their email domain or by phishing or otherwise compromising their account, and then persuading a member of the finance team to make a large corporate funds transfer to a third-party account.
However, while CEOs accounted for the largest single role impersonated in the scams (43%), an even bigger proportion (48%) came from a long tail of other roles outside the C-level, finance and HR functions.
Among recipients, Barracuda Networks found that 54% were likewise in roles outside the C-suite, finance and HR. The next most common recipients were CFOs (17%) and finance/HR staff (17%).
“As you can see, almost half of the impersonated roles and more than half of targets are not of ‘sensitive’ positions, such as executives, finance or HR,” explained content security services vice-president, Asaf Cidon. “Therefore, simply protecting employees in sensitive departments is not sufficient to protect against BEC.”
The research also found that only 40% of BEC emails contained a malicious link; the remaining 60% did not, which makes them harder for traditional security filters that key on malicious links to spot.
Some 47% requested a direct wire transfer, while 12% sought to establish a rapport with the recipient, presumably as a prelude to requesting a transfer, and a further 12% were designed to steal personally identifiable information (PII).
Barracuda Networks recommended firms implement a combination of technology designed to combat spear-phishing, often the first stage in a BEC attack, and user education to improve awareness of scams.
Neil Larkins, CTO of Egress Software Technologies, added that AI tools can also be used to improve detection.
“By analyzing people’s email behavior, smart technology can now recognize patterns and highlight anomalies,” he said.
“In cases where a phishing email requires an individual to respond, they can be alerted to the fact they haven’t emailed this recipient before or that the recipient’s domain is not trusted — immediately raising red flags for the user in scenarios where cyber-criminals are leveraging established relationships.”
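The warnings Larkins describes (a correspondent the recipient has never emailed, a domain that is not trusted), together with the domain spoofing, executive impersonation and wire-transfer requests described earlier in the article, can be turned into a simple triage rule. The following is an added example written for this page; it is not Barracuda's or Egress's code. The company domain, trusted-domain list, executive directory, correspondence history, keyword lists and the two sample messages are all constructed assumptions, and the weights and hold threshold are illustrative.

```python
"""Heuristic BEC triage over constructed sample messages (added example, not the
vendors' code). Every signal below works whether or not the mail carries a link,
which is the gap the article says link-based filters leave open."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumptions for the example: the protected organisation and its directory.
COMPANY_DOMAIN = "example.com"
TRUSTED_DOMAINS = {"example.com", "partner-bank.example"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address
# Constructed correspondence history: recipient -> addresses they have mailed before.
HISTORY = {"alice@example.com": {"jane.doe@example.com", "bob@example.com"}}

PAYMENT_RE = re.compile(r"\b(wire transfer|wire|payment|invoice|bank details|gift cards?)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|asap|immediately|confidential|before end of day)\b", re.I)
LINK_RE = re.compile(r"https?://", re.I)


@dataclass
class Message:
    sender_name: str
    sender_addr: str
    recipient: str
    subject: str
    body: str
    reply_to: Optional[str] = None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small non-zero value between domains means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str, max_dist: int = 2) -> bool:
    domain, target = domain.lower(), target.lower()
    return domain != target and edit_distance(domain, target) <= max_dist


def triage(msg: Message) -> dict:
    """Return a weighted score, the reasons behind it, and a hold decision."""
    reasons, score = [], 0

    def flag(reason: str, weight: int) -> None:
        nonlocal score
        reasons.append(reason)
        score += weight

    sender = msg.sender_addr.lower()
    sdom = domain_of(sender)

    # Impersonation signals (weight 3): any one of these alone holds the message.
    if is_lookalike(sdom, COMPANY_DOMAIN):
        flag(f"sender domain {sdom!r} is a lookalike of {COMPANY_DOMAIN!r}", 3)
    real_addr = EXECUTIVES.get(msg.sender_name.strip().lower())
    if real_addr and sender != real_addr:
        flag(f"display name {msg.sender_name!r} belongs to {real_addr}, not {sender}", 3)
    if msg.reply_to and domain_of(msg.reply_to) != sdom:
        flag("Reply-To domain differs from From domain", 3)

    # Relationship signals (weight 1): the user-facing warnings the article describes.
    if sender not in HISTORY.get(msg.recipient.lower(), set()):
        flag("recipient has never emailed this address", 1)
    if sdom not in TRUSTED_DOMAINS:
        flag("sender domain is not on the trusted list", 1)

    # Content signals (weight 1): wire-transfer request and pressure language.
    text = f"{msg.subject} {msg.body}"
    if PAYMENT_RE.search(text):
        flag("asks for a payment or banking change", 1)
    if URGENCY_RE.search(text):
        flag("uses urgency or secrecy language", 1)

    return {"score": score, "reasons": reasons,
            "has_link": bool(LINK_RE.search(text)), "hold": score >= 3}


# Constructed sample messages: a linkless CEO-fraud attempt and a benign internal mail.
BEC_SAMPLE = Message("Jane Doe", "jane.doe@examp1e.com", "alice@example.com",
                     "Urgent wire transfer",
                     "Alice, please process a wire transfer to a new vendor before end of "
                     "day. Keep this confidential; I am in meetings and cannot take calls.")
BENIGN_SAMPLE = Message("Bob", "bob@example.com", "alice@example.com",
                        "Lunch", "Free for lunch on Thursday?")

if __name__ == "__main__":
    for sample in (BEC_SAMPLE, BENIGN_SAMPLE):
        result = triage(sample)
        print(sample.subject, "->", "HOLD" if result["hold"] else "deliver", result["reasons"])
```

The fraud sample is held on six reasons without containing a single URL, while the internal message scores zero; in practice the relationship signals would be fed from the mail server's sent-item history rather than a hard-coded dictionary, and the lookalike check should be extended to cover homoglyphs and subdomain tricks that a plain edit distance misses.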