Image: Vladimir Obradovic, Getty Images/iStockphoto

Cybercriminals like to use email to launch malicious campaigns as it’s the most direct method of reaching a potential victim. Phishing emails that spoof a well-known company or brand are a common type of attack. One less common but potentially more dangerous attack type is the Business Email Compromise (BEC). By impersonating a specific individual within an organization or a trusted external contact, a successful BEC attack can lead to huge financial losses for the injured party. A report released Wednesday by security provider Abnormal Security highlights some of the latest BEC campaigns.

SEE: Cybersecurity: Let’s get tactical (free PDF)

For its “Abnormal Quarterly BEC Report Q1 2020 report,” Abnormal Security found that BEC attacks have become more sophisticated. Attackers are taking time to plan their campaigns and have been moving their focus slightly away from impersonating C-suite executives toward spoofing employees working in finance and those who work as external vendors. BEC attacks that impersonate executives dropped 37% from the last quarter of 2019 to the first quarter of 2020 at the same time that attacks using financial employees rose by 87%.

Cybercriminals have also shifted somewhat the scope of their targets from individuals to groups. BEC campaigns directed against more than 10 individuals rose by 27% over the last quarter. Though this type of attack seems more generalized and therefore potentially less successful, hitting a larger group increases the odds that at least one person will fall for the scam.

As BEC attacks directed toward a single person decreased in the first quarter, campaigns using paycheck fraud also dropped as these are typically targeted at individuals. On the flip side, attacks using invoice fraud soared, with attackers impersonating vendors, suppliers, or customers.

In one real-world example, an attacker masquerading as the billing department of a vendor asked for an update to payment information. During a lengthy email exchange, the attacker convinced the target’s Accounts Payable team to change bank routing information from the valid bank to the bank used by the criminal.

Though BEC represents a small portion of all email attacks, it can cause the greatest financial damage; in 2019, BEC accounted for more than half of all cybercrime-related losses, according to the FBI.

“It’s interesting to note the cybercriminals are always going after the money,” James McQuiggan, security awareness advocate at KnowBe4, told TechRepublic. “Reducing their attacks against the C-suite demonstrates they see who is controlling the purse strings for an organization. By setting themselves up in the email servers and monitoring email traffic, the cybercriminals can see the communications back and forth regarding decision making for the finances and then target the comptroller or their team to get them to redirect funds.”

“With third-party organizations and supply chains, it’s crucial to handle all financial transactions securely,” McQuiggan added. “However, the cybercriminals are monitoring the emails and can see when the invoices are submitted. That’s their opportunity to socially engineer the finance team to change the account information and bypass any checks to get the money sent to their account instead of the proper organization. This action becomes a massive loss for the victim organization because they still need to pay the invoice to the third party, and most of the time are unable to recover the lost funds.”

To better defend your organization against Business Email Compromise, Ken Liao, vice president of cybersecurity strategy for Abnormal Security, offers the following tips:

  • To protect against BEC attacks, it’s important to be extra careful with familiar sender names (e.g., executives or fellow employees) that originate from Gmail or other well-known general domains.
  • You must also watch for out-of-domain impersonation techniques such as 1) swapping ‘i’ and ‘l’, 2) adding an ‘s’ to the end of a known domain (which will still look legitimate), 3) adding ‘int’ or ‘inc’ to the end of a known domain (which will still look legitimate).
  • Finally, don’t let your guard down if you receive an email with an ask that seems low risk and low consequence. Slow and measured engagement by an attacker is a common technique and can often be the early stage of an attack.