The Business Email Compromise (BEC) is a popular type of attack among cybercriminals as it targets businesses and individuals in an attempt to receive money transferred into fraudulent accounts. Typically, a BEC attack impersonates a trusted or familiar individual such as a senior employee, a contractor, or a partner to trick the victim into buying gift cards, diverting tax returns, or even transferring expensive items to the criminals behind the attack. A blog post published Tuesday by cyber threat intelligence provider Check Point Research reveals the latest trends in BEC attacks and offers advice on how organizations can combat them.
Annual losses from BEC campaigns hit $1.7 billion in 2019, according to the FBI’s 2019 Internet Crime Report. These types of attacks accounted for half of all cybercrime losses in the US last year, which made BEC the top cyberthreat for inflicting financial damage. BEC was also the leading reason for businesses filling cybercrime insurance claims in 2018, according to insurer AIG.
In the past, BEC campaigns usually spoofed the email accounts of CEOs and other high-ranking executives to ask employees to transfer funds to accounts held by the criminals. Over time, these attacks expanded to target customers, HR departments, suppliers, accountants, law firms, and even tax authorities. The goal is the same, but now attackers try to trick recipients into purchasing gift cards, diverting tax returns, and even transferring millions of dollars of hardware and other equipment into their ready hands.
SEE: Cybersecurity: Let’s get tactical (free PDF)
Like traditional phishing campaigns, BEC attacks often take advantage of topics in the news or those of interest to people. And these days, one of the main topics is naturally the coronavirus. COVID-19 related cyberattacks jumped by 30% during the first two weeks of May, many of which involved email scams. In several such incidents, government agencies and medical facilities looking to purchase equipment unknowingly transferred money to cybercriminals, eventually discovering that the equipment didn’t exist and that their money was gone.
Gift cards have become a common way for cybercriminals to grab money as they don’t require bank accounts or direct fund transfers. These cards can easily be sold online for around 70% of their initial value. Gift card scams are particularly popular around the holiday seasons, with criminals using cards for such retailers as Google Play, eBay, Target, and Walmart.
BEC campaigns typically use three different methods for impersonating legitimate accounts, according to Check Point.
- In one method, the attackers spoof the source’s email address, easily doable as the SMTP protocol offers no effective way to validate a sender. Criminals use dedicated or public SMTP servers to deploy emails with a spoofed address.
- In another method, the attackers use phishing, credential theft, or other means to gain control of the email accounts of the people they want to impersonate. They can then send emails from the actual account to lend legitimacy to the request for funds.
- In a third method, the attackers register and send email from a domain name similar to that of the actual domain they intend to spoof. For example, the registered domain may be xyz.co in contrast to the legitimate name of xyz.com.
In one example from 2019, a US defense contractor was tricked into sending items for a fake order worth over $10 million, including $3.2 million in sensitive communications interception equipment. The attacker used a phony purchase order with a fake Yahoo email address ending in “navy-mil.us.” The equipment was actually shipped and received, which fortunately led to the identity and arrest of the person behind the scam. But the attacker had the savvy to know which type of email account to set up, which officials to contact, how to design and write the purchase order, and which equipment to specify.
In another example, the attackers infiltrated and monitored the Microsoft 365 accounts of three financial firms. After creating lookalike domains for these firms and for their partners, accounts, and banks, the criminals diverted certain emails to these phony domains. Using this type of “man-in-the-middle” scheme, the groups behind the campaign managed to request and receive money transfers worth more than $1.3 million.
To help your organization and employees fight back against BEC attacks, Check Point offers the following tips:
- Protect your email traffic with at least one layer of an advanced email security solution from a known vendor. Niche players and open-source solutions might cause more harm than good.
- Protect mobile and endpoint browsing with advanced cyber security solutions, which prevent browsing to phishing web sites, whether known or unknown.
- Use two-factor authentication to verify any change to account information or wire instructions.
- Continuously educate your end users. Whenever irreversible actions such as money transfers are conducted, details of the transaction must be verified through additional methods such as voice communication and must not exclusively rely on information from email correspondence.
- Check the full email address on any message and be alert to hyperlinks that may contain misspellings of the actual domain name.
- Do not supply login credentials or personal information in response to a text or email.
- Regularly monitor financial accounts.
- Make sure you are using an email security solution that blocks sophisticated phishing attacks like BEC to prevent them from reaching employee mailboxes in the first place.