The Evolving Tactics of BEC Attacks
When emails asking recipients to execute a wire transfer started landing in inboxes in 2015, little did the information security community know how large a threat this attack type would become. The tactic involves no links or attachments, just an email request to start a conversation, sent while impersonating an executive of the organization.
The FBI soon coined the term Business Email Compromise, or BEC. In some regions, this is also known as CEO fraud. As a security awareness professional, I feel strongly that this threat isn't a security problem; it's a business process problem.
In the early days of BEC, researchers banded together within the financial sector to go after this threat. Collectively, they were able to engage with the threat actors and tease out loads of the bank accounts they were using to move their funds. Researchers then worked with their internal teams to seize these accounts. Why? Process. They had a process and fraud controls to lean on to make an impact, and in many cases to stop the funds from leaving the victim's account.
But just as we see in any other type of crime, threat actors learned to pivot. Once they hit the speed bump of the financial system's fraud controls, it was time to shift.
One example of how criminals shifted was driven by the growing popularity of bitcoin: the initial attack email started asking recipients to send funds to a cryptocurrency wallet instead. That didn't last long either, as secure email gateways (SEGs) added the capability to look for keywords and spoofed email addresses.
To avoid detection, and to avoid alerting the recipient, criminals again shifted their approach and now present the initial attack email as little more than a conversation starter with a simple ask: "Do you have a minute?" or "I'm in a meeting and need a quick favor." Within a few short interactions, sometimes after moving the conversation to text messages, the threat actor makes the move and asks for an action. This tactic is alive and well today, and the action is often a request for gift cards.
While gift cards are commonly used to pad the wallets of threat actors, these criminals have also learned how various processes within an organization work, and they use that knowledge to get at larger sums. Examples include requesting that a direct deposit account be updated, or asking for an Accounts Receivable register that lets them impersonate payees and intercept the funds.
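The evolution described above, from wallet and wire keywords to bland conversation starters, is why a gateway that only matches keywords falls behind. The following is an added example, not code from the article or from Cofense, of a small defender-side scorer that combines the signals the article mentions: an executive's display name on an address the executive does not use, a Reply-To that steers replies elsewhere, conversation-starter phrasing, payment asks (wire, gift cards, crypto wallet, direct deposit, AR register), urgency, and a pivot to text messaging. The executive roster, the domains, the phrase lists, the weights and the three sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed executive roster: display name (lower-case) -> the only address
# that name should legitimately send from. A real deployment would pull this
# from the directory service.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Indicator families drawn from the lure patterns the article describes.
# Each family scores once per message, however many of its phrases match.
INDICATORS = {
    "conversation starter": (1, [r"do you have a minute", r"need a quick favou?r",
                                 r"are you available", r"in a meeting"]),
    "payment ask": (2, [r"wire transfer", r"gift cards?", r"bitcoin",
                        r"crypto(currency)? wallet", r"direct deposit",
                        r"accounts receivable"]),
    "urgency": (1, [r"\burgent\b", r"\basap\b", r"right away",
                    r"before (end of day|eod)"]),
    "out-of-band pivot": (1, [r"text me", r"\b(cell|mobile)\b", r"whatsapp"]),
}
FLAG_THRESHOLD = 3  # constructed cut-off; tune against your own mail flow


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> dict:
    """Score one RFC 822 message; returns {'score', 'findings', 'flag'}."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    score, findings = 0, []

    # Display-name impersonation: an executive's name on any other address.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        score += 3
        findings.append("executive display name on unexpected address")
    # Reply-To pointing replies at a domain other than the visible sender's.
    if reply_to and _domain(reply_to) != _domain(addr):
        score += 2
        findings.append("reply-to domain differs from sender domain")
    for label, (weight, patterns) in INDICATORS.items():
        if any(re.search(p, text) for p in patterns):
            score += weight
            findings.append(label)
    return {"score": score, "findings": findings, "flag": score >= FLAG_THRESHOLD}


# Constructed samples: the two-step lure, then a legitimate internal note that
# happens to use the same opening phrase.
LURE_OPENER = "\n".join([
    "From: Jane Doe <jdoe.ceo@mail.example.net>",
    "Reply-To: jdoe.ceo@another.example.org",
    "To: alex@example.com",
    "Subject: Quick question",
    "",
    "Hi Alex, do you have a minute? I am in a meeting and cannot take calls.",
])
LURE_FOLLOWUP = "\n".join([
    "From: Jane Doe <jdoe.ceo@mail.example.net>",
    "To: alex@example.com",
    "Subject: Re: Quick question",
    "",
    "I need you to buy five gift cards for a client today, this is urgent.",
    "Text me on my cell once you have the codes.",
])
LEGITIMATE = "\n".join([
    "From: Jane Doe <jane.doe@example.com>",
    "To: alex@example.com",
    "Subject: Q3 deck",
    "",
    "Do you have a minute this afternoon to review the Q3 deck before the board call?",
])

if __name__ == "__main__":
    for label, sample in [("opener", LURE_OPENER), ("follow-up", LURE_FOLLOWUP),
                          ("legitimate", LEGITIMATE)]:
        print(label, score_message(sample))
```

The opener carries no payment language at all, so a keyword-only rule misses it; it is the sender-identity checks (display name versus address, Reply-To domain) that push it over the threshold, while the legitimate note with the identical opening phrase stays below it.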
Each year the FBI's Internet Crime Complaint Center (IC3) publishes reported BEC losses, and each year this number continues to explode: $43 billion in losses reported for 2021, a drastic increase from $1.8 billion in 2020. So, if threat actors are constantly evolving their tactics, how can organizations protect against this threat?
Start with the teams that handle financial transactions, or that sit anywhere in the money workflow within your company. Ensure they have processes in place that define how bank account details are changed, who is allowed to receive financial reports, and how a request to send funds is validated.
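The controls described above are a process, but a process can be encoded so that it cannot be skipped. The following is an added example, not code from the article or from Cofense, showing a vendor bank-account change that is only applied after two checks: an out-of-band callback to the phone number already on file in the vendor master (never to a number supplied in the request itself, since that number belongs to whoever wrote the email), and approval by someone other than the person who entered the request. The vendor record, employee names, phone numbers and account identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional


class ControlViolation(Exception):
    """Raised when an account change is applied without passing every control."""


@dataclass(frozen=True)
class VendorRecord:
    """Master data the organisation already holds; the trusted side of the check."""
    vendor_id: str
    phone_on_file: str   # established contact number, independent of any request
    bank_account: str


@dataclass
class AccountChangeRequest:
    """What arrives by email, portal or phone; treated as untrusted input."""
    vendor_id: str
    new_bank_account: str
    requested_by: str            # employee who entered the request
    source: str                  # "email", "portal", "phone"
    contact_in_request: str      # number the request asks us to call (untrusted)
    callback_to: Optional[str] = None
    callback_by: Optional[str] = None
    approver: Optional[str] = None


def check_controls(req: AccountChangeRequest, master: VendorRecord) -> List[str]:
    """Return the list of control violations; an empty list means the change may proceed."""
    violations = []
    if req.vendor_id != master.vendor_id:
        violations.append("request does not match the vendor record")
    if req.callback_to is None:
        violations.append("no out-of-band callback recorded")
    elif req.callback_to != master.phone_on_file:
        # The classic failure: calling the number the attacker put in the email.
        violations.append("callback went to a number supplied in the request, not the number on file")
    if req.approver is None or req.approver == req.requested_by:
        violations.append("dual control: approver must differ from requester")
    return violations


def apply_change(req: AccountChangeRequest, master: VendorRecord) -> VendorRecord:
    """Produce the updated vendor record, or refuse with the first violation."""
    violations = check_controls(req, master)
    if violations:
        raise ControlViolation("; ".join(violations))
    return VendorRecord(master.vendor_id, master.phone_on_file, req.new_bank_account)


if __name__ == "__main__":
    master = VendorRecord("V-100", "+1-555-0100", "ACCT-OLD")
    # Constructed scenario: an email asks to update banking details and helpfully
    # supplies a "new" phone number to confirm on.
    req = AccountChangeRequest("V-100", "ACCT-NEW", requested_by="pat",
                               source="email", contact_in_request="+1-555-0199")
    print(check_controls(req, master))
    req.callback_to, req.callback_by = master.phone_on_file, "pat"
    req.approver = "sam"
    print(apply_change(req, master))
```

The point of keeping `phone_on_file` inside the master record and `contact_in_request` inside the request is that the code makes it structurally obvious which number is trusted; a reviewer reading the callback check can see at a glance that the request's own contact details never enter the comparison.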
To cut losses from gift card scams, ask your CEO and senior leadership team to tell your users directly: "I will never ask you via email or text to send me gift cards." Record a video of them delivering this message. And don't forget your new hires: show them the recording during onboarding, because they may be targeted precisely when they are eager to impress the boss.
When the right business processes are in place, BEC tactics will be far less successful.
Having joined the company in 2018, Tonia Dudley is VP, CISO, at Cofense, where she leverages more than 15 years of cybersecurity experience to provide organizations with up-to-date information on the various threats and security vulnerabilities that they may face related to their email security. Dudley also represents Cofense on the Board of Directors for the National Cyber Security Alliance, where she works closely with organizations to promote information security best practices and education around the world.
© Tonia Dudley, VP, CISO at Cofense Inc.