Facing down the BEC threat: Why it’s time for CISOs to get smarter
Andy Baldin, VP EMEA - Ivanti, discusses how to avoid becoming a victim of business email compromise

Andy Baldin, VP EMEA – Ivanti, focuses on how best to defend against business email compromise as malicious actors learn to skirt traditional cybersecurity defences and make their messages increasingly convincing.

Research shows that Business Email Compromise (BEC) is still a critical threat to businesses around the globe. In fact, Verizon’s 2019 Data Breach Investigations Report (DBIR) highlighted that executives are six times more likely to be the target of a social engineering attack than in the previous year, and C-level executives are 12 times more likely to be targeted.

For these types of attacks, cybercriminals use social engineering tactics, often in combination with specific and sensitive information gathered via malware and hacking campaigns, to successfully impersonate a high-level employee or third-party partner.

Also known as CEO fraud, whaling, email spoofing and a host of other monikers, BEC is clearly emerging as a major enterprise cyber-risk. Verizon’s report also found that BEC attacks accounted for 370 of the incidents analysed, 248 of them confirmed breaches, and other industry research states that it cost global organisations nearly US$1.3bn (£1bn) last year.

The bad news is that the fraudsters behind it are continuing to innovate and scale their operations to maximise ROI. A combination of people, process and technology is the best response.

What is BEC?

BEC is in essence a very modern version of an age-old confidence trick. Most commonly, a malicious third party poses as a senior executive, CFO or CEO and tries to trick a member of the finance team into making a large fund transfer to a third-party bank account under their control. On paper these emails should be easy to spot. But the anonymity of the Internet and the reality of day-to-day operations inside many companies allow the scammer to improve their chances of success.

Classic social engineering techniques help to create a sense of urgency, the idea being to push the recipient into carrying out instructions without thinking too hard about the repercussions. There are several variations on this theme: some emails are spoofed not from the C-level but from foreign suppliers with fraudulent invoices that need paying, or from the corporate law firm.

In some cases, executive accounts are hijacked via phishing attacks or credential stuffing and then used to carry out the same scams. This time, however, the malicious intent is even harder to spot because there are no tell-tale signs of spoofing. Sometimes HR or finance staff are targeted directly to harvest employee information that makes future attacks more convincing.

A billion-dollar problem

According to the FBI, BEC losses accounted for nearly half of the US$2.7bn (£2bn) linked to reported cyberattacks in 2018, more than any other cybercrime category, despite the number of victims (20,373) being relatively low. Separate figures claim a 133% increase in BEC incidents, while over half (53%) of respondents to a Lloyds Bank survey last year claimed they’d spotted fraudsters posing as their boss. The lender estimates around 500,000 UK SMEs have been hit, with 7% claiming they’d experienced financial losses and 6% saying they had to make staff redundant as a result.

In fact, BEC is a threat to big-name brands, SMEs and everyone in between. Fraudsters made €19m (£16m) from film company Pathé and €50m (£43m) from Austrian aerospace firm FACC, and both cases resulted not just in monetary loss but in the firing of the firms’ respective CEOs. Most recently, Google (US$99m, £77m) and Facebook (US$23m, £18m) were defrauded of huge sums by a single scammer who recently pleaded guilty in a US court.

Scammers get smart

If tech giants like these, with their digitally savvy employees, can be caught out, then so can the vast majority of businesses. The scammer that targeted Google and Facebook went to great lengths to trick the victim organisations and stay hidden from investigators, opening bank accounts in the name of a supplier company before sending fake invoices demanding payment. He is even said to have forged their corporate stamps on fake contracts and letters to deceive the banks the funds were wired to.

In another sign of the growing professionalisation of BEC campaigns, one firm last year revealed the existence of a new organised crime group which used commercial lead generation services to identify 50,000 executives to target, 71% of whom were CFOs. The sophisticated ‘London Blue’ operation is an international outfit in which each member has a specific role, from lead generation to customising emails, receiving and laundering funds, and recruiting money mules. Most recently, a new target list of 8,500 execs in Asia and the US was uncovered.

It’s not just email channels that IT security teams need to monitor. In another relatively new tactic, scammers try to move the victim onto mobile platforms as soon as possible. The instantaneous communication of SMS or IM makes it harder for the victim to stop and think about what’s happening to them. This is a particularly useful method for gift card scams, in which the victim is tricked into buying a set of gift cards on behalf of the ‘CEO’ or similar. After purchasing, they’re told to scratch off the backs to reveal the redemption codes, take a photo and send it immediately. These codes are then monetised online.

Tackling the threat

There’s no single silver bullet solution to the growing threat of BEC to corporate reputation and the bottom line. However, by focusing on cybersecurity best practices combining technology controls and user awareness, organisations have a great chance of mitigating risk to acceptable levels.

Employee training is obviously key: programmes should be centred around real-life simulations run in short 15-minute lessons to maximise impact. It’s crucial to include not just regular employees but suppliers, partners, temps and part-timers, as well as executives. It’s also important to analyse the results and feed back to individuals on where they’re failing, creating awareness of what’s happening and where they need to improve.

Enhance these programmes with technology controls and improved business processes. For example, any payment request should require sign-off by at least two people in the organisation. On the technology side it gets trickier, as there’s no malware attachment or malicious link to scan for in a BEC email. Instead, you need email security tools that scan for spoofed domains as well as tell-tale keywords in the message body and in the From/Reply-To headers.
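As an added illustration of the header and keyword checks described above (example code written for this article, not an Ivanti product or anything from the original text), the filter below scores a raw message on four BEC indicators: a lookalike sender domain, a Reply-To that diverts replies elsewhere, an executive title in the display name on an external address, and pressure wording. The organisation domain, the keyword list and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organisation's own domain
# Assumption: pressure/payment phrases this filter treats as tell-tale.
KEYWORDS = ("urgent", "wire transfer", "immediately", "confidential", "gift card")

def _domain(header):
    """Lower-cased domain of an address header ('' when the header is absent)."""
    _, addr = parseaddr(header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _edit_distance(a, b):
    """Levenshtein distance; a small value flags lookalikes such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_message(raw):
    """Return (score, reasons) for a raw RFC 5322 message; higher is more BEC-like."""
    msg = message_from_string(raw)
    reasons = []
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if from_dom and from_dom != ORG_DOMAIN and _edit_distance(from_dom, ORG_DOMAIN) <= 2:
        reasons.append(f"lookalike sender domain {from_dom}")  # near-miss of our domain
    if reply_dom and reply_dom != from_dom:  # replies silently diverted elsewhere
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    name, _ = parseaddr(msg["From"] or "")
    if from_dom != ORG_DOMAIN and re.search(r"\b(ceo|cfo|chief)\b", name, re.I):
        reasons.append("executive title in display name on an external address")
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = [k for k in KEYWORDS if k in f"{msg['Subject'] or ''} {body}".lower()]
    if hits:  # pressure language in subject or body
        reasons.append("urgency/payment keywords: " + ", ".join(hits))
    return len(reasons), reasons

# Constructed sample (not real mail) that trips all four indicators at once.
SUSPICIOUS = """\
From: "Jane Doe, CEO" <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-examp1e.net
To: accounts@example.com
Subject: Urgent wire transfer

Please process this wire transfer immediately and keep it confidential.
"""
```

A real gateway would combine these signals with SPF/DKIM/DMARC results and a whitelist of known supplier domains; the scoring here is deliberately simple so each indicator is visible.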

There are further best practice security controls you can put in place to prevent accounts from being hijacked and used to send BEC emails. These include multi-factor authentication (MFA), privileged account management (PAM) and advanced anti-phishing controls.

BEC is ultimately just one of a large number of diverse threats facing modern organisations. As such, these controls should be considered as part of a wider defence-in-depth approach covering a range of best practice steps, from application control to automated patch and asset management. The endpoint is the new frontline in the battle against cybercriminals, so it is here that efforts should be focused in the first instance.


Intelligent CIO Europe