Business Email Compromise (BEC)
What is business email compromise (BEC)?
BEC, also known as CEO impersonation, is defined as “a form of phishing attack where a cybercriminal impersonates an executive and attempts to get an employee, customer, or vendor to transfer funds or sensitive information to the phisher.” The attack tricks the victim into believing that an email came from a trusted individual, typically an organization leader such as the CEO or CFO, asking for money or for confidential employee information.
These are essentially very sophisticated phishing campaigns in which outsiders email their way into a corporate environment and use social engineering to gain access to money. The spoofed emails can be very hard for a layperson to detect. What makes this problem so acute is that many people now use their email as a filing system, leaving much of their important data in mailbox folders and attachments, so the amount of data exposed to an intruder can be significant. The primary focus is monetary gain, so the cases we see typically involve attempts to divert large wire transfers; a worst-case scenario can involve the loss of millions of dollars.
While monetary gain is a key aspect that Cytelligence observed in handling hundreds of such investigations, a new and interesting trend is beginning to emerge. Threat actors are beginning to employ additional tools, techniques and procedures (aka TTPs) to further increase their reach. The two additional techniques deployed are:
- Lateral movement between mailboxes
- Data theft and associated ransom demands
In the first instance, threat actors are observed not only engaging in the typical wire-fraud activity (i.e. “I am the CEO, please wire funds to the following account”) but also trying to convince contacts found in the compromised mailbox to hand over their credentials, so that the attacker gains access to more mailboxes.
In the second instance, which is a newer trend, threat actors use tools that download (or synchronize) the entire mailbox and its data to another system. They then demand a payment in return for deleting the information. There is never any assurance that the threat actors will follow through on their promise; nevertheless, some organizations consider the cost of paying an acceptable one.
BEC is the fastest growing attack and insurance claim source in cyber security right now. Over the past year we’ve seen extraordinary growth in this area with the number of BEC incidents skyrocketing.
The key difference between responding properly and improperly to such events comes down to timing and process. As the number of incidents in which large mailboxes are breached and their contents downloaded grows, being able to disrupt the process early on becomes critical. In addition, having the right logging and alerting, breach response procedures and additional controls such as Multi-Factor Authentication (MFA) can be the difference between an alert and millions in lost revenue and damage to the company brand.
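As an added example (not code from the original page or from Cytelligence), the kind of alerting logic the paragraph above calls for: a small Python detector that runs over constructed mailbox-access audit events and flags an account whose mailbox is being read in bulk from an IP address that had not touched it before, which is the pattern of the mailbox download or synchronization described earlier. The event field names, thresholds and sample values are assumptions, not any vendor's real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (assumed field names, not a real product
# schema). "count" is the number of mail items returned by that access.
SAMPLE_EVENTS = [
    {"ts": "2019-05-02T09:00:00", "user": "cfo@example.com", "ip": "203.0.113.7", "count": 12},
    {"ts": "2019-05-02T09:30:00", "user": "cfo@example.com", "ip": "203.0.113.7", "count": 8},
    {"ts": "2019-05-02T10:00:00", "user": "ap@example.com", "ip": "203.0.113.7", "count": 40},
    {"ts": "2019-05-02T22:10:00", "user": "cfo@example.com", "ip": "198.51.100.9", "count": 3200},
    {"ts": "2019-05-02T22:25:00", "user": "cfo@example.com", "ip": "198.51.100.9", "count": 4100},
]


def find_mass_sync(events, window=timedelta(hours=1), threshold=1000):
    """Return one alert per (user, ip) whose mail-item accesses within
    `window` reach `threshold` items. `new_ip` is True when that ip had
    never accessed the mailbox before the alerting window began, which is
    the combination most worth paging on: bulk read from an unfamiliar source."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    alerts, seen = [], set()
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(evs):
            start = cur["ts"] - window
            # Sliding window: items read from this ip in the last `window`.
            recent = [e for e in evs[: i + 1] if e["ts"] >= start and e["ip"] == cur["ip"]]
            total = sum(e["count"] for e in recent)
            key = (user, cur["ip"])
            if total >= threshold and key not in seen:
                seen.add(key)
                earlier_ips = {e["ip"] for e in evs[:i] if e["ts"] < start}
                alerts.append({"user": user, "ip": cur["ip"], "items": total,
                               "new_ip": cur["ip"] not in earlier_ips})
    return alerts


if __name__ == "__main__":
    for a in find_mass_sync(SAMPLE_EVENTS):
        print(f"ALERT {a['user']} read {a['items']} items from {a['ip']} (new ip: {a['new_ip']})")
```

In practice the baseline of known IPs would come from weeks of history rather than the same day's events, and the alert should trigger an immediate session revocation and password reset, which is the early disruption the paragraph above describes.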
Understand the threat
We’ve seen phishing emails work, and continue to work, because they exploit weaknesses in human psychology and organizational culture, and even in national culture.
Cybercriminals are now smart enough to target the right people in the organization: people with authorization over payments and their executive assistants. And they’re smart enough to try to reach their targets when they’re likely to be on a mobile device. In April 2019, the FBI reported that business losses to BEC scams had doubled in 2018 and that the attacks are becoming more sophisticated. Cybercriminals scored $1.3 billion from US companies alone. Global losses hit $12.5 billion, the FBI reported.
In addition, based on statistics from over 250 investigations conducted in the last 12 months, Cytelligence noted the following:
- Average successful wire fraud amount: USD$266,802
- Largest wire fraud amount: USD$4,800,000
- Percentage of incidents where PII/PHI theft or impact was observed: 52.8%
- Average BEC related ransom demands: USD$35,000 per mailbox
- Average investigation duration: 3 weeks
Because these threats rely on social engineering rather than malware, impostor emails can often evade security solutions that look for only malicious content or behaviour.
Tools used to target and exploit victims
Hackers who engage in BEC use a variety of techniques to target and exploit their victims. They include the following:
Spoofing: using an email address that looks like a legitimate email address and tricks the victim into thinking it came from someone it didn’t.
Spear phishing: using an email to target a specific individual in a company to obtain confidential information to be used in one of the BEC scenarios.
Malware: secretly installing malicious software on the victim’s computer to infiltrate a company’s network and gain access to confidential information to be used in the BEC scam.
Social engineering: using psychological manipulation to get targets to divulge confidential information that will later be used in BEC.
The Cytelligence Advantage
Responding to BEC incidents in an agile fashion is the single most effective tool an organization can have at its disposal. There are several complexities associated with this:
- How to recognize you have been attacked?
- Who to call?
Cytelligence offers a number of differentiating services to assist in managing the risks associated with BEC threats:
- Breach readiness assessment
- Evaluate whether the appropriate controls and capabilities are deployed
- BEC specific incident response retainers