By Andrew Milne, Field Effect
Business email compromise (BEC) is a low-cost, effective cybercrime tactic whose use has increased in the past few years. BEC puts any company that manages financial transfers and payments at risk.
Consider this: recent research shows that, on average, more than 6,000 organizations were targeted by BEC emails each month from July 2018 to June 2019. Businesses also received an average of five BEC scams per month during this period.
In fact, one study found that cyber insurance claims from BEC attacks were higher than those from ransomware incidents (23% vs. 18% of incidents in 2018). Additionally, the 2018 FBI Internet Crime Report recorded 20,373 complaints related to BEC.
Let’s look at why these types of inexpensive, low-effort attacks are on the rise and how your business can stay protected.
What is business email compromise?
Business email compromise is a social engineering scam, typically targeting a company’s financial and procurement departments, that attempts to initiate a financial transfer to an attacker-controlled account.
Tricks to obtain account credentials and facilitate this type of transfer include:
Invoice payment requests
- Attackers may use a legitimate or falsified invoice from one of your vendors or suppliers to request a payment to an account they control.
- Attackers may pose as your CEO (or another high-ranking executive) in order to request a payment to an account they control.
These types of tricks or lures are designed for credential harvesting: attempts to grab user IDs and passwords using a range of social engineering techniques. Spear phishing is often used in credential harvesting to gain access: emails sent specifically to an individual at a business or organization to trick the recipient into sharing sensitive information or taking an action through links to malicious websites or attachments.
Tactics to produce transfers and payments
Once an attacker has established access, they will often search the account(s) for emails or data that could be repurposed to solicit a payment. The legitimate account(s) are then used to correspond with internal or external contacts in order to initiate a payment.
Here are a few tactics frequently used:
Inbox forwarding rules
- Attackers create rules that forward all (or selected) emails to an attacker-controlled account. Even if the password for the compromised account is changed, the attacker retains access to the email content. For example, an attacker might create a rule to forward all emails with the subject “invoice” or with a specific sender address (e.g. the email address of a client of the compromised company). Attackers may also create rules to hide correspondence between the account and other victims (both internal and external).
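The rules described above leave a footprint a defender can review. The following script is an added example (not Field Effect's code): it triages a list of inbox rules and flags the patterns used in BEC: forwarding outside the organization, matching on financial subject keywords such as “invoice”, and hiding or auto-reading mail from specific senders. The rule structure, the `example.com` domain, and the sample rules are constructed for this example; in practice the input would come from each mailbox's rule export or from rule-creation audit events.

```python
"""Flag inbox rules of the kind used in business email compromise.

Added example, not Field Effect's code. The rule fields and the sample
data below are constructed and simplified for illustration.
"""
from dataclasses import dataclass, field

ORG_DOMAIN = "example.com"  # assumed: the defended organisation's own mail domain

# Subject keywords BEC actors commonly key rules on ("invoice" is the article's example).
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "wire", "remittance", "bank", "account"}
# Folders where redirected mail goes unnoticed by the mailbox owner.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}


@dataclass
class InboxRule:
    """Simplified view of one rule; the field names are this example's own."""
    mailbox: str
    name: str
    forward_to: list[str] = field(default_factory=list)
    subject_contains: list[str] = field(default_factory=list)
    from_contains: list[str] = field(default_factory=list)
    move_to_folder: str = ""
    delete_message: bool = False
    mark_as_read: bool = False


def is_external(address: str) -> bool:
    """True when the address is not in the organisation's own domain."""
    return not address.lower().endswith("@" + ORG_DOMAIN)


def assess_rule(rule: InboxRule) -> list[str]:
    """Return human-readable findings; an empty list means the rule looks benign."""
    findings = []
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        findings.append("forwards mail outside the organisation: " + ", ".join(external))
    keywords = [s for s in rule.subject_contains if s.lower() in SUSPICIOUS_KEYWORDS]
    if keywords:
        findings.append("matches on financial subject keyword(s): " + ", ".join(keywords))
    hides = rule.delete_message or rule.move_to_folder.lower() in HIDING_FOLDERS
    if hides and rule.from_contains:
        findings.append("hides correspondence from specific sender(s): "
                        + ", ".join(rule.from_contains))
    elif hides and (external or keywords):
        findings.append("hides the mail it forwards or matches")
    if rule.mark_as_read and (external or hides):
        findings.append("marks affected mail as read so the owner is less likely to notice")
    if len(rule.name.strip()) <= 1:  # rules named "." or "" avoid drawing attention
        findings.append(f"non-descriptive rule name {rule.name!r}")
    return findings


def triage(rules: list[InboxRule]) -> dict[str, dict[str, list[str]]]:
    """Group findings by mailbox and rule name, dropping rules with no findings."""
    report: dict[str, dict[str, list[str]]] = {}
    for rule in rules:
        findings = assess_rule(rule)
        if findings:
            report.setdefault(rule.mailbox, {})[rule.name] = findings
    return report


# Constructed sample rules: one benign, one forwarding rule, one hiding rule.
SAMPLE_RULES = [
    InboxRule("alice@example.com", "Sort newsletters",
              from_contains=["news@"], move_to_folder="Newsletters"),
    InboxRule("bob@example.com", ".",
              forward_to=["bob.backup@mail-example.net"],
              subject_contains=["invoice"], mark_as_read=True),
    InboxRule("carol@example.com", "cleanup",
              from_contains=["ap@client-example.org"],
              move_to_folder="RSS Feeds", mark_as_read=True),
]

if __name__ == "__main__":
    for mailbox, rules in triage(SAMPLE_RULES).items():
        for name, findings in rules.items():
            print(f"{mailbox} rule {name!r}:")
            for finding in findings:
                print("   -", finding)
```

The rule on `carol@example.com` is the quieter of the two: nothing leaves the organization, but every message from one client is moved where she will not see it, which is exactly what an attacker needs while conducting a payment conversation from her account. Reviewing rules across all mailboxes, not only the one known to be compromised, also surfaces the lateral movement discussed later in the article.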
Typo-squatting
- Typo-squatting is the process of creating a domain that appears similar to the domain of a legitimate service or company (e.g. com). In spear phishing, attackers will often use these domains in conjunction with credential harvesting interfaces: fraudulent login pages used to collect credentials from unsuspecting users. With financial redirection attacks, attackers may use these domains to continue correspondence when access to a compromised account has been lost.
- Our Field Effect team analyzed one typo-squatting case in which, once the password on a victim account had been changed, the attacker registered a domain similar to the targeted company's and then continued to solicit false payments from the targeted company's client.
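A mail gateway or SOC can catch the continuation described above by comparing every inbound sender domain against the organization's own domain and those of its known clients. The script below is an added example (not Field Effect's code): it folds common homoglyph substitutions (`rn` for `m`, `1` for `l`, non-Latin letters), checks for the trusted name embedded in a longer domain, and falls back to edit distance. The trusted domains and sample senders are constructed placeholders.

```python
"""Detect look-alike (typo-squatted) sender domains.

Added example, not Field Effect's code. Domains and sample senders are
constructed; a real deployment would load the trusted list from the
address book of the finance and procurement teams.
"""
import unicodedata

ORG_DOMAIN = "example.com"  # assumed: the defended organisation's own domain
# Assumed: domains of the clients and suppliers that exchange invoices with us.
TRUSTED_DOMAINS = [ORG_DOMAIN, "client-example.org"]

# Single characters attackers swap in because they render almost identically.
SINGLE_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Character pairs that imitate one letter at typical font sizes.
PAIR_GLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalise(domain: str) -> str:
    """Fold accents, digit/letter homoglyphs and non-ASCII script so look-alikes compare equal."""
    d = unicodedata.normalize("NFKD", domain.lower())
    # Drop combining accents; replace any remaining non-ASCII letter (e.g. Cyrillic)
    # with "?" so each counts as exactly one substitution in the distance check.
    d = "".join(c if c.isascii() else "?" for c in d if not unicodedata.combining(c))
    d = d.translate(SINGLE_GLYPHS)
    for pair, letter in PAIR_GLYPHS:
        d = d.replace(pair, letter)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (trusted_domain, reason) if `domain` imitates a trusted one, else None."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return None  # exact match: the real domain, not an imitation
    norm = normalise(domain)
    for t in trusted:
        if norm == normalise(t):
            return (t, "homoglyph")
    for t in trusted:
        distance = levenshtein(norm, normalise(t))
        if distance <= max_distance:
            return (t, f"edit distance {distance}")
    for t in trusted:
        if t in domain:  # e.g. example.com.mail-relay.net
            return (t, "trusted name embedded")
    return None


def scan_senders(addresses: list[str]) -> list[tuple[str, str, str]]:
    """Return (address, imitated domain, reason) for every sender that looks suspicious."""
    hits = []
    for addr in addresses:
        match = classify_domain(addr.rpartition("@")[2])
        if match:
            hits.append((addr, match[0], match[1]))
    return hits


# Constructed sample: two legitimate senders and three look-alikes.
SAMPLE_SENDERS = [
    "ap@client-example.org",
    "ap@client-exarnple.org",          # "rn" imitates "m"
    "cfo@examp1e.com",                 # digit 1 imitates l
    "ceo@example.com.mail-relay.net",  # our name as a subdomain of someone else's
    "news@unrelated-vendor.net",
]

if __name__ == "__main__":
    for addr, imitated, reason in scan_senders(SAMPLE_SENDERS):
        print(f"{addr}: resembles {imitated} ({reason})")
```

The edit-distance fallback is what catches a domain registered after the attacker loses the account (a dropped or swapped letter rather than a homoglyph). Keep `max_distance` small and apply the check only to domains that are actually in the trusted list: with very short domain names, a distance of 2 will match unrelated legitimate senders, so treat a hit as a reason to verify the payment request out of band, not as proof of fraud.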
Lateral movement
- Lateral movement refers to the techniques attackers use to move between corporate assets during a compromise (e.g. workstations, accounts, etc.). In a BEC attack, an attacker will often use access to a legitimate account to compromise other accounts in the organization or move on to other clients.
- In several cases of lateral movement, our Field Effect analysis showed that an attacker would send spear phishing emails to colleagues and clients of a compromised employee to gain access to a department or individual (e.g. an employee in payroll or a procurement officer) or to an entirely new target (e.g. a partner organization of the originally compromised employee). Attackers may also distribute malware to other victims on the network (if not already used in the initial exploitation).