How To Defend Against the Rise of BEC Attacks


In 2023, the FBI’s Internet Crime Complaint Center (IC3) received 21,489 BEC complaints with adjusted losses over $2.9 billion USD, according to their 2023 Internet Crime Report. By way of comparison, ransomware, the cyber attack that grabs all the headlines and keeps IT and security teams up at night, accounted for only 2,825 complaints, with adjusted losses of less than $60 million USD.

If those numbers seem shocking, they’re part of a growing upward trend of BEC attacks that shows no sign of slowing down. According to a recent survey of 1,000 global IT and security leaders conducted by Arctic Wolf®, 70% of organisations reported being targeted by BEC attacks in the past 12 months. Of those, only 30% were able to thwart the attack.

It’s clear that BEC is quickly becoming a top tactic for threat actors, and they have become increasingly adept at not only spoofing email addresses but taking over accounts altogether once they are compromised — all with the goal of tricking users and stealing funds.

While BEC attacks traditionally target financial institutions and users who have access to the purse strings — think a CEO suddenly emailing the CFO about a wire transfer or a salesperson requiring the urgent purchase of gift cards — threat actors are branching out, utilising the latest tools and technology available to them to strike manufacturers, schools, and more.

Artificial Intelligence (AI), for example, is helping threat actors eliminate one of the most reliable indicators of a BEC attack: templated emails filled with spelling and grammatical errors. AI can quickly generate customised, error-free email communications that stand a much better chance of slipping past security safeguards and fooling your employees.

The fact is, BEC attacks are taking over the cybercrime landscape. To be proactively prepared to defend against them, you’ll need to arm yourself with the latest information and insights into BEC tactics and trends.

What Is a BEC Attack?

A BEC attack occurs when a threat actor gains access to a business email account, and then uses that access to create a scam that results in financial gain. BEC attacks most often target internal employees (often those in the C-suite) who have access to financial accounts.

While financial gain is often the main goal of a BEC attack, the attack also creates valuable access for the cybercriminal to gain intel about an organisation’s environment and potentially launch another attack or go after a third-party organisation connected to the original target.

While BEC comes in many forms, some of which overlap, six major types make up the vast majority of incidents.

1. CEO/Executive Fraud
Attackers will position themselves as the CEO or an executive of a company. In this kind of attack, threat actors will typically email an individual within the finance department, requesting that funds be transferred to an account controlled by the attacker, or email another employee requesting the urgent purchase of gift cards.

2. Account Compromise
This occurs when an employee’s email account is hacked and is used to request payments to vendors. This type of BEC attack remains popular for the financial gains it can provide threat actors. In one recent case, the Homeland Security Investigations (HSI) Baltimore, U.S. Department of State’s Diplomatic Security Service in Washington, D.C., and Baltimore Police Department were able to arrest and convict a cybercriminal who had stolen over $1.5 million USD through a series of BEC scams.

3. False-Invoice Scheme
In this instance, attackers will pose as a company supplier and request fund transfers to fraudulent accounts. Some cybercriminals invert the attack, posing instead as a company submitting or requesting a bid. For example, in March, Bleeping Computer reported that threat actors were using BEC attacks to pose as government entities like the U.S. Department of Transportation, the U.S. Department of Agriculture (USDA), and the U.S. Small Business Administration (SBA), inviting targets to click a link to begin the bidding process. The PDF attachments include QR codes which lead to spoofed, official-looking phishing websites.

4. Attorney Impersonation
In this attack, a cybercriminal will impersonate a lawyer or legal representative. Lower-level employees are commonly targeted through these types of BEC attacks. In one recent example, a Paris real estate developer was targeted by threat actors impersonating lawyers of an established French accounting firm, requesting the urgent, immediate transfer of a large sum of money. Over a matter of days, they were able to steal nearly €38 million.

5. Data Theft
These attacks target HR employees to obtain personal or sensitive information about individuals within the company, such as CEOs and executives. This data can then be leveraged for future attacks such as phishing, fraud, or ransomware.

6. Product Theft
A relatively new twist — highlighted by the FBI in March 2023 — in which an attacker imitating a customer tricks an organisation into selling (and shipping) a large quantity of product on credit.

Business Email Compromise vs. Phishing

The attack types above may sound like phishing, but there is a key difference between phishing and BEC attacks. In a BEC attack, the email address used is legitimate. In phishing attacks, the email account belongs to the threat actor or is fraudulent.

However, both kinds of attacks do fall under the umbrella of social engineering, and it’s not uncommon for BEC attacks to use common phishing tactics (such as sounding urgent or using known information about the victim) to steal credentials and gain access to the legitimate business email account.

BEC Attack Lifecycle

A BEC attack has four broad phases, similar to other kinds of cyber attacks: Preparation, execution, deception, and action.

Preparation
A threat actor uses credential theft, credential harvesting, social engineering, or another tactic such as a vulnerability exploit or bypassing multi-factor authentication (MFA) to steal valid credentials for a business email account.

Execution
A threat actor gains access to an organisation’s email server or a specific user’s email account using these harvested credentials.

Deception
The scam is launched, with the threat actor utilising the accessed email account as the primary vector.

Action
The threat actor, posing as the user, requests a transfer of funds, creates a fraudulent invoice, or asks for financial information or access to a financial account.

See a timeline of a BEC attack and how Arctic Wolf defences were able to stop it in its tracks.

Why Organisations Are Susceptible to BEC Attacks

There are multiple reasons why a threat actor may choose to target a specific organisation, including but not limited to their industry, their financial state, previously harvested credentials or known access, their relationship to other organisations, or known cybersecurity flaws within the organisation.

One of the reasons manufacturing is seeing a spike in BEC attacks is a combination of the above. These organisations often have varying degrees of cybersecurity, are more frequent targets of cybercriminals in general, and are often part of a supply chain. But a major reason cybercriminals may choose BEC as their attack vector is because the effort is low, and the payoff is high.

In addition, BEC attacks can be difficult for organisations to detect. There’s no ransom note splayed across a desktop screen, systems haven’t been locked out, operations haven’t been disrupted and, depending on the scale, the attack happens very fast. Plus, the email account is legitimate.

Other reasons BEC attacks find success include:

  • They occur through trusted email accounts
  • Social engineering, including BEC attacks, has a high success rate due to a lack of user security awareness training
  • BEC attacks don’t contain the same common indicators other attacks have, such as payloads, firewall intrusions, endpoint activity, or blacklisted URLs
  • BEC attacks may use spoofed domains or assets to increase trust

This all makes BEC cybersecurity more complicated, and more pressing, but there are steps organisations can take to protect themselves.

How To Detect and Prevent Business Email Compromise

In the modern cyber threat landscape, protecting your organisation against BEC attacks is multifaceted, and takes more than a single tool or a single focus to achieve. While every organisation has different security and business goals and is at a different maturity level, implementing the following steps is the best defence against this common and costly attack.

1. Utilise access controls such as MFA
Any BEC attack starts with access. While a threat actor may already hold stolen credentials, or may obtain them through credential harvesting, software that detects unusual access or behaviour (such as an identity and access management platform), combined with secondary controls such as MFA, can stop the attack before it begins.

2. Take an offensive, user-centric approach with security awareness training
Building a strong security awareness culture will help employees understand the kinds of risks they face in their inboxes, help them spot suspicious messages such as sudden invoices or requests to transfer funds, and help them become a strong line of defence against these growing attacks.

3. Employ monitoring software that digests data from the entire environment
A major issue in modern cybersecurity is that organisations rely on too many siloed tools. Because BEC attacks often evade traditional security tools, organisations need monitoring software that can ingest and correlate data from different parts of the environment, works with email providers, and can alert organisations quickly to unusual activity.
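The correlation that steps 1 and 3 call for, shown as an added example that is not Arctic Wolf's code or product logic: it joins constructed sign-in events (the access signal from step 1) with constructed outbound-mail events from the email platform, and raises an alert only when an unusual sign-in to an account (new country for that account, or MFA not satisfied) is followed within a window by a finance-themed request sent from that same account. The log line formats, the per-account baseline table, the keyword list and the 24-hour window are all assumptions made for the illustration.

```python
"""Correlate email-account sign-in telemetry with outbound mail to surface a
possible business email compromise.  Added illustration of the "ingest and
correlate data from different parts of the environment" step; the log formats,
baseline table, keyword list and window are assumptions, not vendor logic."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample telemetry (not real data).  In a real deployment the
# sign-in events come from the identity provider and the mail events from
# the email platform's audit log.
SIGNIN_LOG = [
    "2024-03-04T08:02:11Z user=cfo@example.com country=GB mfa=yes",
    "2024-03-04T23:41:55Z user=cfo@example.com country=NG mfa=no",
    "2024-03-05T09:15:03Z user=ap-clerk@example.com country=GB mfa=yes",
]
MAIL_LOG = [
    "2024-03-04T09:30:00Z from=cfo@example.com to=board@example.com subject='Q1 board pack'",
    "2024-03-05T00:05:17Z from=cfo@example.com to=ap-clerk@example.com subject='URGENT wire transfer - new supplier account'",
    "2024-03-05T10:00:00Z from=ap-clerk@example.com to=vendor@example.net subject='Remittance advice'",
]

# Assumed per-account baseline: countries each mailbox normally signs in from.
BASELINE_COUNTRIES = {"cfo@example.com": {"GB"}, "ap-clerk@example.com": {"GB"}}

# Phrasing the post lists as typical of BEC requests: urgency, fund
# transfers, gift cards, changed payment details (assumed keyword list).
FINANCE_PATTERNS = re.compile(
    r"wire transfer|gift card|urgent|new (?:bank|supplier) account|payment details", re.I)

CORRELATION_WINDOW = timedelta(hours=24)  # assumed gap between sign-in and request


@dataclass
class SignIn:
    when: datetime
    user: str
    country: str
    mfa: bool


@dataclass
class Mail:
    when: datetime
    sender: str
    recipient: str
    subject: str


def _fields(line: str) -> tuple[datetime, dict]:
    """Split a log line into its UTC timestamp and key=value fields
    (single-quoted values may contain spaces)."""
    ts, rest = line.split(" ", 1)
    kv = {k: v.strip("'") for k, v in re.findall(r"(\w+)=('[^']*'|\S+)", rest)}
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv


def parse_signin(line: str) -> SignIn:
    when, f = _fields(line)
    return SignIn(when, f["user"], f["country"], f["mfa"] == "yes")


def parse_mail(line: str) -> Mail:
    when, f = _fields(line)
    return Mail(when, f["from"], f["to"], f["subject"])


def signin_reasons(s: SignIn) -> list[str]:
    """Why a sign-in looks unusual: new country for the account, or MFA not satisfied."""
    reasons = []
    if s.country not in BASELINE_COUNTRIES.get(s.user, set()):
        reasons.append(f"unusual_country:{s.country}")
    if not s.mfa:
        reasons.append("no_mfa")
    return reasons


def is_finance_request(m: Mail) -> bool:
    """True when the subject carries the fund-transfer / urgency wording."""
    return FINANCE_PATTERNS.search(m.subject) is not None


def correlate(signin_lines=SIGNIN_LOG, mail_lines=MAIL_LOG,
              window=CORRELATION_WINDOW) -> list[dict]:
    """Alert when an unusual sign-in to an account is followed, within the
    window, by a finance-themed request sent from that same account."""
    signins = [parse_signin(line) for line in signin_lines]
    alerts = []
    for m in (parse_mail(line) for line in mail_lines):
        if not is_finance_request(m):
            continue
        for s in signins:
            reasons = signin_reasons(s)
            if s.user == m.sender and reasons and timedelta(0) <= m.when - s.when <= window:
                alerts.append({
                    "user": m.sender,
                    "recipient": m.recipient,
                    "subject": m.subject,
                    "signin_at": s.when.isoformat(),
                    "minutes_after_signin": int((m.when - s.when).total_seconds() // 60),
                    "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate():
        print(alert)
```

The keyword match is deliberately crude; the value is in the join. A finance-themed request on its own is everyday business and an odd sign-in on its own is noise, but the two from the same mailbox within minutes is exactly the pattern the post describes, and neither the identity provider nor the email platform can see it alone.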

Learn how Arctic Wolf stopped a BEC attack in the manufacturing sector.

Discover the threats organisations need to be prepared to defend against in the Arctic Wolf Labs 2024 Threat Report.

Watch how the Arctic Wolf® Platform can stop business email compromise attacks.


Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.