This spring, Australian authorities were able to arrest a cybercrime syndicate that had conducted BEC attacks on at least 15 individuals and organizations with stolen profits totaling $1.7 million (USD).
If those numbers seem shocking, they’re part of a growing upward trend of BEC attacks that shows no sign of slowing down. According to data collected by Arctic Wolf® Managed Detection and Response and Arctic Wolf Incident Response, BEC-related investigations doubled in the first half of 2023, a rising trend that began last year, when BEC cases rose 29% from 2021 to 2022. Overall, for 2023, BEC engagements accounted for 29.7% of all engagements made by Arctic Wolf Incident Response.
It’s clear that BEC is quickly becoming a top tactic for threat actors, and they have become increasingly adept at not only spoofing email addresses but taking over accounts altogether once they are compromised — all with the goal of tricking users and stealing funds.
While BEC attacks traditionally target financial institutions and users who have access to the purse strings — think a CEO suddenly emailing the CFO about a wire transfer — threat actors are branching out. According to a recent FBI advisory, cybercriminals are utilizing the tactic to steal food shipments valued at hundreds of thousands of dollars, and Arctic Wolf saw 63% more BEC attacks in the manufacturing industry than other verticals so far this year, highlighting how this tactic is being used across industries.
The fact is, BEC attacks are taking over the cybercrime landscape.
What is A BEC Attack?
A BEC attack occurs when a threat actor gains access to a business email account, and then uses that access to create a scam that results in financial gain. BEC attacks, most often, target internal employees (often those in the C-suite) that have access to financial accounts.
While financial gain is often the main goal of a BEC attack, the attack also creates valuable access for the cybercriminal to gain intel about an organization’s environment and potentially launch another attack or go after an organization connected to the original target.
According to FBI classification, there are five main types of BEC attacks. They include:
- CEO Fraud
Attackers will position themselves as the CEO or executive of a company. In this kind of attack, threat actors will typically email an individual within the finance department, requesting funds to be transferred to an account controlled by the attacker.
- Account Compromise
This occurs when an employee’s email account is hacked and is used to request payments to vendors.
- False-Invoice Scheme
In this instance, attackers will pose as a company supplier and request fund transfers to fraudulent accounts.
- Attorney Impersonation
In this attack, a cybercriminal will impersonate a lawyer or legal representative. Lower-level employees are commonly targeted through these types of BEC attacks.
- Data Theft
These attacks target HR employees to obtain personal or sensitive information about individuals within the company, such as CEOs and executives. This data can then be leveraged for future attacks such as phishing, fraud, or ransomware.
Business Email Compromise vs. Phishing
The attack types above may sound like phishing, but there is a key difference between phishing and BEC attacks. In a BEC attack, the email address used is legitimate. In phishing attacks, the email account belongs to the threat actor or is fraudulent.
However, both kinds of attacks do fall under the umbrella of social engineering, and it’s not uncommon for BEC attacks to use common phishing tactics (such as sounding urgent or using known information about the victim) to gain success.
BEC Attack Lifecycle
A BEC attack has four broad phases, similar to other kinds of cyber attacks: Preparation, execution, deception, and action.
To look at an attack with more detail, it would feature the following steps:
- A threat actor gains access to an organization’s email server or a specific user’s email account. This access is achieved through credential theft, credential harvesting, social engineering, or another tactic such as a vulnerability exploit or bypassing multi-factor authentication (MFA).
- The threat actor uses this access to gain intelligence about the user and the organization, often reading emails or other assets to see who they can target with the BEC scam.
- The scam is launched, with the threat actor utilizing the accessed email account as the primary vector. As mentioned above, examples include the threat actor posing as the user and requesting a transfer of funds, creating a fraudulent invoice, or asking for financial information or access to financial account.
See a timeline of a BEC attack and how Arctic Wolf defenses were able to stop it in its tracks.
Why Organizations Are Susceptible to BEC Attacks
There are multiple reasons why a threat actor may choose to target a specific organization, including but not limited to their industry, their financial state, previously harvested credentials or known access, their relationship to other organizations, or known cybersecurity flaws within the organization.
One of the reasons manufacturing is seeing a spike in BEC attacks is a combination of the above. These organizations often have varying degrees of cybersecurity, are more frequent targets of cybercriminals in general, and are often part of a supply chain. But a major reason cybercriminals may choose BEC as their attack vector is because the effort is low, and the payoff is high. Much simpler than ransomware with an end goal of fast financial gain, BEC is becoming a go-to in a threat actor’s toolbox.
In addition, BEC attacks can be difficult for organizations to detect. There’s no ransom note splayed across a desktop screen, the phishing email isn’t full of misspellings and other tell-tale signs, operations haven’t been disrupted, and depending on the scale, the attack may happen fast. Plus, the email account is legitimate.
Other reasons BEC attacks find success include:
- They occur through trusted email accounts
- Social engineering, the category BEC falls into, has a high success rate due to lack of user security awareness training
- BEC attacks don’t contain the same common indicators other attacks have such as payloads, firewalls intrusions, endpoint activity, or blacklisted URLs
- BEC attacks may use spoofed domains or assets to increase trust
This all makes BEC cybersecurity more complicated, and more pressing, but there are steps organizations can take to protect themselves.
How To Detect and Prevent Business Email Compromise
In the modern cyber threat landscape, protecting your organization against BEC attacks is multifaceted, and takes more than a single tool or a single focus to achieve. While every organization has different security and business goals, and are at different maturity levels, examining all of the following is the best defense against this common and costly attack.
- Utilize access controls such as MFA
Any BEC attack starts with access. While a threat actor may already have stolen credentials, or may gain access through credential harvesting, having software that can detect unusual access or behavior (such as identity and access management), as well as secondary controls such as MFA can stop the attack before it begins. According to the Arctic Wolf Labs 2023 Threats Report, 58% of organizations impacted by BEC attacks did not have MFA implemented, which could’ve made a major difference in the attack outcome. - Take an offensive, user-centric approach with security awareness training
Building a strong security awareness culture will help employees understand the kinds of risks they face in their inboxes, help them spot suspicious messages such as sudden invoices or requests to transfer funds, and help them become a strong line of defense against these growing attacks. - Employ monitoring software that digests data from the entire environment
A major issue in modern cybersecurity is that organizations rely on too many siloed tools. Because BEC attacks often evade traditional security tools, organizations need monitoring software that can ingest and correlate data from different parts of the environment, works with email providers, and can alert organizations quickly to unusual activity.
Explore how a security operations approach can transform your organization’s cyber defenses.
Take a deep dive into recent BEC data and how Arctic Wolf stopped an attack in the manufacturing sector.
