Business Email Compromise (BEC) is a popular attack in which a company's mailbox is compromised for malicious purposes. The simplest way to monetize it is generally to request a fund transfer from the compromised address, or a change in payment details for upcoming invoices.
Ransomware, one of the most publicized topics, accounts for only 1% of financial losses in cybercrime, according to Crane Hassold, Senior Director of Threat Research at Agari. In comparison, BEC attacks accounted for 37% of losses over the past year. This data comes from attacks reported to the FBI's Internet Crime Complaint Center (IC3) in 2020.
In a "State of the Phish" report conducted by Proofpoint, experts estimated that 65% of organizations faced a BEC-type attack in 2020.
According to the FBI's Internet Crime Complaint Center (IC3) report, the total cost of such attacks amounted to more than 26 billion dollars between June 2016 and July 2019.
The study indicates a 100% increase in global losses related to BEC attacks between May 2018 and July 2019. Additionally, the FBI recorded 166,349 domestic and international complaints.
The Different Types of BEC Attacks
BEC scams are not all the same; there are five types of attacks:
- Data theft: The HR or accounting department is targeted to obtain personal information about the company's employees. This data will then be used for future attacks or sold.
- Fake invoices: From the compromised mailbox, hackers contact the company's clients and request payment of unpaid invoices through a bank transfer to an account they control.
- CEO fraud: Financial service employees or those with rights to issue transfers are solicited by the hacked account of the CEO or an authoritative figure in the company to make an irregular transfer.
- Supply chain attack: The hacker impersonates a trusted third party, for instance a lawyer. From a compromised law firm mailbox, the hacker contacts an employee, claiming to be in charge of confidential files. The victim generally lacks the knowledge needed to contradict the "lawyer" and hands over data that can be exploited or sold.
- Account compromise: Hackers gain illegal access to an employee's mailbox. From there, they can request potentially dangerous actions from other company members, leveraging the credibility of the compromised email address. For example, a compromised account of a business executive can send a fake invoice related to a tool supposedly used during their mission to the accounting department. This fake invoice will feature the hacker's payment details. Since the request is "internal," it's far more likely to avoid additional verification.
Stages of a Business Email Compromise
First, the hacker identifies the targets of the attack and then gathers information about the company and potential contacts. Most of this data is collected through OSINT (Open Source Intelligence): social networks, specific search engines, or specialized sites. For weeks or even months, the individual may study the company, its suppliers, its billing systems, and even the communication style used within the company by employees or the CEO.
Next, the attacker takes action, which involves gaining access to a professional mailbox. Thus, the hacker will often carry out a targeted phishing attack to steal login credentials (credential harvesting). They may also use other forms of attacks in more specific cases.
The first compromised account is not always sufficient to carry out the attack. In the case of CEO fraud, for instance, the CEO's mailbox is needed. The next step is then to pivot from the first mailbox to a second, more relevant and useful access for the rest of the attack: that of the CEO.
The final stage is exploitation: retrieving and selling confidential data, requesting an IBAN change for a supplier, transferring money to an account at the supposed CEO's request, and so on. In the case of a transfer, the hacker usually launders the money very quickly. The later the attack is discovered, the harder it is to recover the funds.
How to Protect Against BEC?
To guard against attacks involving fund transfers, a strict procedure must be established for any operation that executes a payment or changes payment details.
Similarly, understanding the confidentiality level of the information within certain systems (HR, CRM, etc.) and being aware of the impact of potential leaks is essential for adhering to protective procedures.
Sensitive operations should have precautionary measures to prevent them from being carried out without undergoing security checks. The simplest method is to institute a form of multi-factor verification, requiring phone validation in addition to email, with proof of identity.
It's also important to monitor suspicious connections to email systems. For example, if connections to employees' mailboxes come from countries where the company doesn't operate, the source of these connections should be treated with suspicion. Probes should be placed on the network to identify potential threats such as compromised accounts, protect against them, and eradicate them as quickly as possible.
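As an added illustration of the monitoring described above (example code written for this page, not from any product or from the original article), the following script runs two detection rules over a few constructed sign-in events: a successful login from a country outside the company's footprint, and two successful logins for the same user from different countries within a short window. The log format, the country set OPERATING_COUNTRIES and all sample values are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Countries where the (hypothetical) company operates; an assumption for this example.
OPERATING_COUNTRIES = {"FR", "BE"}

# Constructed sample sign-in events in a simplified, hypothetical log format
# (user, UTC timestamp, source country, source IP, outcome). Not real data.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "ts": "2024-03-04T08:12:00Z", "country": "FR", "src_ip": "203.0.113.10", "result": "success"},
    {"user": "alice@example.com", "ts": "2024-03-04T09:40:00Z", "country": "NG", "src_ip": "198.51.100.7", "result": "success"},
    {"user": "bob@example.com",   "ts": "2024-03-04T10:05:00Z", "country": "BE", "src_ip": "192.0.2.44",   "result": "success"},
    {"user": "carol@example.com", "ts": "2024-03-04T11:30:00Z", "country": "FR", "src_ip": "203.0.113.22", "result": "failure"},
    {"user": "bob@example.com",   "ts": "2024-03-05T02:15:00Z", "country": "US", "src_ip": "198.51.100.9", "result": "success"},
]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def flag_suspicious_signins(events, operating_countries=OPERATING_COUNTRIES,
                            travel_window=timedelta(hours=6)):
    """Return (user, rule, detail) alerts for successful sign-ins that come from
    outside the company's footprint, or that follow another success by the same
    user from a different country within travel_window (impossible travel)."""
    alerts = []
    last_success = {}  # user -> (timestamp, country) of the latest successful login
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue  # only successful logins matter for these two rules
        user, country, ts = ev["user"], ev["country"], _parse_ts(ev["ts"])
        if country not in operating_countries:
            alerts.append((user, "outside-footprint", f"{country} from {ev['src_ip']}"))
        prev = last_success.get(user)
        if prev and prev[1] != country and ts - prev[0] <= travel_window:
            alerts.append((user, "impossible-travel", f"{prev[1]} -> {country} in {ts - prev[0]}"))
        last_success[user] = (ts, country)
    return alerts


if __name__ == "__main__":
    for user, rule, detail in flag_suspicious_signins(SAMPLE_EVENTS):
        print(f"[{rule}] {user}: {detail}")
```

With the sample data, alice's second login is flagged by both rules and bob's US login only by the footprint rule, since it happens more than six hours after his previous one.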
Another protective measure is to regularly monitor data about the company that is publicly accessible. Thus, the information available during the OSINT phase will be limited.
Lastly, remember that the primary attack vector for these attacks is credential harvesting. Therefore, it's vital to train employees against phishing, one of the most popular sources of credential collection.
Business Email Compromise (BEC) attacks are common and effective scams.
Compared to the operation's cost and the low level of technical skill required to launch such an attack, they are very profitable, making them popular. These scams are still too prevalent in the digital world. With more training and awareness, the number of BEC attacks targeting companies would decrease over time.
BEC is a serious threat, but it is entirely possible to safeguard against it with simple measures such as training a company's employees against phishing.