Business email compromise has come a long way since its advent in the '90s. Estranged relatives and Nigerian princes were ever in crisis; they needed money wired abroad -- and fast.
In hindsight, such scams sound rudimentary. But the BEC formula used today has hardly evolved, despite significant advancements in technology and attack techniques. That's because BEC relies on the one weakness that cannot be solved by innovation: the human factor.
In BEC scams today, attackers use spear phishing attacks and credential theft to compromise email accounts and gain access to internal communications. They then manipulate human psychology and business functions to trick employees into sending sensitive data or money to malicious actors disguised as people they trust.
It's easy to see why BEC attacks work. Preventing them, however, is not so simple -- especially when attackers rely on cognitive biases. Distinguishing between genuine and fraudulent email communications is challenging enough -- and it's also only part of reducing BEC risk.
Only 12% of spear phishing attacks were linked to BEC last year, according to Barracuda Networks. But don't be fooled into a false sense of comfort. BEC attacks are far more financially devastating and more challenging for security teams to prevent.
IT leaders need to understand how BEC works as the attack is embraced by the cybercriminal community for its effectiveness and hefty payouts. Here, explore five BEC examples to learn about tried-and-true tactics and red flags.
1. Supply chain BEC scams
The Toyota Boshoku Corporation scam of 2019 became a marquee BEC attack due to the high-profile victim and the massive payout. It also showed how social engineering can bypass even the most sophisticated security programs because it targets people instead of infrastructure, according to Proofpoint.
Attackers contacted the finance and accounting department of a Toyota Boshoku subsidiary and posed as a legitimate business partner requesting payment. They created a sense of urgency in their request, claiming the transaction needed to be completed ASAP or they risked slowing down Toyota production -- a textbook BEC tactic. Unfortunately, it worked. Someone at the company transferred more than $37 million in a parts order to the scammers, one of the highest reported BEC losses ever.
"A common attribute of BEC attacks is targeting people who deal in big money transactions," said Dave Gruber, analyst at Enterprise Strategy Group, a division of TechTarget. Since car manufacturers buy expensive parts in bulk quantities, he said, Toyota Boshoku was a logical target for BEC scammers -- and it paid off.
Scammers use this attack pattern in BEC fraud.
2. Faith-based fraud
Where there is a will to pay the bill, there is a way to be exploited. The Saint Ambrose Catholic Parish in Brunswick, Ohio, learned this lesson after losing $1.75 million in a BEC attack in 2019. According to the FBI's investigation, hackers compromised two parish email accounts and swindled the church by impersonating a contractor. The fake Marous Brothers Construction company called to explain that its payment information had recently changed and that it had not received payment for the previous two months' expenses.
"This was shocking news to us, as we have been very prompt on our payments every month and have received the appropriate confirmations from the bank that the wire transfers of money to Marous were executed," Father Bob Stec wrote in a statement to the Saint Ambrose community.
In compromising two email accounts, hackers observed conversations regarding payment recipients, due dates and amounts and then used that information to devise the perfect fraud -- a tactic common in BEC attacks.
Regarding faith-based organizations and other nonprofit victims of BEC, Gruber pointed to the donation-based finance model -- and inherent trusting mentality.
"These are vulnerable organizations because they're more trusting. No one is off-limits," he said.
3. Gift card-related BEC scams
Gift card schemes have long been popular with cybercriminals because the cards operate similarly to cash. Once the card balance is used, the value is dollar gone and so is the scammer.
The FBI's Internet Crime Complaint Center issued an alert on gift card scams after a 1,240% increase in the number of complaints received between January 2017 and September 2018. Victims received a spoofed email from attackers masqueraded as authority figures who asked them to purchase gift cards for personal or business reasons.
Social engineering is key to effective gift card-related BEC scams. A similar string of attacks targeted Jewish temples and synagogues in 2019. Rabbis in Virginia, Tennessee, California and Michigan were impersonated in emails, with congregants asked to purchase gift cards for a fundraiser and email pictures of the serial numbers.
This example of BEC is on the rise once again, recurring especially during holidays and Black Friday. According to a report from the Anti-Phishing Working Group, 66% of BEC attacks included a request for gift card payment in the second quarter of 2020.
There are two different strategies from the adversary standpoint: You can go after the whales or go after the basses.
Dave GruberAnalyst, Enterprise Strategy Group
4. COVID-19-related BEC scams
As demand for COVID-19 information surged over the past year, so did the number of coronavirus-themed phishing attacks. BEC scammers capitalized on the opportunity, crafting fraudulent emails purporting to contain critical information about the virus's transmission, personal protective equipment (PPE), vaccination and lockdown policies. Phishing lures appearing to be from trusted sources, such as the World Health Organization, contained a variety of malware -- and misinformation.
"There are two different strategies from the adversary standpoint: You can go after the whales or go after the basses," Gruber said. BEC scams during the pandemic have included both approaches.
For example, the FBI received multiple reports of COVID-19-related BEC fraud targeting large healthcare organizations and state government agencies. Victims wire-transferred large sums of money to fraudulent sellers in advance of receiving items, including ventilators, PPE and other limited medical supplies.
Other BEC scammers focused on smaller targets at scale. Fake emails urgently requested victims' credit card information to purchase a dose of the limited COVID-19 vaccine, for example.
"These mini-BEC campaigns are still happening every day," Gruber said. Though scammers may only steal a few hundred dollars in this type of spray-and-pray approach, if successful, that can start to add up, Gruber added.
5. Tax season BEC scams
Each tax season, W-2 BEC scams crop up like clockwork. This BEC example uses social engineering to identify and impersonate a CEO, whose account is used to email the HR manager requesting copies of employee W-2s. If the HR manager provides the documents, employee personal information -- including Social Security numbers, names, addresses, income and tax withholdings -- is compromised. Attackers can file fraudulent tax returns with the data or sell it to the highest bidder on the dark web for further potential misuse.
Anything that has a time deliverable urgency is ripe for exploitation in a BEC attack, including tax filing, benefits enrollment deadlines or an upcoming audit.
"Attackers prey on people whose actions may be driven by emotion. The urgency and fear of taxes can cause the emotional element to become the driver," Gruber said. "These are human attacks."
Following a massive spike in 2017, the IRS, state tax agencies and industry bodies issued a joint alert encouraging employers to educate payroll staff about the trend. Awareness has paid off some -- W-2 scams constituted just 2.5% of all BEC attacks in 2019, according to the Agari Cyber Intelligence Division. As with any security awareness training, repetition and retraining are key to not letting an organization's guard down.
CEO impersonation is a common tactic in BEC scams.
Business email compromise red flags
BEC attacks typically target individuals with access to financial records and other sensitive information. However, BEC prevention involves making everyone more aware of email security risks and social engineering red flags, said Davin Singh, technical account manager at IT managed services provider Bit by Bit.
"When they get an email, everyone needs to check who it is from and analyze the date, subject line, attachments and hyperlinks," Singh said. "Even if it's well crafted, one of these things is going to be slightly off."
In a Queens Chamber of Commerce webinar titled "Identifying Phishing & Business Email Compromise Attacks," Singh joined cyber liability consultant Sean O'Rourke of Combs & Company to discuss the following BEC red flags:
Requests for personally identifiable information through email. Email is an insecure communication method. Requests should always be verified by contacting the sender through a different means of communication, such as phone or in-person contact.
Atypical payment requests. Beware of sudden claims of payment or wiring information changes. Always confirm these updates before sending money to a new account.
Urgent language. Approach unexplained urgency with a healthy dose of skepticism before rushing to meet the sender's request.
Advance fee request. Without having any product or service delivered first, question the legitimacy of the invoice before processing payment.
Anomalous account behavior. Look out for unusual email account behavior, such as automatic forwarding rules.
Generic salutations. Most emails from financial institutions are addressed to the name of account holder, so be suspicious of "Dear Customer" greetings.
Sudden changes in norms. Confirm any unexpected changes in processes or requests through a secure line of communication before complying.
Business email compromise prevention tips
Industry veterans O'Rourke and Singh also shared the following BEC prevention tips for security leaders:
Document payment processes. Establish and distribute written procedures for conducting financial transactions, such as in-person or over-the-phone confirmation.
Perform security awareness training. Users need to understand email security risks to the business and their role in mitigating them.
Implement phishing tests.Phishing test results help organizations identify high-risk employee behavior and assess the effectiveness of security awareness training.
Avoid the blame game. Build a healthy security culture, where employees are comfortable asking questions and reporting security incidents without fear of discipline.
Nail down security basics. Make sure infosec fundamentals are in place, such as multifactor authentication, principle of least privilege and NIST framework.
Loop in legal. Internal legal and compliance departments -- or an external cyberlawyer -- should be involved in BEC prevention and response planning.
Deploy email security products. There is no BEC prevention silver bullet, but phishing detection, anti-fraud and anomaly detection tools can limit risk of credential theft, malware and other methods of email compromise.
Audit authorization. Limit the number of employees who handle payments transactions, and ensure they understand how to identify anomalous requests and invoices, as well as procedures on what to do if a malicious request is discovered.
