Protecting Your Business From Business Email Compromise (BEC) Attacks

“The money is the same, whether you earn it or scam it.” Bobby Heenan

A BEC attack begins with a cybercriminal hacking or spoofing email accounts to impersonate your company’s supervisors, CEO, or vendors. Once in, they request a seemingly legitimate business payment.

Also known as whaling or CEO Fraud, these attacks typically involve cybercriminals posing as senior executives or businesses via a personalised email and demanding urgent action from an unsuspecting recipient.

These actions usually include making an unapproved financial transfer or revealing valuable confidential information – actions that can lead to immensely costly and severe repercussions.

So, what is all the fuss about Business Email Compromise (BEC)?

BEC attacks aren’t as well-known as ransomware or other forms of cybercrime, but they are nonetheless a very significant threat to small businesses and even larger ones.

The Australian Competition & Consumer Commission (ACCC) found in its newly released Targeting Scams report that businesses in Australia lost $132 million to BEC scams in 2019. This was, in fact, the highest loss accrued across all scam types last year.

The figure was much worse in the US, with the FBI reporting in its 2019 Internet Crime Report that American organisations lost US$1.7B to BEC scams last year. In addition, over a three-year period between June 2016 and July 2019, the FBI recorded 166,349 domestic and international instances of BEC, resulting in a total exposed dollar loss of over $26B.

Real Challenges Facing Executives

Even intelligent, cyber-savvy CEOs are not safe when targeted with a cleverly worded, socially engineered email. Smart cybercriminals understand this and often target not only professionals within companies but specifically the CEOs of those companies, knowing they are custodians of large amounts of money and valuable data and are hence lucrative targets.

The Threat Is Real And Evolving!

Unfortunately, the chances of this happening are exploding amid the volatility of current times.

A BEC attack primarily plays on the psychology of the target. By mimicking a high-ranking executive, for example, cybercriminals utilise the power and influence the executive holds to drive immediate, unquestioning action from the target.

These attacks are very much a hack against humans, rather than against a computer. And right now, the odds of this hack being successful are skyrocketing.

Current BEC scams are exploiting the immensely fragile psychological state of many professionals who are dealing with a torrent of unprecedented challenges triggered by the ongoing COVID-19 pandemic.

It won’t be surprising for someone in the finance department to receive an email, supposedly from the CEO, requesting an unexpected bank transfer, like the below (source: MailGuard):

According to MailGuard, a provider of cloud email and web security services, hackers have been found to be privy to very confidential information. This includes the company’s banking details, registration numbers, specific email addresses, and so on.

They have found that hackers have managed to obtain all this information by expanding their scope of research and gathering data on the company and individuals involved via the Dark Web or from previous data breaches.

Before the first email is sent, the hackers usually conduct thorough reconnaissance to research the company. Often much of the information that the attackers require is readily available from company websites and social networks like LinkedIn. The scammers can gather the organisational structure, contact details, location and role titles of executives and employees.

They are also getting increasingly opportunistic, being more conscious of local trends, current news and climates. For example, as tax time approaches for Australians, BEC scams typically tend to rise, as requests for tax forms and sensitive financial information usually escalate in this period. Taking advantage of this, cybercriminals tend to imitate or exploit CFOs due to their influence over financial matters, as in the example below:

Specifically, during this period, MailGuard has also seen BEC scams that move beyond simple plain-text emails with no attachments to messages spoofing popular accounting software such as Xero or MYOB, carrying well-designed invoices that demand payment.

MailGuard revealed that the structure of BEC attacks is also changing. For example, they have seen that in some BEC scams, there is no damaging action required in the first email sent to the recipient.

The first email is simply trying to establish a dialogue and determine if the target is available, as in the below example. The request for a funds transfer, for instance, is made in follow-up emails.
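The impersonation patterns described above (an executive’s display name on an outside address, replies diverted elsewhere, and an urgent "are you available" or payment hook) can be screened for at the mail gateway. The following is an added example, not code from MailGuard or this article; the organisation domain, executive list, and the two sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: executives whose display names a BEC email
# is likely to borrow, mapped to their one legitimate address.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Wording that marks the social-engineering hook (availability probe or payment request).
URGENCY_TERMS = ("urgent", "wire", "transfer", "bank details", "invoice", "are you available")


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC warning signs found in one RFC 5322 message (empty if none)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. Executive display name used with an address that is not the executive's own.
    if from_name.strip().lower() in EXECUTIVES and from_addr.lower() != EXECUTIVES[from_name.strip().lower()]:
        findings.append(f"display-name impersonation of {from_name} via {from_addr}")

    # 2. Replies silently redirected to a mailbox other than the visible sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"reply-to mismatch: replies go to {reply_addr}")

    # 3. Urgency or payment language in the plain-text body (walk() covers multipart too).
    text = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    hits = [term for term in URGENCY_TERMS if term in text.lower()]
    if hits:
        findings.append("urgency/payment wording: " + ", ".join(hits))
    return findings


# Constructed sample: the opening "are you available?" probe sent under the CEO's name.
SUSPICIOUS = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: ceo.private@example-mail.net
To: accounts@example.com
Subject: Quick request

Are you available? I need an urgent wire transfer processed today.
"""

# Constructed sample: a routine internal message from the real executive address.
LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Board agenda

Please see the attached agenda for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, bec_indicators(sample))
```

Real deployments would feed the display-name list from the directory and pair this with SPF/DKIM/DMARC results rather than rely on header heuristics alone.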

Scammers are also investing more time and effort into producing communications which look and sound more authentic. In some instances, senior graphic designers and/or legal experts are being employed by cybercriminals to design contracts and use high-quality branding within emails.