“The money is the same, whether you earn it or scam it.” Bobby Heenan
A BEC attack begins with a cybercriminal hacking and spoofing emails to impersonate your company’s supervisors, CEO, or vendors. Once in, they request a seemingly legitimate business payment.
Also known as whaling or CEO Fraud, these attacks typically involve cybercriminals posing as senior executives or businesses via a personalised email and demanding urgent action from an unsuspecting recipient.
These actions usually include making an unapproved financial transfer or revealing valuable confidential information – actions that can lead to immensely costly and severe repercussions.
So, what is all the fuss about Business Email Compromise (BEC)?
BEC attacks aren’t as well-known as ransomware or other forms of cybercrime, but they are nonetheless a very significant threat to small businesses and even larger ones.
The Australian Competition & Consumer Commission (ACCC) found in its newly released Targeting Scams report that businesses in Australia lost $132 million to BEC scams in 2019. This was, in fact, the highest loss accrued across all scam types last year.
The figure was much worse in the US, with the FBI reporting in its 2019 Internet Crime Report that American organisations lost US$1.7B to BEC scams last year. In addition, over a three-year period between June 2016 and July 2019, the FBI recorded 166,349 domestic and international instances of BEC, resulting in a total exposed dollar loss of over $26B.
Real Challenges Facing Executives
Even intelligent, cyber-savvy CEOs are not safe when targeted with a cleverly worded, socially engineered email. Smart cybercriminals understand this and often target not only professionals within companies but specifically CEOs of those companies, knowing they are custodians of large amounts of money & valuable data and are hence lucrative targets.
The Threat Is Real And Evolving!
Unfortunately, the chances of this happening are exploding amid the volatility of current times.
A BEC attack primarily plays on the psychology of the target. By mimicking a high-ranking executive, for example, cybercriminals utilise the power and influence the executive holds to drive immediate, unquestioning action from the target.
These attacks are very much a hack against humans, rather than against a computer. And right now, the odds of this hack being successful are skyrocketing.
Current BEC scams are exploiting the immensely fragile psychological state of many professionals who are dealing with a torrent of unprecedented challenges triggered by the ongoing COVID-19 pandemic.
It won’t be surprising for someone in the finance department to receive an email, supposedly from the CEO, requesting an unexpected bank transfer, like the below (source: MailGuard):
According to MailGuard, a provider of cloud email and web security services, the hackers behind these emails have been found to be privy to very confidential information. This includes the company’s banking details, registration numbers, specific email addresses, and so on.
They have found that hackers have managed to obtain all this information by expanding their scope of research and gathering data on the company and individuals involved via the Dark Web or from previous data breaches.
Before the first email is sent, the hackers usually conduct thorough reconnaissance to research the company. Often much of the information that the attackers require is readily available from company websites and social networks like LinkedIn. The scammers can gather the organisational structure, contact details, location and role titles of executives and employees.
They are also getting increasingly opportunistic, being more conscious of local trends, current news and climates. For example, as tax time approaches for Australians, BEC scams typically tend to rise as requests for tax forms and sensitive financial information usually escalate in this period. Taking advantage of this, cybercriminals tend to imitate or exploit CFOs due to their influence over financial matters, as per the below example:
Specifically, during this period MailGuard has also seen BEC scams move beyond simple plain-text emails with no attachments to messages spoofing popular accounting software such as Xero or MYOB, complete with well-designed invoices demanding payment.
MailGuard revealed that the structure of BEC attacks is also changing. For example, they have seen that in some BEC scams, there is no damaging action required in the first email sent to the recipient.
The first email is simply trying to establish a dialogue and determine if the target is available, as in the below example. The request for a funds transfer, for instance, is made in follow-up emails.
Scammers are also investing more time and effort into producing communications which look and sound more authentic. In some instances, senior graphic designers and/or legal experts are being employed by cybercriminals to design contracts and use high-quality branding within emails.
What Can You Do To Protect Your Business From BEC Attacks?
Cyberattacks like these are unique in that they leverage not only technical weaknesses of trusted systems but also, heavily, people’s normal behaviours, their psychology and their state of mind. To avoid getting tricked by these attacks, here are four tips you and your teams can follow:
First, Take Your Time
If you have received an unexpected email, check who it was sent by. Examine the sender or reply-to address and check that it hasn’t been sent from a similar, but recently registered domain such as example.com instead of example.com.au.
Be alert for strange sentence structure, or phrasing uncommon to the apparent sender.
Don’t trust, but verify! If you think that the email is legitimate, verify first. Contact the person through a different communication method.
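The sender and reply-to checks above can be automated on inbound mail. The following is an added example, not code from the article or from MailGuard: it parses a constructed message, flags a lookalike From domain (example.com standing in for example.com.au), a display name that matches an executive while the address is external, and a Reply-To that diverts replies to a different domain. The trusted domains and executive names are assumed sample data.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the article): a CEO-impersonation request whose
# visible From domain mimics the real company domain and whose replies are
# diverted to a third domain.
SAMPLE_EMAIL = """\
From: "Jane Smith, CEO" <jane.smith@example.com>
Reply-To: jane.smith@example-payments.com
To: accounts@example.com.au
Subject: Urgent transfer needed today

Are you at your desk? I need a payment processed before 3pm.
"""

# Assumed organisation data: its own domains and the names attackers would imitate.
TRUSTED_DOMAINS = {"example.com.au"}
EXECUTIVE_NAMES = {"jane smith"}


def _split(header: str) -> tuple[str, str]:
    """Return (lowercased display name, lowercased domain) for a From/Reply-To value."""
    name, address = parseaddr(str(header))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    return name.lower(), domain


def _lookalike(domain: str, trusted: set[str]) -> bool:
    """Crude lookalike test: the domain is not trusted but its first label contains
    a trusted domain's first label (example.com vs example.com.au). A production
    check would add the public suffix list and a domain-age (WHOIS) lookup."""
    if not domain or domain in trusted:
        return False
    label = domain.split(".")[0]
    return any(t.split(".")[0] in label for t in trusted)


def check_headers(raw: str, trusted=TRUSTED_DOMAINS, execs=EXECUTIVE_NAMES) -> list[str]:
    """Return warning strings for the sender-related headers of a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_dom = _split(msg.get("From", ""))
    _, reply_dom = _split(msg.get("Reply-To", ""))
    warnings = []
    if _lookalike(from_dom, trusted):
        warnings.append(f"lookalike From domain: {from_dom}")
    elif from_dom not in trusted:
        warnings.append(f"external From domain: {from_dom}")
    if from_dom not in trusted and any(e in from_name for e in execs):
        warnings.append(f"display name '{from_name}' matches an executive but address is external")
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return warnings
```

Any warning is a prompt to verify out of band, not an automatic block: legitimate mail from partners will trip the external-domain check, so the useful signals for BEC are the lookalike and executive-name matches.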
Educate Your Staff
Education is key. Ensure all employees are aware of the formal transfer procedure in place and what to do if they ever receive unusual requests.
Teach staff and employees what fraudulent emails look like. Show them real-life examples of BEC attacks that have occurred in the past and question them on how they would have responded to the scam emails.
Executives should also learn to take special care when posting and sharing information related to work schedules on social media sites.
Implement Cloud Security
Utilise cloud email and web protection. We highly recommend that companies adopt it as their first line of defence. Security vendors like MailGuard, Cyren and other providers offer such services.
Set Up Policies And Controls
Ensure a formal payment or transfer process is well communicated within the entire office. If employees are ever in doubt about transferring funds, ring the apparent sender on a known number.
Implement scam-proof approval processes for financial transfers such as two-factor authentication, which requires two employees to sign off on wire transfers.