For years, one of the most lucrative ways for hackers to generate profits was through ransomware attacks. These instances involve the use of strong encryption to lock victims out of their files and data – attackers then sell the decryption key in exchange for an untraceable Bitcoin ransom payment.
Now, however, another highly profitable attack style is emerging, particularly within the enterprise sector.
Business Email Compromise, or BEC, is creating considerable opportunities for cybercriminals to make money off of their malicious activity, and the sophistication and urgency of these infiltrations make them particularly difficult to guard against.
The rise of BEC
Although organizations are now becoming increasingly aware of the BEC attack approach, this strategy has actually been generating income for hackers for years now. Trend Micro researchers reported that, in 2016, attackers generated an average of $140,000 in losses by launching BEC attacks on businesses across the globe.
In the past, BEC was known as a “man-in-the-email” scam, in which hackers leverage legitimate-looking emails to support bogus wire transfers from enterprise victims. As Trend Micro researchers pointed out, these attacks can come in an array of different styles, including fraudulent invoices, attacks on the company CEO, account compromise or impersonation, and even traditional data theft.
Judging by the level of profit hackers have been able to generate, supported by the successful attacks they’ve been able to pull off, chances are good that BEC will only continue its rise in the near future.
How big of a business is BEC?
Whereas hackers caused an average of $140,000 in business losses two years ago, cybercriminals who leverage BEC schemes have been able to increase their potential for profit since then.
In July 2018, the FBI’s Internet Crime Complaint Center reported a 136 percent rise in losses related to BEC attacks, specifically between December 2016 and May 2018. Overall, this means
hackers have raked in a total of $12.5 billion in company BEC losses, spanning both international and domestic attacks. The sheer amount of loss – and profit on the side of hackers – is $3 billion higher than the prediction Trend Micro researchers made in our Paradigm Shifts: Security Predictions for 2018 report.
Fueling BEC: What makes these attacks difficult to guard against?
An increase in successful attacks translates to a rise in profits on the part of hackers, and a larger number of affected business victims. Due to this environment landscape, it’s imperative that enterprise decision-makers and IT stakeholders not only understand that these attacks are taking place, but that they also boost their awareness of the challenges in protection. In this way, businesses can take proactive action to better protect their email systems, critical data, finances and other assets.
Let’s examine a few of the factors that contribute to the difficulties in protecting against BEC attacks:
Sophisticated use of social engineering
In the instances of BEC, hackers don’t just craft a catch-all email with common language and hope it dupes their target. Instead, they take their time to complete sophisticated social engineering. In this way, they are able to use an attack style that will boost their chances of the target opening and responding to the message.
Thanks to the robust social engineering involved, cybercriminals can create incredibly legitimate-looking emails that include targets’ names, and can even appear to be from others within the organization. For example, an accountant may receive a fraudulent email request for a wire transfer from the company CEO, which includes a spoofed version of the CEO’s email address and even the CEO’s own email signature. Accordingly, he or she will be more likely to send the funds, because the email appears very real.
Lack of malicious links or attachments
While hackers’ background and foundational effort is in-depth and sophisticated, the process of delivery is surprisingly simple. BEC attacks rely on a convincing email with a strong message, meaning that the normal red flags used to identify a potential attack are lacking.
“Because these scams do not have any malicious links or attachments, they can evade traditional solutions,” Trend Micro pointed out.
Sense of urgency in the message
In addition to leveraging social engineering to include legitimate names, addresses and other details to fool victims, hackers also include a strong sense of urgency in BEC messages to encourage a successful attack. Many messages analyzed by Trend Micro researchers were found to include powerful language like “urgent,” “payment,” “transfer,” “request,” and other words that can support the overall message.
“The sense of urgency, a request for action, or a financial implication used in BEC schemes tricks targets into falling for the trap,” Trend Micro explained. “For instance, a cybercriminal contacts either the employees and/or executives of the company and pose as either third-party suppliers, representatives of law firms or even chief executive officers (CEOs), manipulating the targeted employee/executive into secretly handling the transfer of funds.”
Business Email Compromise attacks involve social engineering and strong language.
Array of different styles to appeal to different victims
In addition, the fact that attackers have established a wide variety of different attack styles means they can utilize the one that will be most successful with their target, based on their social engineering research. For instance, a hacker who wants to attack a company CEO could pose as a third-party vendor requiring payment for an overdue invoice. An attacker looking to launch an attack on a company that may not commonly use outside vendors, and thus may not fall for that approach, could pose as an internal HR employee needing personally identifiable data.
With so many different styles available, hackers have a veritable playbook to choose from and can craft the most legitimate message which will support the chances of successful fraud and attack.
Further leveraging a compromised account: Continuing the cycle
Finally, and unfortunately, the BEC cycle doesn’t have to end after a fraudulent wire transfer has been made by the victim. Once an account has been compromised, it can be leveraged to support further BEC schemes, sending phishing or other BEC messages to others within the compromised account address book.
Hackers are also positioning victims as “money mules,” according to the FBI IC3’s report. These are victims, recruited through romance or blackmail scams, that hackers use to open new accounts to leverage for BEC. While these accounts may only remain open for a short time, they provide additional, malicious opportunities for attackers.
Security experts don’t believe BEC attacks will diminish anytime in the near future. In addition to user awareness, enterprises should leverage advanced security solutions to prevent BEC intrusions. Technology from Trend Micro, which utilizes advanced strategies like artificial intelligence to detect email impersonators and machine learning to strengthen overall security, can be beneficial assets.
To find out more about how to guard against BEC within your enterprise, connect with the experts at Trend Micro today.