E-mail Compromise: How to Protect Business Against BEC-attacks
27.09.2023
Back to blog listBy Sergio Bertoni, The senior analyst at SearchInform
Attacks via email is one of the most beloved cybercriminals’ methods for compromise of organization’s data.
Only during the 2022 the number of Business Email Compromise (BEC) attacks doubled, according to the Computerweekly. What’s more, according to the IBM Cost of Data Breach Report 2022, business email compromise and phishing attacks turned out to be the most expensive breaches, resulting in $4.89mln and $4.91mln respectively. According to Research and Markets, the global BEC market is expected to grow from an estimated value of USD 1.1 billion in 2022 to USD 2.8 billion by 2027, at a Compound Annual Growth Rate (CAGR) of 19.4% from 2022 to 2027.
The senior analyst at SearchInform, Sergio Bertoni reveals, why BEC attacks are so popular and how to protect against them.
Cybercriminals’ aims and implications for businesses.
A BEC attack is a social engineering attack that is aimed at compromise of a corporate mailbox. Before the attack implementation, intruders gather information about the victim and the company the person works for. It isn’t difficult for a cybercriminal to obtain and use the data gathered against the victim and his/her colleagues, since many employees openly publish information about themselves in blogs and on social networks; for instance, they reveal, where do they work and what is their position in the company, where are they going on a vacation, etc. However, data on organization’s executives, such as email addresses and business trip dates is even more preferable for intruders. Malicious actors are also extremely interested in details on company’s payments and accounts. If intruders have access to such data, it’s much easier for them to deceive, for example, a chief accountant and persuade the employee to transfer money to a fake account.
In order to implement an attack an intruder can hack an organization or its contractor’s email. After reading the correspondence - simulate the continuation of the correspondence, using the information obtained for their own malicious purposes. But cybercriminals do not always send emails via hacked email, they can register a phishing domain that looks like the original one and continue correspondence via this email. For instance, they can create a mailbox with the @serchincom.com domain instead of @searchincom.com domain. This method of spoofing is called typesquatting, when malicious actors use the company's domain name with an erroneous spelling.
In 2019, with the help of this technique malicious actors managed to steal $1 mln from the Chinese venture fund, which planned investments into the Israeli start-up. Cybercriminals intercepted the correspondence between two companies and sent messages to the fund representatives on behalf of start-up employees and vice versa. In order to implement the attack, intruders used fake domains, which differed from the original ones only by one letter, which was added to the end of the domain name.
Popularity of this type of attacks may be explained with the simplicity and quickness of its implementation. According to the recent survey by Microsoft Security Intelligence, the whole process, starting from the first log to the deleting of the sent message can be performed within 2 hours. It should be mentioned, that intruders manage to gain significant financial benefits or achieve other aims, for instance, obtain access to the infrastructure or confidential data.
Recently, intruders started to implement BEC-attacks in order to steal physical assets (for instance, goods). A sugar supplier was nearly affected by such an attack. The intruder asked in correspondence to send a truck on the certain address on credit. However, the employee of the sugar supplier company notices that a mistake: an extra letter was added to the sender’s email address. The employee got in touch with the representative of the company, on behalf of which the letter was sent, to make sure that the email sender really was the staff member of the company. However, the reply was negative. Thanks to the employee’s attentiveness, the cyber criminal didn’t manage to steal the product.
It’s crucial to attentively check the sender’s email address. What’s more, forged emails often contain few mistakes. In case an email is a suspicious one, it’s useful to get in touch with a representative of a company, on behalf of which the email was sent and make sure, that their employee really sent the email. But make sure to connect with the representative via legitimate and verified channel, not by replying to the suspicious email. For instance, you can make a call to the head office and find out, whether the email sender really works for the company and if he/she sent the letter.
How else a BEC-attack may look like
In fact, email services aren’t the only tool, which intruders use to perform attacks. Not so long ago cybercriminals began using video conference software, for instance, ZOOM, in order to make employees send money or share some confidential information. In such case, intruders usually use deepfake technologies to commit fraud.
For instance, an intruder hacks an executive’s email and sends employees an invitation to join a videoconference. During the call the intruder fakes the video and types a message in the chat that there are some problems with the connection or that he/she has problems with the microphone. Then, the intruder adds that he/she wants employees to make a money transfer and explains, where money should be sent to.
Most often, such incidents are detected in the USA, however, it’s quite probable that with the further development of the technologies, used for deepfake creation develop and their price decrease, intruders in other countries may also start to actively use such technologies for their malicious aims.
It’s possible to prevent BEC-attack. In order to successfully cope with the task, it’s required to be acknowledged about the information security rules and stick to the recommendations by information security experts.
Building protection against corporate email compromise
Intruders implement social engineering techniques to perform BEC-attacks and it’s important to ensure complex protection against them. One the one hand it’s crucial to enhance employees’ information security and general computer literacy, on the other hand it’s required to implement specific protective solutions and develop specific regulations for staff members which will help to enhance of corporate protection.
Enhancing employees’ competencies in information security related issues is a crucial aspect in terms of enhancing corporate safety. If an employee isn’t acknowledged about the existing risks, he/she won’t recognize a phishing letter at the first attempt, what will result into large financial losses for an organization. However, there is much organizations’ employees in charge can do themselves in terms of employees education in information security related issues. For instance:
- Reveal, what are phishing and BEC attacks
- How to distinguish fake email from a real one
- Occasionally imitate attacks, for instance phishing attacks (to check, whether employees understood the theory and are aware of security recommendations).
If your organization lacks experts and resources for developing a training program, there is an option of contracting third party experts. For instance, our company experts have been conducting cyber literacy training for employees of various companies and state institutions for three years yet.
What’s more, it may be a useful option to share a few memos with employees. The memos help to mitigate risks, associated with a number of threats (phishing emails, use of unreliable passwords, installation of programs, etc.)
The second step is to deploy tools for protection of email services. Such software ensures protection against external threats, for instance, NGFW helps to block potentially malicious network traffic, antispam software reduces amount of phishing emails, SPF, DKIM and DMARC protocols help to verify whether email senders are legitimate.
Some solutions for mitigation of internal threats can also help to deal with the task. For instance, some time ago we also added the functionality, which detects cases when the domain and the sender’s real address differ to our DLP solution.
What’s more, it’s helpful to develop specific regulations, which will govern how employees should behave in various situation, including potentially dangerous ones.
There is a step change taking place in the amount of BEC attacks. According to ComputerWeekly, the volume of Business Email Compromise (BEC) attacks doubled during the course of 2022. This means, that companies have to ensure advanced protection and thus reduce risks and outcomes of corporate email compromise.
