Employees still falling for business email compromise attacks

A type of fraud in which the attacker impersonates a representative of a trusted business, business email compromise attacks are a big concern for organizations.
15 March 2022

Business email compromise (BEC) attacks continue to be a persistent pest for businesses across the planet. A type of fraud in which the attacker impersonates a representative of a trusted business, BEC has been around for some time, and despite the many security products and awareness programs aimed at it, these attacks continue to increase.

In fact, according to Verizon’s Data Breach Investigations Report, BEC attacks were the second most common type of social engineering attack in 2021. The BEC threat actor typically pretends to be a trusted person and uses methods such as phishing to reach their victims.

Not only do business email compromise attacks disrupt the workflow of organizations, they have also resulted in huge losses. The FBI reported that BEC attacks cost US businesses more than US$2 billion from 2014 to 2019. The FBI also described several BEC scam variants, including the use of phishing kits that impersonate popular cloud-based email services to harvest the credentials of the mailbox that is then abused.

Cybersecurity vendor Kaspersky has also noticed an increase in business email compromise attacks. In Q4 2021, Kaspersky prevented over 8,000 BEC attacks, with the greatest number (5,037) occurring in October. Throughout 2021, the company’s researchers closely analyzed the way fraudsters craft and spread fake emails.

Interestingly, they found that the attacks tend to fall into two categories: large-scale and highly targeted. The former is called “BEC-as-a-Service”, whereby attackers simplify the mechanics of the attack in order to reach as many victims as possible. The attacker sends streamlined messages en masse from free mail accounts, typically under the display name of a senior person at the target, hoping to snare as many victims as possible. These messages are not sophisticated, but they are efficient.

Meanwhile, some cybercriminals are turning towards more advanced, targeted BEC attacks. The attacker first compromises an intermediary mailbox, gaining access to that account’s email. Then, once they find suitable correspondence in the compromised mailbox of the intermediary company (say, about financial matters or work-related technical issues), they continue that correspondence with the targeted company while impersonating the intermediary. Because the mail really does come from the intermediary’s mailbox, nothing in the headers gives it away; only the content of the request does. The goal is usually to persuade the victim to transfer money or install malware.

What’s more concerning is that targeted BEC attacks have repeatedly proven to be the more successful of the two. Recipients of such emails tend to take them at face value and fall victim, and most victims only realize they have been compromised after the cybercriminals have made off with their funds.

Moreover, since the target is already engaged in the conversation the attackers reference, they are far more likely to fall for the scam. Such attacks have proven to be highly effective, which is why they are used not only by small-time criminals looking for a quick profit.
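As an added illustration (this code is not from the article and not Kaspersky’s), the following triage routine applies the two patterns just described to raw email messages: a free-mail sender using a known employee’s display name for the mass “BEC-as-a-Service” case, and a payment-redirection request arriving inside an existing thread for the hijacked-intermediary case, where the headers themselves look genuine. The Reply-To check goes slightly beyond the article; it is a standard BEC indicator. The organization, names, domains and the three messages are all constructed for the example.

```python
"""
Heuristic BEC triage over raw RFC 5322 messages.

Added example, not code from the original article or from Kaspersky.
All names, addresses, domains and messages below are constructed.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed organisation data (hypothetical): in practice these come
# from the directory, here they are hard-coded for the example.
INTERNAL_DOMAINS = {"example-corp.com"}
KNOWN_PEOPLE = {"jane doe": "jane.doe@example-corp.com"}  # hypothetical CFO

# Free webmail providers that mass BEC mail is typically sent from.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Phrases typical of the payment-redirection ask in a hijacked thread.
PAYMENT_PHRASES = ("new bank", "updated bank details", "wire",
                   "urgent payment", "change our account")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> list[str]:
    """Return the list of BEC indicators found in one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    reasons = []

    # 1. Display name of a known employee, but the address is not the
    #    one on file and sits on a free-mail domain (mass BEC pattern).
    key = name.strip().lower()
    if key in KNOWN_PEOPLE and addr.lower() != KNOWN_PEOPLE[key]:
        reasons.append("display-name-impersonation")
        if from_dom in FREE_MAIL_DOMAINS:
            reasons.append("free-mail-sender")

    # 2. Reply-To points at a different domain than From, so replies
    #    leave the conversation the victim thinks they are in.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_dom:
        reasons.append("reply-to-domain-mismatch")

    # 3. A reply inside an existing thread (In-Reply-To present) from an
    #    external party that asks to change payment details: the hijacked
    #    intermediary pattern, where the headers are genuine.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if (msg.get("In-Reply-To") and from_dom not in INTERNAL_DOMAINS
            and any(p in text for p in PAYMENT_PHRASES)):
        reasons.append("thread-payment-redirect")

    return reasons


# Constructed sample messages.
MASS_BEC = b"""From: Jane Doe <jane.doe.cfo@gmail.com>
Reply-To: jane.doe.cfo@outlook.com
To: bob@example-corp.com
Subject: quick task
Message-ID: <1@gmail.com>
Content-Type: text/plain

Are you at your desk? I need you to buy some gift cards for a client.
"""

HIJACKED_THREAD = b"""From: Accounts <ar@supplier-example.net>
To: bob@example-corp.com
Subject: RE: Invoice 4471
Message-ID: <2@supplier-example.net>
In-Reply-To: <bob-7@example-corp.com>
Content-Type: text/plain

Thanks Bob. Please note our updated bank details for this and future payments.
"""

CLEAN = b"""From: Alice <alice@supplier-example.net>
To: bob@example-corp.com
Subject: RE: Invoice 4471
Message-ID: <3@supplier-example.net>
In-Reply-To: <bob-7@example-corp.com>
Content-Type: text/plain

Thanks Bob, invoice received and approved.
"""

if __name__ == "__main__":
    for label, raw in (("mass", MASS_BEC), ("hijack", HIJACKED_THREAD),
                       ("clean", CLEAN)):
        print(label, triage(raw))
```

The hijacked-thread message deliberately passes the header checks and is caught only by the content check, which is the practical point: once the intermediary’s real mailbox is in the attacker’s hands, the decision to pay has to be gated on an out-of-band confirmation rather than on anything in the email.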

Will business email continue to be compromised?

For Roman Dedenok, a security expert at Kaspersky, BEC attacks have become one of the fastest-spreading social engineering techniques. He believes the reason is simple: scammers use such schemes because they work.

Dedenok explained that while fewer people now fall for simple mass-scale fake emails, fraudsters have started to carefully harvest data about their victims and then use it to build trust. He pointed out that some of these attacks are possible because cybercriminals can easily find the names and job positions of employees, as well as their contact lists, in publicly accessible sources.

Oleg Gorobets, Senior Product Marketing Manager at Kaspersky, also highlighted that with remote working and cloud storage becoming the ‘new norm’, coupled with increasingly poor digital hygiene, new scam methods that leverage these gaps in enterprise security are likely to emerge.

“A good example of this is email-borne threats reaching the endpoint level, which can occur when using bundled ‘good enough’ email security from a telco or cloud mail provider. Using a specialized security solution and a well-tested technology stack, backed with quality threat data and machine learning algorithms, can really make a difference,” commented Gorobets.

As always, businesses need to educate their employees on how to detect phishing and BEC scams. While there is a myriad of cybersecurity solutions that provide some protection, at the end of the day it comes down to the employee. Many BEC emails carry no link or attachment at all, so vigilance means more than not clicking: employees should check that the sender’s address, not just the display name, is the expected one, and should confirm any request to transfer money or change payment details through a channel other than the email thread itself. With that kind of vigilance, BEC attacks can be reduced.