Imagine this scenario: it’s tax season, and you work in the HR department. Your CEO sends you an email requesting copies of employee W-2s that include names, addresses, Social Security numbers, income data and tax information. With the sense of urgency that the tax season brings and a direct request from your CEO, what should you do?
You most likely wouldn't think much of it. The request is not that unusual, so you send the files. Now that information is in the hands of attackers, who use it to file fraudulent tax returns or sell it on the dark web for other criminals to misuse.
How did this happen? The email evaded your spam filters, the sender address looked identical to your CEO's, and the message even carried their photo. This is a textbook business email compromise (BEC) attack, and such attacks are on the rise.
Because the FBI has tracked them for years, we have sobering statistics on their growth: in 2020 the FBI's Internet Crime Complaint Center (IC3) received nearly 20,000 BEC complaints, with reported losses rising to $1.86 billion from $1.29 billion in 2018. With cybercriminals leaning on business email compromise more and more over the past year, we'll look at what these attacks are, the forms they take, how to spot a threat that is designed to be hard to detect, best practices for preventing them, and how to stop them.
What is a business email compromise?
Business email compromise is a very damaging type of cyber crime in which cyber criminals impersonate the email account of an employee, executive or vendor of a company, for the purpose of requesting that the recipient (someone from the company) divulge sensitive information, make payments or even share information about their company’s proprietary products or technology.
Unlike the usual phishing campaigns with fake emails that are easy to spot, BEC attacks are highly targeted. This means they can fall under the spear phishing umbrella, with victims thoroughly researched to ensure they can make and authorize the payments, and that they have the sensitive information the attackers are after.
Because they’re so highly targeted and expressly use social engineering to carry out attacks, they’re not easy for spam filters to detect and block. Attackers can also register lookalike domains that aren’t on any block lists at the time of the attack, further helping them successfully evade detection. And with emails that often contain no links or attachments, only a written request, antivirus solutions can do very little about them, if anything at all.
How BEC attacks work
Because business email compromise leverages social engineering, cyber criminals don’t need to use advanced tools or even need to be that technically proficient to execute them. BEC attacks usually start with reconnaissance that can span days or weeks, looking for information about their target organization and its employees, allowing attackers to carefully choose the victim as well as the person they’ll impersonate.
As mentioned before, victims are usually executives or employees who are authorized to make payments on behalf of the organization or have access to sensitive employee information, such as those in the HR department. Attackers can perform recon and use OSINT by visiting websites, press releases, social media profiles and posts, LinkedIn, company partners, investors and the like, all to build a profile on their target organization and its personnel.
Once attackers have enough information to select the appropriate victim and the “sender” they’ll impersonate, they’re ready to set up the attack. And in order to take on the sender’s identity, to make the fateful request of payment or informational access, attackers can use various approaches. These include:
- Lookalike domain: Attackers register a domain that closely resembles the legitimate one, differing by a single swapped, dropped or doubled character, a visually similar character, or just the top-level domain. Read quickly, such a domain easily passes as authentic.
- Spoofed email: In a spoofing attack, cyber criminals forge the message headers so that the displayed sender address belongs to someone the recipient trusts. This works best against domains that do not publish and enforce SPF, DKIM and DMARC records, because the receiving server then has no way to tell that the message never came from the claimed domain.
- Account takeover via spear phishing: Rather than registering a new address and hoping the victim believes it, attackers take control of the real account of the person they want to impersonate, typically by spear phishing that person for their credentials. Mail sent from the genuine mailbox passes every technical check and inherits the existing conversation history.
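The lookalike-domain technique above, and the advice later in this article to read the sender address carefully for a one-character difference, can both be automated at the mail gateway. The following Python is an added example written for this article, not SecurityTrails code: it generates the single-edit variants of a trusted domain (dropped, doubled, transposed or hyphenated characters plus a small table of visually confusable substitutions, which is our own assumed list), classifies a `From:` header against them, and also flags a trusted person's display name arriving from an untrusted domain. It assumes single-level top-level domains such as `.com`; the sample headers are constructed.

```python
"""Sender triage for BEC: lookalike domains and display-name impersonation.
Added illustration; the CONFUSABLES table and the single-level-TLD assumption are ours."""
from email.utils import parseaddr

# Character swaps that registered lookalike domains commonly rely on (assumed list).
CONFUSABLES = {
    "m": ["rn"], "rn": ["m"], "w": ["vv"], "vv": ["w"],
    "l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "e": ["3"], "a": ["4"], "s": ["5"],
}


def variants(label):
    """All single-edit lookalikes of a domain label: omission, doubled character,
    transposition, hyphen insertion and confusable substitution."""
    out = set()
    n = len(label)
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                  # exmple
        out.add(label[:i] + label[i] + label[i:])            # exaample
    for i in range(n - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # exmaple
    for i in range(1, n):
        out.add(label[:i] + "-" + label[i:])                 # ex-ample
    for src, repls in CONFUSABLES.items():
        start = label.find(src)
        while start != -1:
            for r in repls:
                out.add(label[:start] + r + label[start + len(src):])  # exarnple, examp1e
            start = label.find(src, start + 1)
    out.discard(label)
    return out


def split_domain(domain):
    """Split 'label.tld' at the last dot. Assumes a single-level TLD such as .com;
    multi-level suffixes like .co.uk would need the Public Suffix List."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def classify_sender(from_header, trusted_domains, vip_names=()):
    """Return 'trusted', 'lookalike', 'display-name-impersonation', 'external' or 'invalid'."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if "." not in domain:
        return "invalid"
    d_label, d_tld = split_domain(domain)
    for trusted in (t.lower() for t in trusted_domains):
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"                     # our domain or a subdomain of it
        t_label, t_tld = split_domain(trusted)
        if d_label == t_label and d_tld != t_tld:
            return "lookalike"                   # example.co instead of example.com
        if d_label in variants(t_label):
            return "lookalike"                   # exarnple.com, examp1e.com, exmaple.com
    if display.strip().casefold() in {v.casefold() for v in vip_names}:
        return "display-name-impersonation"      # right name, wrong (often free-mail) domain
    return "external"


if __name__ == "__main__":
    # Constructed From: headers, not real messages.
    samples = [
        "Jane Doe <ceo@example.com>",
        "Payroll <payroll@hr.example.com>",
        "Jane Doe <ceo@exarnple.com>",
        "Jane Doe <ceo@example.co>",
        "Jane Doe <jane.doe@gmail.com>",
        "Vendor Billing <ap@vendor-inc.net>",
    ]
    for s in samples:
        print(f"{s:38} -> {classify_sender(s, ['example.com'], vip_names=['Jane Doe'])}")
```

A "lookalike" or "display-name-impersonation" verdict is a reason to quarantine or to add a warning banner, not proof of fraud on its own; the variant generator only covers single edits, so a gateway should also consult an external feed of newly registered domains that resemble yours.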
Now that the attackers have the information they need and have assumed an identity using one of the techniques above, it is time to send the email. They must act fast, however: a request for a transfer of funds is easily discovered once the real executive or vendor sees the conversation. That's why BEC emails typically carry a sense of urgency, persuasion and clear authority to win the victim's trust. This can happen in a single email or across a long exchange that builds the relationship of trust further before the request arrives.
Types of business email compromise attacks
There are several types of business email compromise attacks out there. Here are the ones we see most commonly used in the wild:
CEO fraud
The CEO fraud type of BEC is the scenario we presented at the beginning. Attackers assume the identity of the CEO or another executive and email someone in the finance or HR department, requesting a transfer of funds to an attacker-controlled account for a deal they have supposedly just closed, or highly sensitive information about employees or partners. Believing they are helping their CEO (and doing good for the company), the victim is unlikely to second-guess the request, which makes CEO fraud a highly successful tactic for attackers.
Fake invoice scheme
In this type of BEC attack, cyber criminals impersonate an account that is usually used to request invoice payments, or that of an actual vendor of the organization. They then send an email requesting payment for services performed by the vendor and will even use the expected template for it, with the legitimate recipient’s bank account information changed to the attacker’s.
Attorney impersonation
In attorney impersonation, lower-level employees are targeted for their lack of experience with legal requests and processes. Attackers pose as a lawyer or legal representative and act under a veil of confidentiality and time-sensitivity to appear legitimate. This helps them avoid scrutiny and persuades the victim to act fast, thinking they are doing the right thing.
Data theft
As seen in our first example, attackers don't use BEC only to get money transferred right away. They may target HR to steal sensitive information about employees that helps them execute further attacks, or that they can sell on the dark web.
Account compromise
In account compromise, attackers take over the mailbox of someone in the organization via phishing or malware, then send routine-looking payment requests to customers, vendors or partners, with the payment details pointing to an account the attacker controls.
Examples of business email compromise attacks
Let’s take a look at real-world examples of some of the biggest BEC attacks we’ve seen yet.
Snapchat
Not all BEC attacks are after money. In 2016, the immensely popular photo and video sharing app Snapchat announced that it had been the victim of business email compromise.
An unsuspecting employee had divulged sensitive information in reply to an email that appeared to come from company CEO Evan Spiegel. Thinking it was a legitimate request, the employee provided sensitive information including employees' Social Security numbers, tax information, payroll information and healthcare plans. Snapchat said the email was an isolated event and that the breach was dealt with in a matter of hours. It also offered each affected employee two years of free credit monitoring and up to $1 million in reimbursements.
One Treasure Island
One Treasure Island, a nonprofit geared toward redeveloping Treasure Island in San Francisco Bay to a place for low-income and formerly homeless people, was targeted by attackers just before Christmas of 2020.
The attackers broke into the email system of the nonprofit’s bookkeeper and began using email addresses similar to those of people associated with the organization. Then, they posed as One Treasure Island Executive Director Sherry Williams to email a member of the organization who was expecting a loan. The email said that the payment for the loan would be delayed. They then took a legitimate invoice that the member had emailed to Williams—and sent it again, after changing the recipient’s bank account information to one they were controlling, for payments that ultimately amounted to $650,000.
To date, One Treasure Island has only recovered around $37,000.
Facebook and Google
One of the biggest business email compromise attacks ever, this one hit the two giants: Facebook and Google. While BEC attacks are considered to be quite simple, this case shows that no company is too big to fall victim to them.
Evaldas Rimasauskas created an elaborate scheme that netted him over $100 million from the two companies combined. He set up a company in Latvia under the name of a Taiwan-based hardware manufacturer that was a known business associate of both Google and Facebook, then sent fake invoices, contracts and letters to the two companies, billing them for millions of dollars from 2013 to 2015.
Ultimately, Rimasauskas agreed to forfeit $49.7 million and was sentenced to 5 years in prison.
Ubiquiti Networks
Ubiquiti Networks, a Silicon Valley maker of networking technology for service providers and enterprises, was scammed out of nearly $47 million in a 2015 business email compromise attack. The incident involved employee impersonation and fraudulent requests from a third-party entity targeting the company's finance department. The scam led to the transfer of $46.7 million held by a Ubiquiti subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.
How to spot business email compromise
Business email compromise attacks are highly targeted and crafted to fool victims into believing payment or confidential information requests are legitimate and nothing out of the ordinary. This can make them challenging to recognize, but there are ways to avoid falling victim to a BEC attack.
Remember how we said that requests emailed by attackers are time-sensitive and have a sense of urgency about them? Well, they’re also usually followed with spelled-out consequences if the request is not fulfilled.
Investigate the email and look for these tell-tale signs: Is the request something the sender usually asks for? Does it ask for confidential information to be sent over email, when that is not common practice in your organization? Is the account to which the funds should be transferred one you have paid before, or a new one? Does the sender ask for the conversation to remain confidential?
Once you get an email like this, your best step is to confirm the identity of the sender and the validity of the request. Don't do it by replying, since you may be writing back to the attacker; use another channel, such as a phone number you already have on file, to reach the person the email appears to come from and confirm that they actually made the request. Read the sender address carefully, character by character, and make sure you haven't missed a lookalike domain that differs from the legitimate one by a single character or top-level domain.
Simply put, be suspicious and slow down. Don’t act out of urgency, despite the sender’s pressure in getting you to do so.
Best practices to prevent business email compromise attacks
As they’re hard to spot, the best advice we can give on business email compromise attacks is to be proactive instead of reactive. Following these best practices to stop BEC attacks is the first line of defense and will, at the very least, decrease your chances of suffering this highly damaging form of cyber attack.
Label emails coming from outside the organization
Most mail platforms can do this, so make sure rules are in place to tag messages that come from outside the organization, and in particular external messages whose sender address uses your own domain name. Back the tagging with email authentication: publish an SPF record so receivers know which servers may send for your domain, sign outbound mail with DKIM, and publish a DMARC policy of quarantine or reject so that receiving servers discard mail claiming to be from your domain when neither SPF nor DKIM aligns with the From: address. Without a DMARC policy, SPF and DKIM on their own do not cause unaligned mail to be rejected.
Use multi-factor authentication
Multi-factor authentication adds another layer of security, especially against attackers trying to take over an email account they intend to use for BEC. With MFA enabled, a stolen username and password are not enough to log in; the attacker must also present a second factor, such as a code from an authenticator app, a hardware security key or a prompt on a registered device. Codes sent by SMS can themselves be phished, so prefer an authenticator app or a hardware security key where you can.
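The two gateway rules described above (tag external mail, and treat mail that claims your own domain but fails authentication as spoofed) come down to the DMARC alignment check. The following Python is an added example for this article, not code from SecurityTrails or any mail product: it parses the `Authentication-Results` header a receiving server stamps on a message, tests SPF and DKIM alignment against the `From:` domain in relaxed or strict mode, and returns a verdict. The `org_domain` helper approximates the organizational domain as the last two labels (a simplification; real DMARC uses the Public Suffix List), and the three sample messages are constructed.

```python
"""DMARC-style alignment check over Authentication-Results, plus the internal /
spoofed-internal / external decision used for banner tagging.
Added illustration; org_domain() approximates the Public Suffix List rule (assumption)."""
import email
import re
from email import policy
from email.utils import parseaddr


def parse_auth_results(value):
    """Parse one Authentication-Results header into {method: {'result': ..., props}}."""
    results = {}
    clauses = [c.strip() for c in re.sub(r"\([^)]*\)", "", value).split(";")]
    for clause in clauses[1:]:                    # clauses[0] is the authserv-id
        if not clause:
            continue
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        entry = {"result": result.lower()}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            entry[key.lower()] = val.rpartition("@")[2].lower()   # keep only the domain
        results[method.lower()] = entry
    return results


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption;
    real DMARC uses the Public Suffix List so that .co.uk is handled)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain."""
    if not auth_domain or not from_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(raw_message, our_domains, spf_mode="r", dkim_mode="r"):
    """Decide what the mail gateway should do with a message based on alignment."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg["From"] or ""))
    from_domain = addr.rpartition("@")[2].lower()
    ar = {}
    for hdr in msg.get_all("Authentication-Results", []):
        ar.update(parse_auth_results(str(hdr)))
    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom"), from_domain, spf_mode)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d"), from_domain, dkim_mode)
    dmarc_pass = spf_ok or dkim_ok
    internal = from_domain in {d.lower() for d in our_domains}
    if internal and not dmarc_pass:
        verdict = "reject: spoofed internal sender"   # our domain in From:, nothing aligned
    elif internal:
        verdict = "internal"
    else:
        verdict = "external: tag subject"             # banner/tag for everything else
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": dmarc_pass, "verdict": verdict}


# Constructed sample messages (not real traffic): genuine internal mail, the CEO's
# address spoofed from an outside server, and a vendor whose mail authenticates.
MSG_INTERNAL = """\
From: "Jane Doe" <ceo@example.com>
To: payroll@example.com
Subject: W-2 copies
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

Please send me the W-2s for review.
"""
MSG_SPOOFED = """\
From: "Jane Doe" <ceo@example.com>
To: payroll@example.com
Subject: URGENT - W-2 copies needed before noon
Authentication-Results: mx.example.com; spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=example.com; dkim=none

Send all employee W-2s as PDF. Keep this confidential.
"""
MSG_VENDOR = """\
From: billing@vendor-inc.net
To: ap@example.com
Subject: Invoice 4471
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce@mail.vendor-inc.net; dkim=pass header.d=vendor-inc.net

Attached invoice, due in 30 days.
"""

if __name__ == "__main__":
    for name, raw in [("internal", MSG_INTERNAL), ("spoofed", MSG_SPOOFED), ("vendor", MSG_VENDOR)]:
        print(name, evaluate(raw, ["example.com"]))
```

Note that the check only trusts an `Authentication-Results` header written by your own receiving server; a gateway must strip any such header that arrives from the outside before stamping its own, otherwise an attacker can simply include a forged `spf=pass` line. The vendor message also shows why alignment matters: a compromised vendor mailbox (account compromise, above) passes this check cleanly, so authentication tells you the mail came from where it claims, not that the payment details inside it are genuine.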
Maintain strict procedures for wire transfers
Strict policies and procedures for wire transfers are a must for protecting your organization from any type of financial fraud. Ensure that all staff know that any request to change payment details or payment method must be verified through regular channels, and that the identity of the person or entity requesting the change is confirmed using previously known phone numbers or addresses, never the contact details included in the request itself.
Train employees and build a security culture
Because BEC attacks rely on social engineering and fooling unsuspecting victims, technical controls alone will not stop them. The most important practice in preventing business email compromise is growing and nurturing a cybersecurity culture in your company: one that keeps everyone aware of the signs of fraud, spoofed emails and fake requests; tells all employees to whom they should report suspicious behaviour and emails; and trains them in how to act when unusual requests hit their inbox, even if they appear to come from the CEO.
Ultimately, always be suspicious and doubtful. Even if the common signs of business email compromise are missing from a request you’ve received, always question requests and make an effort to verify the identity of the sender and the legitimacy of the request. Be skeptical of unusual deadlines and emails that ask for confidentiality; forward the email to higher-ups, and slow down. Don’t act out of panic or feel pressured because the email came through during your day’s busiest hours; cyber criminals often use that tactic to catch you off-guard. Trust your gut—and if something doesn’t feel right, report it.
Use solutions like SecurityTrails Feeds™
The SecurityTrails Feeds™ can help you to identify malicious domain names that look like the legitimate one. Feeds help security teams to watch over suspicious activity by inspecting domain names to prevent potentially malicious campaigns including ones that feature domain variations that can be used for BEC attacks on your organization. Once you download Feeds (or query SecurityTrails API™) and integrate them into your own apps, it’s easy for security teams to track and detect critical domain information as Feeds are updated daily.
Email and financial fraud have been with us since the very beginning of the internet. And while the “Nigerian prince” or your aunt from across the pond asking for your bank account information to transfer your inheritance now seem like nothing more than laughable scams, cyber criminals have substantially evolved their tactics.
With attacks like BEC, attackers rely on human psychology to exploit the trust employees have in their executives and vendors, as well as their desire to do the right thing for their company. And while BEC can be difficult to prevent, it’s not impossible to raise enough awareness across your organization to effectively put a halt to these attacks.
As we’ve said, just keep being skeptical and suspicious. When it comes to cybersecurity, that’s always the best stance to take!