Business Email Compromise (BEC) attacks are on the rise according to security vendor Proofpoint. In the last three months of 2016 it saw an increase of 45% in the number of attacks taking place. This is a significant increase and shows that attackers believe companies are easy targets for this type of fraud.
According to Ryan Kalember, senior vice president of Cybersecurity Strategy for Proofpoint: “Seventy-five percent of our customers were hit with at least one attempted BEC attack in the last three months of 2016—and it only takes one to cause significant damage. Our research shows static policies cannot keep up as attackers are constantly changing their socially-engineered messages. Organizations need detection, authentication, visibility, and data loss prevention to ensure they don’t fall victim.”
What is a BEC attack?
There are several types of Business Email Compromise attacks. All rely on targeting key individuals inside organisations to get them to transfer funds urgently. They look to exploit trusted individuals and use hacked email credentials or spoofed accounts.
In some cases the emails appear to come from a CEO or a Finance Director. They create a sense of panic over a missed payment or threat of legal action if a payment isn’t made urgently. The email then tells the person it was sent to that they have to make the payment urgently. This attack relies on an individual not being prepared to question the instruction or checking it is real with the person who supposedly sent it. In some cases the criminal has had control of the email account of the executive. This means that emails looking for clarification can be responded to adding to the authenticity of the attack. To discourage any phone calls or other types of communication the email often says they are going into a meeting or getting on a plane and cannot be contacted.
Another type of attack relies on the criminal creating false bank accounts for companies. They then contact customers telling them that their bank account has been changed. They ask them to make all payments to the new account. This type of attack plays on the relationship between the company and its customer. It has been successful over the last few years, netting millions of pounds for criminals.
Five key finding from the Proofpoint survey
Proofpoint surveyed 5,000 companies across several countries. It has listed five key finding from its research. They are:
- BEC attacks increased by 45 percent in the last three months of 2016 vs. the prior three months. 2/3 of all BEC attacks spoofed their email address domain so that their fraudulent emails displayed the same domain as that of the company targeted in the attack.
- Companies of all sizes are prone to BEC attacks. Proofpoint data indicates no correlation between the size of the company and BEC attack volume. Larger companies make for attractive targets because they have more funds to draw on and greater organizational complexity to hide behind, even if they tend to have stricter financial controls. And while smaller companies may not yield the same returns, the relative absence of financial controls makes them more vulnerable.
- Manufacturing, retail and technology organizations are generally more targeted with BEC attacks.Hit repeatedly every month, cybercriminals look to take advantage of more complex supply chains and SaaS infrastructures which often accompany these industries.
- While CEO impersonation continues in BEC attacks, cybercriminals are increasingly targeting victims deeper within organizations. There is a shift beyond simple fraudulent CEO-to-CFO BEC attacks to CEO-to-different employee groups. For example, to accounts payable for wire transfer fraud attempts, to human resources for confidential tax information and identities—and engineering for intellectual property theft.
- More than 70 percent of the most common BEC subject line families feature the words “Urgent” “Payment” and “Request.” The top seven subject line families include: payment (30 percent), request (21 percent), urgent (21 percent), greeting (12 percent), blank (nine percent), FYI (five percent), and, where are you? (two percent).
BEC attacks are designed to circumvent established business processes. They are especially effective when the processes are inflexible and staff are persuaded to react rather than adapt to the attack. Companies need to think about how they verify all requests for unexpected payments even if that means refusing the payment. This can be hard for many staff and it requires HR departments to help formulate policies that protect staff.
Where a customer appears to change bank there also needs to be a process to validate the information. Simply checking with the new bank is not enough. The criminals are careful enough to make the accounts look legitimate. One solution is to involve sales teams who own the relationship with the customer. They can help formulate questions to be asked that only the real customer would know.
Over the last few years there have been cases of BEC attacks netting large sums of money. In some cases these have led to senior members of staff, including some CEOs losing their jobs. It has also created business threatening situations for some businesses. If companies do not create policies that are part IT and part business then they will continue to fall victim to this type of attack.