BEC scams: A growing threat evolving in complexity and cost

Dubbed by the FBI’s IC3 as a “$43 Billion Scam”, BEC, or Business Email Compromise, is a technically simple yet financially lucrative cyber scam. As BECs rise in popularity, their sophistication grows, making it even more critical for potential victims to be prepared, training employees and hardening money transfer procedures.

A BEC attack traditionally involves an attacker using email, either compromised through a phishing attack or spoofed using security breaches, to impersonate a person or entity, sending a seemingly legitimate request conning the victim into transferring money to the attacker’s account. This may seem too simple to work on most people, but even tech-savvy companies get duped. For example, in 2019 a hacker used a BEC attack to divert into their account a $1 million transfer from a Chinese VC firm, originally intended for an Israeli startup’s Seed funding round. A fraudster was able to steal $100 million from Google and Facebook, posing as one of their suppliers in a series of BEC attacks spanning two years, ‘13-’15.

Hacker.

BEC is a big business. In the 2022 crime report, the FBI said its Internet Crime Complaint Center (IC3) received some 22 thousand BEC complaints responsible for adjusted losses of over $2.7 billion. Secureworks’ 2022 Year in Review report asserted that “BEC poses the largest monetary threat to organizations,” reporting more than doubling in BEC incidents between ‘21-’22. The recent collapse of SVB and other banks presented attackers with a useful scenario of claiming the supplier’s account had to move to a new bank, and giving details of the new account, which is actually the attacker’s.

Simple BEC attacks still work, insofar as some scammers use them in a CaaS (Cybercrime-as-a-Service) model. Nevertheless, some attackers are stepping up their game. IC3 reported that BEC attackers are increasingly spoofing business phone numbers to confirm transactions, and targeting investment accounts rather than traditional banking accounts. Microsoft in a recent BEC report observed improved tactics, such as purchasing residential internet protocol (IP) addresses matching the victim’s location to circumvent geographical detection tools, and using public-blockchain decentralized hosting for phishing and BEC sites.

Preparing for BEC

Employee training: Educate your employees about BEC attacks, focusing on how to identify suspicious requests. For example, urgent or unexpected requests for financial transactions, or from senior executives not usually directly involved in such transactions. Initiate simulated BEC attacks to find weak points and employees, and use them as a teachable experience.

Email protection: Use a secure, end-to-end encrypted, MFA enabled email service. Implement robust email filtering systems to detect and block potential attacks. Keep your email servers, operating systems, and applications up to date with the latest security patches. Vulnerabilities in software can be exploited by attackers, so prompt updates are essential. Conduct periodic security audits and penetration testing to identify vulnerabilities in your organization's email infrastructure and systems.

Identification: Require digital signatures for all correspondence regarding payments or bank account detail changes.

Out of band verification: Establish a standard verification process for financial requests received via email, such as confirming requests through another communication channel or contacting the person directly. Always verify unusual or high-risk requests.

Procedures: Establish strict procedures for payments and money transfers. Notify your suppliers and bank.

Alerts: Set alerts for suspicious transactions, such as new or unfamiliar recipients, changed bank account details, abnormal or inflated sums, unusually high volumes, etc.

Response plan: Develop an incident response plan specific to BEC attacks. Outline the steps to take if an attack occurs, including reporting the incident, voiding the transaction if possible, isolating affected systems, and communicating with stakeholders.

Nimrod Kozlovski.

Response to BEC

Notify: Alert the relevant parties within the company, starting with management, finance, and IT. Make sure they alert you to any new suspicious activity.

Mitigate: Commence initial emergency steps to prevent further fund stealing. If necessary, revoke money transfer privileges. Harden payment controls, like mandating upcoming transactions go manually through the CFO or their confidant.

Email cleanup: Reset email passwords and mandate MFA. Check and delete email rules and filters that may have been created and used by the hacker, and set alerts for any new rules and filters going forward, possibly blocking them or requiring them to be approved by a manager.

Investigate: Commence a digital forensic investigation to determine whether the attack has indeed occurred, and that it wasn’t an employee mistake or malice. Assess the scope and spread of the incident inside the organization, documenting the entire process and evidence. Review activity logs, search emails for suspicious activity, interview employees - especially those with admin or fund privileges, about other suspicious activities, and analyze any changes of rules and configuration in the email systems.

Hacker behavior: Find the attack surface and vector - employee, contractor, security breach, malware, etc. Identify when the attacker entered the email system, how they entered, and what they have been doing inside, to determine whether they compromised just this account, several accounts, or the entire email system.

Supplier data: Ask supplier for the original email, to see what the bank account details are, and then to see whether that bank account information appears anywhere else in the email system as a way to measure attack scope.

Bank involvement: Inform the bank that cleared the transaction, and other relevant payment service providers, about the attack and the changes to your payment procedures. Determine the likelihood of repeating BEC attacks and take steps to mitigate likelihood by contacting payment partners and banks that clear transactions. Ask the bank to harden payment controls.

Assess financial damages: Determine the extent of the financial impact resulting directly and indirectly from the BEC attack. Coordinate with your finance department and consider involving law enforcement, your bank, and your insurance company as necessary.

Dr. Nimrod Kozlovski is Partner & Co-Founder, Cytactic