Helen Thomas

Business Email Compromise, a rapidly growing threat

Business Email Compromise (BEC) attacks are on the rise. Cybercriminals falsify invoice payment details and use social engineering to trick employees into divulging sensitive information or approving payments. They target the people in charge of fund transfers and manipulate them into diverting money to attacker-controlled accounts, cryptocurrency platforms or third-party payment processors, where the funds are quickly dispersed and hard to recover.

According to the FBI's 2023 Internet Crime Report, the Internet Crime Complaint Center (IC3) received 21,489 BEC complaints that year, with adjusted losses of over 2.9 billion US dollars.

How it works

It often starts with reconnaissance of the company and its employees on social media to select targets. If not enough information is publicly available, scammers may also trick low-level employees or receptionists into revealing who is in charge of accounting or payments.

In a BEC attack, threat actors log into a target's mailbox with stolen credentials and hijack an ongoing conversation very rapidly. Access to the victim's email account is usually obtained by purchasing credentials on the dark web, through social engineering, or through phishing. Once inside, attackers look for email threads worth hijacking, typically existing invoice or payment discussions, and use them to trick someone in the finance department into sending money, often while impersonating a senior executive or a trusted vendor. They may also register a domain name very similar to the target's (a transposed letter, a 1 in place of an l) so that the misspelling is likely to be overlooked. Victims are far less likely to question the legitimacy of a wire transfer when the request continues an existing thread. Once the transfer is made, the malicious email is usually deleted to reduce the chance of detection; attackers commonly also create mailbox rules that hide or auto-delete replies so the real account owner never sees the conversation.

The attack can also begin with a phishing email that links to a fake Microsoft 365 login page. Once the victim enters a password, the page also prompts for the multi-factor authentication (MFA) one-time code. That code, which is valid only for a short window, is forwarded in real time (in the campaign described, to a Telegram channel) and replayed against the legitimate service before it expires, giving the attacker a fully authenticated session. This real-time relay defeats code-based MFA such as SMS and authenticator-app codes, but not phishing-resistant methods such as FIDO2/WebAuthn security keys, whose signed responses are bound to the legitimate site's origin and are rejected when produced on a lookalike page.
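The following simulation, added here as an illustration and not code from the original article, shows why the relay described above works against one-time codes but fails against an origin-bound credential. The TOTP half implements RFC 6238 (HMAC-SHA1, 30 second step); the "authenticator" half is a stand-in that uses HMAC with a per-credential key where a real FIDO2 authenticator would use a private key, but it models the property that matters, the browser-reported origin being part of the signed data. The hostnames, secret and challenge are constructed.

```python
"""Relayed TOTP code vs. origin-bound (WebAuthn-style) assertion.

Added illustration for the phishing flow described in the article; not
the article's own code. Crypto for the authenticator is a stand-in (HMAC
with a shared per-credential key instead of an asymmetric signature).
"""
import hashlib
import hmac
import json
import struct
import time

LEGIT_ORIGIN = "https://login.example.com"       # constructed
PHISH_ORIGIN = "https://login-examp1e.com"       # constructed lookalike
TOTP_SECRET = b"0123456789ABCDEF0123"            # constructed shared secret
AUTHENTICATOR_KEY = b"per-credential-key"         # constructed stand-in key


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_verify_totp(code: str, unix_time: int) -> bool:
    """The legitimate server accepts the current or previous step's code.
    Nothing in the code says who typed it or on which web page."""
    return any(hmac.compare_digest(code, totp(TOTP_SECRET, unix_time - d))
               for d in (0, 30))


def relay_totp_attack(unix_time: int) -> bool:
    """Victim types the code into the fake page; the attacker replays it
    to the real server a few seconds later, still inside the window."""
    victim_code = totp(TOTP_SECRET, unix_time)          # read off the victim's app
    return server_verify_totp(victim_code, unix_time + 5)


def authenticator_sign(challenge: str, origin: str) -> dict:
    """The browser fills in the origin it is actually on; the authenticator
    signs it together with the server's challenge. The user cannot alter it."""
    client_data = json.dumps({"challenge": challenge, "origin": origin},
                             sort_keys=True)
    sig = hmac.new(AUTHENTICATOR_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def server_verify_assertion(assertion: dict, expected_challenge: str) -> bool:
    """Valid only if the signature checks AND the signed origin is ours."""
    expected = hmac.new(AUTHENTICATOR_KEY, assertion["client_data"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False
    data = json.loads(assertion["client_data"])
    return data["challenge"] == expected_challenge and data["origin"] == LEGIT_ORIGIN


def relay_webauthn_attack() -> bool:
    """Attacker forwards the real challenge to the victim on the phishing
    page. The victim's browser reports PHISH_ORIGIN, so the real server
    rejects the assertion even though the signature itself is valid."""
    challenge = "c0ffee"                                  # issued by the real server
    assertion = authenticator_sign(challenge, PHISH_ORIGIN)
    return server_verify_assertion(assertion, challenge)


if __name__ == "__main__":
    now = int(time.time())
    print("relayed TOTP accepted:", relay_totp_attack(now))          # True
    print("relayed WebAuthn accepted:", relay_webauthn_attack())     # False
```

The point the code makes is that the one-time code is a bearer secret: anyone who presents it within the window is accepted. The assertion carries the origin the browser actually loaded, so a code typed on `login-examp1e.com` cannot be turned into a session on `login.example.com`.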

Red flags of BEC

Threat actors are getting more sophisticated in their attacks. The following are some of the basic signs of fraudulent emails attempting to compromise you and your organization:

  • Sender address or URL that is slightly off: a misspelled or lookalike domain, or a spoofed display name hiding a different address
  • Business requests sent from personal mailboxes, or with a Reply-To pointing to one
  • Missing contact information, or generic titles that are too broad
  • Poor grammar or misspellings
  • Sense of urgency, secrecy, or pressure to bypass normal procedure
  • Suspicious attachments
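The header-level red flags above, and the lookalike-domain trick described under "How it works", can be checked mechanically. The script below is an added example, not code from the original article: it scores a raw message against an allow-list of domains the organisation actually does business with, flagging lookalike sender domains (confusable characters and small edit distance), a Reply-To that points somewhere other than the From domain, free webmail providers, and urgency language. The allow-list, the free-mail list, the keyword list and both sample messages are constructed.

```python
"""Score an email for header-level BEC red flags.

Added example for the red-flag list in the article; not the article's code.
The allow-list, provider list, keywords and sample messages are constructed.
"""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from typing import Optional

KNOWN_DOMAINS = {"example.com", "acme-supplies.com"}     # constructed: our org and a real vendor
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com", "protonmail.com"}
# Substitutions that look alike in common fonts; multi-character ones first.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("5", "s"), ("7", "t"), ("8", "b"))
URGENCY = re.compile(
    r"\b(urgent(?:ly)?|immediately|asap|today|wire|confidential|"
    r"before (?:close of business|cob|eod))\b", re.I)


def normalize(domain: str) -> str:
    """Fold confusable characters so examp1e.com and exarnple.com read example.com."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the known domain this one imitates, or None if it is a known
    domain (or a real subdomain of one) or simply unrelated. Heuristic:
    tuned for a short allow-list, a threshold of 2 may over-flag very short names."""
    d = domain.lower()
    for known in KNOWN_DOMAINS:
        if d == known or d.endswith("." + known):
            return None
    for known in KNOWN_DOMAINS:
        label = known.rsplit(".", 1)[0]              # e.g. "acme-supplies"
        if (normalize(d) == normalize(known)
                or edit_distance(d, known) <= 2
                or label in d):                     # example.com-secure.net style
            return known
    return None


def analyze(raw: str) -> dict:
    """Parse a raw RFC 822 message and return the red flags it trips."""
    msg = Parser(policy=policy.default).parsestr(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower()
    flags = []
    target = lookalike_of(from_dom)
    if target:
        flags.append(f"sender domain {from_dom} looks like {target}")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if from_dom in FREE_MAIL or reply_dom in FREE_MAIL:
        flags.append("personal/free mailbox used for a business request")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = msg.get("Subject", "") + " " + (body.get_content() if body is not None else "")
    hits = sorted({h.lower() for h in URGENCY.findall(text)})
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    return {"from": from_addr, "flags": flags, "score": len(flags)}


# Constructed sample: executive impersonation from a lookalike domain.
SAMPLE_MESSAGE = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e.com>
Reply-To: <jane.doe.ceo@gmail.com>
To: ap@example.com
Subject: Urgent wire before COB
Content-Type: text/plain; charset="utf-8"

Hi, I need you to process the wire to the new vendor account today.
I am in meetings all afternoon, so handle this immediately and keep it confidential.
"""

# Constructed sample: routine vendor mail that should not trip anything.
LEGIT_MESSAGE = """\
From: "AP Team" <ap@acme-supplies.com>
To: finance@example.com
Subject: Invoice 4471 for March
Content-Type: text/plain; charset="utf-8"

Attached is the invoice for March services on the usual net-30 terms. Thanks.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, analyze(raw))
```

Run on the constructed phishing sample this reports four flags (lookalike domain, Reply-To mismatch, free mailbox, urgency) and none on the vendor invoice. In production the same checks belong in a mail-flow rule or SIEM enrichment, with the allow-list fed from the vendor master file rather than hard-coded.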

How to protect against BEC

User awareness and training is the first step in protecting against most scams, including BEC. Train employees to pause before acting and take time to recognize the red flags. Emphasize the importance of examining the sender's actual email address and any URL for misspellings or lookalike domains. They should not click links or open attachments in unsolicited email or text messages. Instruct users to verify that the originator of a request is legitimate, especially when it appears to come from leadership; an unusual request from an executive deserves more scrutiny, not less.

All changes to fund transfer details should be verified through a separate, out-of-band channel. Confirm payment and purchase requests by phoning the requesting party on a number already on file; never call a number included in the email that requests the transfer, since the scammer will answer it. Apply the same direct verification to any change of mailing address or bank account number. Be aware that BEC scammers are patient: they monitor communications and reply within an existing thread at exactly the right moment to divert money to their own account.

Train users not to reuse the same credentials across multiple accounts. Block known-compromised passwords in Active Directory (for example with a banned-password list), enforce a strong password policy, and require multi-factor authentication as an additional layer, preferring phishing-resistant methods such as FIDO2 security keys where possible, since one-time codes can be relayed as described above.

https://www.ic3.gov/media/PDF/AnnualReport/2023_IC3Report.pdf

Notable Cyber Byte:

DocuSign phishing scams are on the rise, and fake DocuSign email templates are being sold on the dark web for as little as US $10. These malicious emails prompt victims for their DocuSign credentials so cybercriminals can steal Personally Identifiable Information (PII), mine DocuSign histories for other sensitive documents and sell them to other criminals. This can lead to blackmail, extortion and Business Email Compromise (BEC): scammers can wait for the time a company normally pays its vendors and then impersonate a vendor's finance point of contact to divert funds.

To protect yourself and your organization, pay attention to clues such as unsolicited requests, the sender's actual email address (not just the display name) and small variations in names or domains. Be aware that the entire body of the email may be a single clickable JPG or PNG image linked to a malicious site, so there is no text to hover over or inspect. If you determine that an email is not legitimate, report it as phishing to your email provider or security team, block the sender, and delete the email from both your inbox and your trash so it is not clicked by accident.
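The "whole body is one clickable image" pattern mentioned above is easy to detect in the HTML part of a message. The scanner below is an added example, not code from the original article or from DocuSign: it walks the HTML with the standard-library parser, counts images wrapped in links against the amount of visible text, and lists link hosts that are not under the domain the mail claims to come from. Both HTML samples and their URLs are constructed.

```python
"""Detect HTML email bodies that are essentially one clickable image.

Added example for the DocuSign note in the article; not the article's
code. Sample HTML and hostnames are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkedImageScanner(HTMLParser):
    """Collect <img> elements nested inside <a>, and count visible text."""

    def __init__(self) -> None:
        super().__init__()
        self.open_hrefs = []        # stack of hrefs for currently open <a>
        self.linked_images = []     # (href, img src) pairs
        self.text_chars = 0
        self._skip = 0              # depth inside <style>/<script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.open_hrefs.append(a.get("href", "") or "")
        elif tag == "img" and self.open_hrefs:
            self.linked_images.append((self.open_hrefs[-1], a.get("src", "") or ""))
        elif tag in ("style", "script"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag == "a" and self.open_hrefs:
            self.open_hrefs.pop()
        elif tag in ("style", "script") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text_chars += len(data.strip())


def _under_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def image_only_body(html: str, claimed_sender_domain: str, min_text: int = 40) -> dict:
    """Return linked-image count, visible text length, off-site link hosts and
    a verdict: suspicious when there is a linked image and almost no real text."""
    scanner = _LinkedImageScanner()
    scanner.feed(html)
    scanner.close()
    hosts = {urlparse(href).hostname or "" for href, _ in scanner.linked_images}
    offsite = sorted(h for h in hosts if h and not _under_domain(h, claimed_sender_domain))
    return {
        "linked_images": len(scanner.linked_images),
        "visible_text_chars": scanner.text_chars,
        "offsite_link_hosts": offsite,
        "suspicious": bool(scanner.linked_images) and scanner.text_chars < min_text,
    }


# Constructed phishing body: no text, one full-size image linking off-site.
SAMPLE_PHISH = """<html><body style="margin:0">
<a href="https://docusign-review.example-verify.net/sign?id=1">
<img src="cid:doc.png" width="600" height="800" alt=""></a>
</body></html>"""

# Constructed legitimate-looking body: real text, logo links to the claimed domain.
SAMPLE_LEGIT = """<html><body>
<p>Hello Pat, Acme Supplies has sent you a document to review and sign.</p>
<a href="https://app.docusign.com/view/abc"><img src="cid:logo" alt="Review Document"></a>
<p>If you have questions, contact your account manager directly.</p>
</body></html>"""

if __name__ == "__main__":
    print("phish:", image_only_body(SAMPLE_PHISH, "docusign.com"))
    print("legit:", image_only_body(SAMPLE_LEGIT, "docusign.com"))
```

The text threshold is deliberately low; the goal is to catch bodies with no inspectable text at all, and to surface the actual link destination that a user cannot see behind the image.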

https://www.darkreading.com/threat-intelligence/scammers-fake-docusign-templates-blackmail-steal-companies?&web_view=true

https://www.noctechnology.com/phishing-report-docusign-scam