Business Email Compromise, or BEC, is a type of impersonation fraud in which cybercriminals obtain access to a corporate email account and then attempt to defraud the company or its employees by impersonating authority figures such as executives. The attackers use social engineering to trick employees of the firm into transferring money to attacker-controlled bank accounts or handing over confidential data. According to researchers at Abnormal Security, there has been a steady increase in the size and frequency of BEC attacks: an average 173% week-over-week increase in COVID-19 related BEC attacks was recorded in the first quarter of 2020.
Recent trends show that the strategy cybercriminals employ in BEC attacks is changing. Historically, the prime targets of BEC attacks have been C-level executives, with attackers looking to exploit these executives' very busy schedules. However, the Abnormal Security report reveals that attacks targeted at senior executives decreased by 37% in the first quarter of 2020. Cybercriminals are now targeting employees in finance roles, with an 87% increase per week observed during the quarter. This indicates a move away from engagement and paycheck fraud toward payment fraud, particularly invoice fraud in which attackers pose as vendors, suppliers, or customers in an attempt to redirect payments.
Cybercriminals have also shifted the scope of their targets from individuals to groups. Campaigns targeting at least 10 recipients increased by 27% compared with the fourth quarter of 2019. This shift is driven by the likelihood that a response from one recipient lends the request credibility and increases the chances of engagement with the other targets. In other cases, attackers have found it worthwhile to reuse the same attack across a variety of targets.
BEC attacks represent a relatively small portion of the total volume of email attacks, as they are typically targeted and incorporate heavy elements of social engineering. However, they disproportionately represent the greatest financial risk of all email attacks: the FBI states that losses from BEC attacks accounted for more than 50% of all cybercrime-related financial losses in 2019. Given this success, cybercriminals will continue to carry out BEC attacks, and it is very likely that these attacks will evolve to become even more lucrative and damaging.
To reduce the chances of falling victim to BEC attacks, Mitiget advises that personally identifiable information such as schools attended, links to family members, and birthdays, which can be used to guess passwords or answers to security questions, should not be shared online or on social media. All incoming business communications must be scrutinized, with even more caution applied to unsolicited emails or text messages requesting information or prompting an update or verification of account details. Email attachments from unverified sources should never be opened. Where payment and purchase requests are made, transaction details should be confirmed with the requester in person if possible, or otherwise by phone call, to make sure the request is legitimate.
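Part of the scrutiny called for above can be automated. As an added example that is not from the report, from Abnormal Security or from Mitiget, the Python below flags the two patterns described on this page, an executive's display name arriving from an external address and a vendor-lookalike domain carrying payment language, and marks messages that should be held for out-of-band confirmation; the company domain, executive names, vendor list, keywords, threshold and sample messages are all constructed assumptions.

```python
# Heuristic triage for the two BEC patterns described above: an executive's display
# name on an external address, and a vendor-lookalike domain carrying payment language.
# Domains, names, keywords and sample mail below are constructed for illustration.
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"        # assumed: the company's own mail domain
EXECUTIVES = {"jane doe"}              # assumed: display names worth protecting
KNOWN_VENDORS = {"acme-supplies.com"}  # assumed: approved vendor domains
PAYMENT_TERMS = re.compile(
    r"\b(wire|invoice|remittance|bank (details|account)|routing|urgent)\b", re.I)

def domain_of(addr: str) -> str:
    """Domain part of an RFC 5322 address, lower-cased ('' if absent)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def lookalike(domain: str, known: str) -> bool:
    """Same length as a known domain but differing in exactly one character."""
    return len(domain) == len(known) and sum(a != b for a, b in zip(domain, known)) == 1

def bec_indicators(msg: dict) -> list[str]:
    """Return the indicators triggered by one message (dict of headers + body)."""
    name, _ = parseaddr(msg["from"])
    sender = domain_of(msg["from"])
    hits = []
    if name.lower() in EXECUTIVES and sender != INTERNAL_DOMAIN:
        hits.append("executive display-name from external domain")
    if msg.get("reply-to") and domain_of(msg["reply-to"]) != sender:
        hits.append("reply-to domain differs from sender")
    if any(lookalike(sender, v) for v in KNOWN_VENDORS):
        hits.append("lookalike of approved vendor domain")
    if PAYMENT_TERMS.search(msg["subject"] + " " + msg["body"]):
        hits.append("payment / banking language")
    return hits

def needs_out_of_band_check(msg: dict) -> bool:
    """Payment language plus an identity indicator: hold and confirm by phone/in person."""
    hits = bec_indicators(msg)
    return "payment / banking language" in hits and len(hits) > 1

SAMPLES = [  # constructed: executive impersonation, vendor invoice redirect, benign
    {"from": "Jane Doe <jane.doe@mail-example.net>", "reply-to": "",
     "subject": "Urgent wire needed today", "body": "Please process before noon."},
    {"from": "Billing <ar@acme-supp1ies.com>", "reply-to": "ar@acme-supp1ies.com",
     "subject": "Updated invoice", "body": "Our bank account has changed, see attached."},
    {"from": "Bob <bob@example.com>", "reply-to": "",
     "subject": "Lunch", "body": "Team lunch Friday?"},
]
```

The first two samples each trip two indicators and are held for confirmation; the benign internal mail trips none. A real deployment would draw the executive and vendor lists from the directory and the accounts-payable system rather than hard-coding them.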