The state of BEC in 2021 (and beyond)
Ransomware has made major cybersecurity story headlines in the past 12 months. Therefore, a lot of focus and corporate resources are spent on mitigating the risk of ransomware. And rightly so. But another threat that has been around for a long time is just as damaging to a business: this is the specter of Business Email Compromise or BEC.
The impact of BEC
Ransomware makes headlines because of the acute impact on an infected business and the often massive ransom demands. The biggest ransom in 2021 was the $50 million demand from the ransomware attack on Acer. By comparison, BEC is seemingly less impactful with losses in the region of hundreds of thousands rather than millions of dollars. However, exceptions to this are common, with one company filing a complaint with the Internet Crime Complaint Center (IC3) when they realized they had sent a wire transfer for $60 million to a fraudster: the money was subsequently traced and returned by the IC3 Recovery Asset Team (RAT).
The 2020 FBI Internet Crime Complaint Center (IC3) report found that the numbers of BEC crimes (19,369) were around four times the numbers of reported ransomware attacks (2,474).
The amounts involved in the crime were also notable. BEC losses amounted to around $1.8 billion, whereas ransomware costs were $29.1 million. Even adjusting for the number of attacks of each type of cybercrime, ransomware was still, overall, less costly than Business Email Compromise.
Business Email Compromise (BEC) and its cousin Email Account Compromise (EAC) are complicated crimes that involve several key components to make an attack successful. BEC/EAC fraudsters want your company’s money. To get at that money they target a business and use intelligence and reconnaissance tactics to understand how it operates.
The key to understanding BEC/EAC is that these crimes are people-centric and rely on compromising email accounts to initiate the money transfer. Like the “sting” of old confidence tricks, BEC/EAC is about people tricking people.
The BEC fraudsters use some traditional cybercriminal techniques such as phishing, social engineering and credential stuffing. These techniques are part of the overall cyberattack chain used to collect identity details and trick an employee into transferring money to a fraudster’s bank account.
The recent trends in BEC/EAC show that fraudsters are changing tactics. Whereas they may have spoofed C-Level email accounts in the past, they have expanded their net to include spoofed victims across the business ecosystem.
Trends in BEC fraud
Typical elements of a BEC crime are subject to change when the fraudsters behind a BEC attack see fit. Cybercriminals keep watch of technology and market changes and use these to adjust tactics. Trends in recent years have seen BEC fraudsters extend their email compromise to include the vendor ecosystem of a target business and use stolen W-2 information to build attack intelligence. Any system that offers the fraudster data intelligence to feed back into an attack chain is at risk of compromise/theft.
Some of the latest trends discussed by IC3 in their 2020 report show this ‘track and change’ mode of operation:
Changes that impact businesses such as remote work and market themes
A report from Mimecast found that BEC crime increased by one-third in the first 100 days of the pandemic. BEC fraudsters take note of market trends and drivers. During COVID-19, for example, they used pandemic themes to create phishing templates. The COVID-19 pandemic has shifted the workplace from always in the office to sometimes at home. At home, working has meant that email communications have become more important than ever. Staff is no longer in the same office, never mind the same room. It becomes easier for cybercriminals to rely on mistakes being made and fewer cross-checks available.
As companies continue to accept home working as the new normal, BEC tactics must become part of an ongoing security awareness discussion with employees. In addition, policies and processes need to take BEC into account with remote working practices reflecting the risk level of BEC to given employees and departments (such as payments).
Mosaic cybercrime tactics
A mix and match approach to committing wire fraud (BEC/EAC) has been identified by IC3 as a new BEC tactic. Other frauds, such as identity theft and romance scams, deliver the data intelligence needed to propagate a BEC scam. One such scam was observed to use stolen identity information; identity data was used to create a bank account to move the funds from an illegitimate wire transfer before being transferred into a cryptocurrency account.
Identity theft is a long-reaching cybercrime. For example, if identity data is verifiable, it can be used to open bank accounts. This offers the fraudster a powerful way to commit crimes that are difficult to detect because of the assurance of the underlying identity. Identity systems need to recognize this use of verified identity data and counter-fraud checks during transactions. The banking system, Know Your Customer, and due diligence (KYC/CDD) processes must also be hardened against identity misuse.
Cryptocurrency provides a mechanism to hide stolen funds, making it hard to trace and recover those monies. In April 2021, the FBI’s IC3 issued a warning of the increasing use of cryptocurrency accounts in BEC fraud. The agency identified two main types of transfer, “Direct” and “Second Hop.”
This method depends on the fact that Cryptocurrency Exchanges (CEs) hold accounts with traditional financial institutions (FIs) to facilitate trading/exchanging on behalf of customers. The victim is scammed in the traditional way using a spoofed or compromised email. The money is transferred and then moved into a cryptocurrency wallet.
This scam relies on the use of identifying documents stolen via romance scams, extortion etc. These scams result in the fraudster having access to identity documents such as a passport, driver’s license etc. These documents are then used to set up custodial bank accounts to receive BEC funds transferred to a CE.
The IC3 presents several mitigating measures to use to protect against a BEC scam. These include using robust authentication when account changes are made and hypervigilant on security awareness and phishing tricks.
Deep fakes and AI
An alleged case of deep fake technology in a BEC scam was already noted in 2019. The case involved a CEO being tricked into transferring $240,000 because he heard what he thought was his parent company boss but was a fake voice. It is only a matter of time before deep-faked identity is regularly used to trick employees and individuals into transferring money or circumvent a bank KYC/CDD processes to create bank accounts for fraudulent transfers. Researchers have already created “master faces” to bypass facial recognition. Researchers state that they can use the technology to impersonate around 40% of the population. And this technology is predicted to be extensible to circumvent the liveness tests used as the industry standard to prevent fraud.
Deep fakes and AI technologies are proving to be a hard security nut to crack. While work is being carried out to improve detection, it may well come down to vigilant business processes and checks to prevent an AI-enabled BEC scam.
Breaking the trust in money flows
BEC fraudsters break the trust in the money flow chain of a business. Fraudsters will use any tactic that fits the bill and apply a mix and match approach to BEC fraud. Cyber fraudsters will watch and learn as the market and business evolve. They will use emerging technologies to perform the basic acts needed to trick employees and individuals. The use of artificial intelligence in the form of deep fakes to commit BEC fraud is not a case of if the technology is used, but when. As potential victims of BEC crime, businesses need to keep vigilant and understand the types of existing and emerging tricks used by fraudsters. This intelligence will help your organization build processes and structures to help employees spot a potential fraud before any money is moved.
- Infosec, Cybersecurity Weekly: Acer hacked, Exchange targeted, Zoom bugs
- FBI, Internet Crime Complaint Center 2020 Report
- Mimecast, 100 days of coronavirus
- FBI, Rise In Use of Cryptocurrency In Business Email Compromise Schemes
- Vice, Researchers Create ‘Master Faces’ to Bypass Facial Recognition
- Infosec, Low-tech social engineering attacks