Email Security

    Business Email Compromise Spreads in New Directions 

    Cybercriminals continue to evolve BEC to invade today’s hybrid workplace, elude improving cyber defenses, and exploit new technology. 

    by Mercedes Cardona

    Key Points

    • As businesses have improved their cyber defenses, cybercriminals have continually found new ways to attack.
    • Business email compromise, a case in point, has spread across text messaging, collaboration platforms, search engine advertising and other channels. 
    • Attackers are also using new technologies such as artificial intelligence to improve BEC impersonation.  

    Cybercriminals are nothing if not flexible. As businesses improve their threat intelligence and security systems, attackers adapt their tactics to match. This is particularly the case with business email compromise (BEC), the category of phishing that targets companies to steal money or information. Attackers have also been busy adapting their BEC campaigns to exploit the shift to remote work and the emergence of new artificial intelligence (AI) tools. 

    In its most recent report, the Anti-Phishing Working Group (APWG) said that phishing and BEC were booming in the third quarter of last year.[1] Almost all of the companies polled in Mimecast’s State of Email Security 2023 report (SOES 2023) said they have had to fend off a growing number of BEC attempts in the past year. But they said the increasing sophistication of these attacks is an even bigger problem than their sheer volume.

    As more companies deploy secure email gateways to filter out malicious mail, scammers have moved to channels those gateways do not inspect. These include increasingly sophisticated forms of “smishing” and “vishing,” collaboration platform attacks, social media scams, and fake ads in search results, as described below.
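    To make concrete what those gateway filters actually look at, here is an added example (written for this page, not Mimecast's product logic) of the header and content checks a gateway applies to a BEC message: executive display-name impersonation, lookalike sender domains, Reply-To diversion, urgent payment wording, and a missing DMARC pass on mail that claims the company's own domain. The organisation domain, the executive list and both sample messages are constructed assumptions for the example.

```python
"""Minimal BEC impersonation checks of the kind a secure email gateway applies.

Added example, not Mimecast's code. ORG_DOMAIN, EXECUTIVES and the two sample
messages below are constructed assumptions for illustration.
"""
import email
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumption: the protected domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumption: display name -> real mailbox


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small distances flag lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message (empty list if clean)."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(addr)
    findings = []

    # 1. Display name matches a known executive but the address is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"display-name impersonation: '{name}' <{addr}>")

    # 2. Sender domain is a near-miss of the organisation's own domain.
    if from_domain != ORG_DOMAIN and 0 < _edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append(f"lookalike domain: {from_domain}")

    # 3. Reply-To diverts replies away from the From domain.
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"reply-to mismatch: {reply_addr}")

    # 4. Payment language combined with urgency or secrecy cues.
    body = msg.get_payload(decode=True)
    text = body.decode(errors="replace") if body else ""
    if re.search(r"\b(wire|transfer|payment|invoice)\b", text, re.I) and \
       re.search(r"\b(urgent|today|asap|confidential)\b", text, re.I):
        findings.append("urgent payment request wording")

    # 5. Mail claiming our own domain must carry an upstream DMARC pass
    #    (assumes the receiving MTA stamps an Authentication-Results header).
    auth = msg.get("Authentication-Results", "")
    if from_domain == ORG_DOMAIN and not re.search(r"dmarc=pass", auth, re.I):
        findings.append("claims own domain without DMARC pass")
    return findings


# Constructed sample: CEO impersonation from a lookalike domain with a diverted Reply-To.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@example.net
To: finance@example.com
Subject: Urgent wire today

Please process the attached invoice by wire transfer today, keep it confidential.
"""

# Constructed sample: legitimate internal mail with a DMARC pass from the MTA.
SAMPLE_OK = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Subject: Q3 planning

Can we meet Thursday to go over the budget?
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("OK", SAMPLE_OK)):
        print(label, bec_indicators(sample) or ["no indicators"])
```

    Each check is cheap and individually noisy; a gateway scores them together and routes anything above a threshold to quarantine or a banner. Note that none of these header checks exist on SMS, a phone call or a chat message, which is exactly why the attacks described next moved there.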

    BEC Expands into Vishing and Smishing

    Garden-variety BEC scams with malicious links or attachments have spread into smishing and vishing. As their names imply, these use SMS text and voice calls to reach their targets. The scammers often use robodialers and mask their phone numbers, including spoofing familiar numbers or displaying a fake identity in a phone’s caller ID. That way, they can impersonate “cardmember services” or a package delivery service and get recipients to click on a malicious link or hand over sensitive information. 

    Text-based scams have become so prevalent that the Federal Communications Commission (FCC) put out an alert in 2022, warning people to beware of suspect texts. According to the FCC, complaints about smishing shot up from 5,700 in 2019 to 8,500 in just the first half of 2022.[2]

    Collaboration Platforms Attacked

    Many companies — especially those with large numbers of employees still working remotely — rely on video meetings and collaboration platforms. The ubiquity of these tools has made them a ripe new target for cybercriminals. 

    The FBI recently warned about attackers using video conferencing platforms to impersonate company officers.[3] In one scheme described in the warning, an attacker sends a meeting invitation from a compromised email address, then connects via audio only — or complains about a weak connection to mask their identity — and convinces employees to initiate a money transfer to an account controlled by the cyber thief. 

    Social Media Scams Diversify

    Social media scams continue to evolve, as well. “Angler phishing,” where attackers intercept social media interactions with brands, has been a problem affecting customer service for a while. Now it has expanded to business email compromise. Many organizations have warned recently about BEC using the messaging functions on LinkedIn.[4]

    Technological innovation has also given bad actors new tools to create fake profiles that get around protections on sites such as LinkedIn. Using AI and deepfake profile pictures to avoid detection, scammers pose as headhunters or personal finance managers to dupe professionals. 

    Fake Ads Invade Search Results

    During last year’s holiday season, as many employees were shopping online at work, the FBI was warning about scams that leveraged search advertising.[5] When users searched for a product or service, the ads appearing at the top of their screens were actually driving them to fake websites. There, scammers would harvest passwords for later use, extract fraudulent payments, or plant malware on the user’s computer that, in turn, could infect their employer’s network.

    The FBI’s warning singled out cryptocurrency platforms as the target of one recent spate of attacks, but these brand impersonation incidents are widespread. And they not only harm the users targeted, but also cause untold brand damage to the businesses being spoofed. 

    Attackers’ Technology Evolves, Too

    The scammers’ tools have evolved, as well. Cyber risk has been front and center in conversations about the surging uptake of generative AI technology, including tools like ChatGPT and Copilot that can accelerate and improve the development of content and code. Over half of IT professionals responding to a recent survey expressed concern about how the tools could help scammers craft more believable phishing emails and predicted related cyberattacks this year.[6]

    The FBI has also warned that attackers are moving beyond conventional image-editing tools like Photoshop to AI as they create “synthetic content” such as fake profiles for BEC and other attacks.[7] According to the agency, BEC is evolving into “business identity compromise.” Rather than compromising email accounts, attackers now create fake employee identities or take over an actual employee’s identity, not just their email address. “This emerging attack vector will likely have very significant financial and reputational impacts on victim businesses and organizations,” the FBI said.

    Anti-Phishing Best Practices

    Companies fight BEC on multiple fronts, with innovative technologies and employee awareness training. But it takes more, as Mimecast Chief Technology Officer David Raissipour recently wrote in Forbes. It takes a change in mindset, embracing a team sport philosophy across the company, supported by well-integrated systems. The three tenets of this philosophy are: 

    • Empower: Saying that security is a shared responsibility is not enough. Every function in the organization has a role to play, and every group of stakeholders — employees, vendors, and the C-suite — needs to be enabled to do its part. The workforce should be empowered with user awareness training to sharpen their email, password, and security discipline. The C-suite also needs training to develop awareness of the connection between cybersecurity and business risk. Security teams need the latest AI-powered tools to defend more effectively against tech-savvy cyber thieves, by streamlining processes, automating time-consuming tasks, and improving both threat detection and response.
    • Simplify: The downside of empowering a security team with new tools is known as “tool sprawl”. The average company can have 60 to 80 such tools in use. This kind of reaction to rising threats may just add to the load on security teams, who are already risking burnout. Each new solution requires deployment, configuration, and maintenance, and each adds complexity to manage, leaving vulnerabilities and gaps in the security mesh open to attack. It falls to security and risk management leaders to prioritize and simplify — sorting out which tools help streamline incident detection and response, which can work with other systems to share real-time visibility and threat intelligence, and which can really secure employees wherever they are working.
    • Partner: Third-party integrations can empower and simplify. Fighting off evolving, socially-engineered attacks calls for integrating a suite of security solutions that combine detection, prevention, and response. As Gartner advocates in its “cybersecurity mesh” architecture, integrating best-in-class tools from various vendors can increase the effectiveness and efficiency of security — including those tricky hybrid and cloud environments — while controlling tool sprawl and protecting data across its lifecycle.

    The Bottom Line

    Cyberattackers are constantly evolving their tactics for business email compromise. They move in to exploit new channels of communications, such as collaboration platforms, and to leverage new technologies such as ChatGPT and deepfakes — often as fast as companies’ security teams can figure out how to stop the last trick they used. Businesses need to pair awareness training at all organizational levels with integrated detection, prevention, and response to effectively defend against emerging threats. Read how, in our CTO’s Forbes article on “Why Combatting Social Engineering Attacks Requires a Team Sport Approach.”


    [1] “Phishing Activity Trends Report, 3rd Quarter 2022,” Anti-Phishing Working Group 

    [2] “FCC Warns Consumers of Rising Threat of Scam Robotexts,” Federal Communications Commission

    [3] “Business Email Compromise: Virtual Meeting Platforms,” FBI

    [4] “LinkedIn Credential Phishing Attacks,” New Jersey Cybersecurity & Communications Integration Cell

    [5] “Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users,” FBI

    [6] “ChatGPT May Already Be Used in Nation-State Cyberattacks, Say IT Decision Makers,” BlackBerry

    [7] “Malicious Actors Almost Certainly Will Leverage Synthetic Content for Cyber and Foreign Influence Operations,” FBI
