Ransomware may steal headlines, but BEC is the silent killer

Business Email Compromise (BEC) is one of cybersecurity’s biggest threats.

You might not get that impression from the headlines, which are often full of announcements about ransomware gangs’ demands. But BEC, in which criminals send targeted emails to trick employees into sharing data or making payments, arguably costs the average organisation far more in damage. Here, we explore what BEC is, why it matters and how you can guard against attacks.

Why Business Email Compromise is a serious threat

The biggest threats in cyber are evolving from year to year, with the Australian Cyber Security Centre (ACSC) rating fraud, shopping and online banking as the greatest risks in 2021. Business Email Compromise is not far behind.

While the number of reported attacks in Australia went down slightly in 2021, the average loss per incident rose by 50% year on year to over $50,600, as criminals become more sophisticated and organised. One Australian hedge fund lost $8.7 million after paying false invoices, suffering significant reputational damage and eventually filing for bankruptcy.

Ransomware gets the headlines, but BEC needs your attention

In total, the ACSC received 4,600 reports of BECs in the last year, compared to less than 500 reports of ransomware. Similarly, the FBI’s Internet Crime Complaint Center reported that US companies had suffered losses of $1.8 billion from BEC, but only $29.1 million from ransomware. The big numbers of a few high-profile ransomware cases (not to mention the fact that ransomware’s very name drips Hollywood drama) make its threat seem larger.

None of this means that ransomware isn’t a threat – ransomware poses an increasingly critical risk, and is often under-reported. But smart cyber professionals know that the ransomware headlines should not distract cybersecurity teams from BEC attacks.

How BEC criminals choose their targets

Business Email Compromise is often referred to as a social engineering crime, which means it involves psychological manipulation. Unlike an indiscriminate email scam, in which criminals rely on a high volume of generally unsophisticated emails to hook a few victims, BEC attacks are generally planned and precise.

The scammer will usually make it look like their fake email comes from a trusted person, using a spoofed email address or a compromised account, and then inserting themselves into a conversation. They may pretend to be a partner or employee.

The criminals can take days or weeks finding their targets, researching websites, social media and the dark web to uncover both their recipient’s contact details and other data that may help them present a convincing front. Being able to “follow up” on a real conference a CEO spoke at, or refer to a project that a financial controller has been tracking, will make their deception far more likely to succeed. Executives and accounts staff are particularly appealing targets.

The types of BEC attack – and why they’re so dangerous

While phishing (via email) is the most common approach, smishing (SMS) and vishing (by voice) are also growing into bigger dangers. The attack may take place via just one email or a longer thread. Attack types include:

1. CEO impersonation: a fake CEO requests funds be transferred to the criminals’ account
2. Lawyer impersonation: an urgent legal request is sent to an employee
3. Data theft: cyberattackers, often impersonating HR, request personal details that can be used in a later attack
4. Employee or partner compromise: criminals pose as employees to request payments from third parties, or pretend to be partners to extract cash from your organisation

BEC attacks may use familiar contacts to gain victims’ trust, or piggyback on existing workflows to encourage staff to act on autopilot. Carefully worded messages and attachments encourage a sense of urgency via words like “overdue” or “immediate action”. Emails may seek to duplicate company phrasing, or to pull in the target with an innocent, business-as-usual question before hitting them with a fraudulent request.

Fake invoices or Google forms, requests for password resets or links to spoofed login pages are all ways in which communication is escalated into fraud. Once payment is made, the money is rapidly spread across multiple accounts to reduce the chances of your company tracking the paper trail.

You need both technology and training to combat BEC

There’s no single solution to Business Email Compromise, because it’s essentially a human-to-human con game. To combat the threat, you’ll need to use technology that can limit the technical risks, and training to help employees recognise fraudulent emails. Both the ACSC and New Zealand’s NCSC offer guidance.

These key approaches can help keep your organisation safe:

1. Use Multi-Factor Authentication (MFA) to make it harder for attackers to compromise email accounts
2. Protect critical data with network segmentation or zero-trust policies
3. Bolster firewalls and existing email security by ensuring they are configured to offer maximum protection, and consider adding purpose-built layers of protection
4. Pay particular attention to temporary and remote workers, who may be less aware of security protocols
5. Use tools such as DMARC to reduce the threat of email spoofing
6. Encourage staff to look out for and report suspicious emails

Frequent, targeted and engaging employee training will yield far better results than templated surveys or bland company-wide videos. Employees should be encouraged to:

1. Be sceptical of unusual requests, especially those that demand an urgent response
2. Think carefully about the message and the sender – either may be fraudulent
3. Question requests that stress the need for confidentiality or bypass usual channels
4. Listen to their instincts – if in doubt, staff should check directly with a colleague, or send a new, separate email to the sender to confirm, rather than simply replying to the message thread

How to beat BEC

It's easy to get caught up in the drama of ransomware threats, but CISOs should not neglect other, more mundane security risks. It's the threats you can’t see coming which are usually the most dangerous, and BEC attacks are especially deadly because they look like typical business comms. The use of spoof email addresses and socially engineered messages can easily sucker unwary staff, resulting in theft, data loss and reputational damage.

To manage the risk of BEC, an approach that combines technological solutions and employee training is required. If your organisation can effectively manage both, then those fraudulent emails can be quickly flagged, reported and left in the trash where they belong.