The anatomy of a $26bn cyber threat

It’s been a long time since a threat has focused the attention of cybersecurity professionals quite like Business Email Compromise (BEC).

Amid the serious risks BEC attacks represent to organizations, there has been a significant increase in cybersecurity efforts. BEC is so potentially damaging that the FBI issued a Public Service Announcement in September 2019 warning of the threat and estimating that it has cost global businesses around $26bn since 2016.

According to a Mordor Intelligence report, in the Middle East and Africa region, the cybersecurity market is expected to grow approximately by $7 billion reaching $12.54 billion by 2023. What makes the rise of BEC so concerning is not necessarily its increasing prevalence, but its worryingly high success rate and the fact that despite its high profile, organisations are still struggling to defend against it.

The anatomy of a BEC attack
To understand the continued success of BEC, we must first understand the mechanics of an attack.

BEC takes place when an attacker poses as a trusted individual within an organisation to reroute funds or access privileged data. This occurs either by spoofing a company domain or commandeering a legitimate email account.

BEC attacks are usually highly targeted, aimed at specific decision-makers or those in authority. Anyone authorised to complete financial transactions during the normal course of business is potentially a target.

There are usually four stages to a sophisticated BEC attack:

• The research: Unlike mass, blanket attacks, BEC attackers usually take the time to identify specific individuals within an organisation. Information is gathered from a range of sources to create believable communications once the account is compromised.
• The groundwork: BEC attackers often attempt to build relationships with those who have financial decision-making authority. Usually through spoofed or compromised email accounts, this interaction can take place over days, or even weeks or months to build trust and familiarity.
• The trap: Once the attacker has compromised an account, or accounts, and is satisfied that the victim believes them to be genuine, they make their move. In most cases, the target is asked to initiate a wire transfer or alter payment details on an existing pending payment.
• The fraud: Believing the request to be genuine, the victim sends funds to the fraudster’s account. These are usually moved on quickly, making them harder to recover once the fraud has been discovered.

As scams often take the form of an everyday request, such as changing payment details, and seemingly come from legitimate senders, they are incredibly difficult to defend against.

What’s more, unlike other popular threat vectors, BEC carries no payload. No phishing link or malware-packed attachment – nothing that is likely to set off alarm bells.

The attacks also target people, not networks, and play into simple human psychology. Lower level employees, who are usually the target of fraudulent requests, are less inclined to question the authority of CEO, CFO or similar. BEC attackers rely on this natural human instinct to defer to those in authority.

Finally, once an account compromise has taken place, an attacker is inside the defences of your organisation. With no questionable attachments or bogus links to raise the alarm, fraudulent requests can sail through even the most robust email security and into the inbox of an unwitting victim.

BEC is an attack on a human target and therefore requires a human defence. The only way to successfully fend off such an attack is to ensure everyone in your organisation knows exactly how to spot one.

Of course, this is not always easy. The first step is to train employees to be on the lookout for changes in the behaviour of suppliers, CxOs, HR, accounts departments and the like. Any out of the ordinary requests or amendments should also be heavily scrutinised.

All employees at all levels should also be practising basic security hygiene – using strong, unique passwords for all accounts, not just those connected to work, and making use of two-factor authentication where possible.

Unfortunately, due to the nature of BEC attacks, all the training and protections in the world are unlikely to keep out 100% of attempts. The fact remains that even with these defences in place, many BEC attacks continue to slip through the net – because an effective attack is often indistinguishable from a genuine email request.

There is a simple additional step, however, that can go a long way to ensuring a successful attempt doesn’t become a successful attack. All that’s required is a change in organisational policy.

All organisations should consider introducing verification systems for certain requests, such as changes to payment details, or new requests made via email for payments of any sort. Quite simply, if there is a financial consequence to any action, it should not be actioned via email.

Requests of this nature should be verified independently, away from your company’s email system via a known and recognised telephone number.

This simple step can undo weeks if not months of hard work for an attacker and keep your funds out of their hands.

Ultimately, BEC works because it is low profile and unassuming. So rather than trying to spot a smoking gun, train your employees to be vigilant around all forms of email communication.

Additional verification may add a few minutes of inconvenience when actioning a genuine request, but that’s nothing compared to the pain of a successful BEC attack.