Understanding BEC Scams: Supplier Invoicing Fraud
Emile Abou Saleh, Regional Director, Middle East and Africa at Proofpoint, says as cybercriminals continue to capitalise on the human factor, it is paramount to understand how BEC Scams work and how to prevent it.
Business Email Compromise (BEC) and Email Account Compromise (EAC) afflict businesses of all sizes across every industry. More money is lost to this type of attack than any other cybercriminal activity.
The FBI reported that from June 2016 to June 2019, companies reported $26.2B in losses. And in 2019 alone, BEC scams accounted for more than half of all cybercrime losses—an estimated $1.77B. The average loss per BEC incident in 2019 was $74,723. Additionally, latest UAE CISO Report from Proofpoint shows that 80% of CSOs and CISOs in the UAE suffered at least one cyberattack in 2019, with over half citing multiple incidents. People-centric attacks top the list and among them 15% were originated by BEC attacks. As cybercriminals continue to capitalise on the human factor, it is paramount to understand how this type of attack works and how to prevent it.
What Is BEC Supplier Invoicing Fraud
BEC supplier invoicing scams are sophisticated and complex schemes to steal money by either presenting a fraudulent invoice as legitimate or by re-routing the payment to a bank account controlled by the attacker. These scams are often the costliest for victim organisations.
BEC supplier invoicing fraud can be so successful that even prominent, well-known individuals can fall for them.
Similar to gift card scams and payroll diversion scams, supplier invoicing scams rely on social engineering and impersonation to convince the target victim to send money to the attackers. But what sets BEC supplier invoicing scams apart is not just the large dollar amounts often associated with these scams, but also the complex nature of these scams.
While gift card scams are relatively simple, using maybe one email targeting one employee, supplier invoicing scams are more byzantine involving compromise and impersonation of trusted vendors and carried out in multiple stages against multiple individuals and organisations. The impersonation can either be at an account level or at the domain level (e.g. domain lookalikes).
How BEC Supplier Fraud Works
Many of the BEC supplier invoicing attacks Proofpoint has observed indicate that these attacks originate from a legitimate email account that has been compromised. These compromised accounts are highly prized by threat actors. They can conduct extensive reconnaissance and fraudulent emails sent from the compromised account will pass email authentication controls (e.g. DKIM, SPF, DMARC) because they are sent from a legitimate account.
Once a legitimate transaction is identified, the threat actor “thread hijacks” an already in-progress email conversation about the transaction. Since the attacker’s message is part of an email thread that the target victim reasonably believes to be legitimate, their message has greater credibility. As such requests for bank account changes due to audit or COVID-19 seem more plausible. This believability and trust are key elements of social engineering. By their very nature, thread hijacking attacks are very difficult, if not impossible for users to identify, making this a threat vector where technology countermeasures are particularly needed and useful.
At this stage of the attack, the threat actor pivots to a supplier account impersonation tactic where the attacker inserts an impersonated account in the “reply-to” or “cc” of the email conversation, which can be a lookalike of the supplier domain.
The impersonation pivot allows the threat actor to maintain the email conversation with the target when the compromised account is remediated. In many cases, the email thread continues via the impersonated account. Shifting the conversation to the impersonated account also makes it more difficult for forensics and investigations because you lose the logs in the supplier SEG.
Additionally, using both authority and urgency are other common social engineering tactics in BEC attacks. Also notable is that the fraudulent emails are devoid of any malware payload such as an attachment or URL. There are no links or attachments for the victims to click.
It is clear that attackers weave together identity deception, authority, and urgency while using tactics like account compromise and impersonation that pivot all to make a fraudulent bank account change request seem legitimate so that the target will pay the invoices to the threat actor’s bank account.
Are You Protected?
BEC supplier invoicing scams are not sophisticated in their goals or even their tactics. The goal is simple: convince a target victim a fraudulent invoice is legitimate, so they’ll pay it. The tactics primarily focus on spoofing and account compromise: tactics that are not technically sophisticated.
However, BEC supplier invoicing fraud weaves these tactics together in creative ways which is why BEC supplier invoicing scams continue to be successful. The end result of these tactics is a multi-layered fraud that is reasonably, highly credible.
One of the most important things CISOs can do to help protect against BEC is to understand how prepared your organisation is to combat them. As BEC supplier invoicing fraud relies on social engineering to trick end users, it’s critical to continuously train employees about these types of scams, enabling them to report messages as suspicious and automate their investigation and remediation.