Let’s hope that 2020 is a less threatening year than 2019 proved to be when it comes to business email compromise attacks. Unfortunately, all indicators say it will not. According to an email security risk assessment report, BEC attacks ramped up 269 percent on a quarterly basis.
The report was based on more than 260 million emails involving nearly 500,000 users and showed that email threats of all types are on the rise. Of the studied allotment, 28.8 million were spam, 28,808 contained malware attachments and another 28,726 contained dangerous file types. More than 60,000 messages contained BEC or impersonation frauds.
The report findings are in line with FBI statistics. According to the FBI’s Internet Crime Complaint Center, estimated global losses from BEC attacks have exceeded $26 billion in the past three years. In fact, losses doubled between May 2018 and July 2019. The reason for the dramatic growth is simple; it pays better than most crimes. According to the FBI, the average loss experienced in a bank robbery is around $3,000 while the average loss for a successful BEC attack is nearly $130,000. The U.S. Treasury Department estimates BEC monthly losses at $300 million.
BEC attacks are about convincing users within an organization to respond to wire transfer requests and other types of social media scams. Unlike traditional phishing campaigns, which cast as wide a net as possible to snare careless users, BEC attacks target specifically identified users, typically high-level executives or managers in the HR or finance departments. Their email addresses are either spoofed or compromised through phishing attacks or trojan-deployed keyloggers. These attacks are carried out with great patience and attention to detail. Once an email account is compromised, attackers will spend weeks, if not months, observing and researching the communicative culture of the organization in order to successfully mimic a real transaction request.
There are a number of different types of BEC attacks. One of the most popular recently is the vendor email compromise (VEC) attack. The VEC attack has a slightly different spin in that the attackers first attempt to gain access to the email of someone in the finance department. This is usually done through a OneDrive- or DocuSign-spoofed phishing attack, which captures the victim’s credentials. With the credentials in hand, the hackers set up forwarding rules on the compromised account that send mail to an inbox they control. They then collect emails for a set period in order to learn which vendors the company uses. Once the perpetrators have enough intelligence, they issue fake invoices to targeted vendors that the company regularly uses. The selected vendors are usually small companies. Because the fake invoices appear to come from a large company, smaller companies are usually less inclined to question them or risk losing the business. They also may lack the cyber hygiene skills and training to discern the illegitimacy of the request.
Traditional BEC attacks are designed to snag one giant payoff, such as convincing the CFO to issue a single wire transfer of a very large sum to a designated account. VEC attacks, on the other hand, continue for weeks or months, making small, continual strikes against unsuspecting vendors. One of the most active perpetrators of these attacks is a West African cybergang that has successfully infiltrated more than 500 companies in 14 countries over the past year.
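One way a defender can hunt for the forwarding rules that VEC attackers plant on a compromised finance mailbox, as an added example that is not part of the original post and not a TitanHQ product feature: a Python audit over an exported set of inbox rules that flags rules forwarding or redirecting mail outside the organisation, deleting the original, carrying a blank name, or keying on invoice/payment subjects. The JSON shape, the internal domain example.com and all addresses are constructed assumptions, not any vendor's real export format.

```python
import json
from email.utils import parseaddr

# Constructed sample: three inbox rules in an assumed JSON shape, like a defender might
# export from a mail platform's admin API. Not a real vendor's format.
SAMPLE_RULES_JSON = """[
 {"mailbox": "ap.clerk@example.com", "name": "Invoices",
  "forward_to": ["ap.clerk@examp1e-mail.test"], "delete_message": true,
  "conditions": {"subject_contains": ["invoice", "payment"]}},
 {"mailbox": "cfo@example.com", "name": "Copy to assistant",
  "forward_to": ["assistant@example.com"], "delete_message": false,
  "conditions": {}},
 {"mailbox": "hr.lead@example.com", "name": ".",
  "redirect_to": ["archive@mail-backup.test"], "delete_message": true,
  "conditions": {"from_contains": ["vendor"]}}
]"""

INTERNAL_DOMAINS = {"example.com"}  # assumed: the organisation's own mail domains
FINANCE_WORDS = {"invoice", "payment", "wire", "remit", "bank"}

def external_recipients(rule, internal_domains):
    # Forward and redirect targets whose domain is not one of ours.
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    return [a for a in targets
            if parseaddr(a)[1].rpartition("@")[2].lower() not in internal_domains]

def assess_rule(rule, internal_domains):
    # Reasons this rule resembles attacker persistence; an empty list means benign.
    findings = []
    ext = external_recipients(rule, internal_domains)
    if ext:
        findings.append("forwards mail outside the organisation: " + ", ".join(ext))
        if rule.get("delete_message"):
            findings.append("deletes the original, hiding the forward from the owner")
    if len(rule.get("name", "").strip()) <= 1:
        findings.append("rule name is blank or a single character")
    words = {w.lower() for w in rule.get("conditions", {}).get("subject_contains", [])}
    if words & FINANCE_WORDS:
        findings.append("filters on finance keywords: " + ", ".join(sorted(words & FINANCE_WORDS)))
    return findings

def audit_rules(rules_json, internal_domains=INTERNAL_DOMAINS):
    # Map "mailbox/rule name" to its findings, for every rule that raised at least one.
    report = {}
    for rule in json.loads(rules_json):
        findings = assess_rule(rule, internal_domains)
        if findings:
            report[rule["mailbox"] + "/" + rule["name"]] = findings
    return report
```

Running `audit_rules(SAMPLE_RULES_JSON)` flags the accounts-payable and HR rules and leaves the CFO's internal copy rule alone; the same checks can be scheduled against a real export so new external forwards surface within hours rather than months.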
Another type of BEC attack identified by the FBI involves HR departments. The most popular HR scam currently involves payroll diversions, which have increased by 815 percent over the past year. For these attacks, hackers use spoofed log-in pages to lure employees into entering their email credentials. Once the credentials are captured, the hackers use the compromised accounts to ask HR to change the employee’s direct deposit details. If an HR employee accommodates the request, the victim’s pay is then directed to a prepaid card account, which the attacker quickly cashes out. According to the FBI, the average reported payroll diversion attack resulted in a loss of $7,904 during the first half of 2019. Total losses over that time were $8.3 million.
BEC attacks are highly complex, so there is no single sure way to eradicate them. One of the most effective ways to start is with a modern, robust email security solution such as SpamTitan. SpamTitan utilizes an array of tools such as antivirus scanning, heuristic analysis, DMARC authentication and sandboxing. Few vendors offer all of these solutions in one package. Multifactor authentication is also an important tool to add to any multilayered security strategy. Requiring a second authentication method makes it far more difficult for cybercriminals to capture user credentials. Password protection by itself is no longer enough. Other tools, such as a sophisticated web filter, help block user access to phony portals. The expanding nature of cyberattacks today requires an expanding array of security tools. We hope you will consider TitanHQ solutions as part of your cybersecurity strategy for 2020.