Want to get a sense of the carnage being caused by business email compromise (BEC) attacks? Look no further than an October 16 report from the Securities and Exchange Commission on an investigation into nine publicly-traded companies that were swindled out of $100 million through BEC scams.
It isn’t pretty. According to the report, one of these companies made 14 separate wire payments for fake invoices over the course of several weeks—racking up $45 million in losses. Another paid out $30 million.
As for the other seven? Each lost at least $1 million, averaging $3.6 million in damages per company.
Even harder to stomach is that these tallies all stem from the kind of plaintext email messages that employ identity spoofing and social engineering to fool recipients into thinking they’re responding to someone they know and trust.
These businesses are hardly alone. More than 92% of companies report being hit by this type of targeted email attack in just the last 12 months, with 20% suffering direct financial losses.
Here are five reasons these schemes are growing more common—and more effective—by the day.
A big part of these attacks involves making it appear as if emails are coming from a trusted individual. If fraudsters aren’t able to hijack that individual’s email account, they’ll use display name tricks, domain spoofing, or other tactics to make their malicious messages appear legit. Also a big help: your mobile phone.
Today, more than 59% of emails are opened on a mobile device, whether it’s between meetings, out in the field, or while standing in line at the grocery store. According to researchers, email impersonation targeting businesses is much easier to carry out when recipients receive fraudulent messages via a mobile device.
That’s because most mobile email clients display only the sender’s name—not the email address. Recipients pressured to act quickly while out of the office are unlikely to dig further before reacting to messages that appear to be urgent.
Interestingly, none of the nine successful BEC campaigns in the SEC’s investigation involved an account takeover (ATO)-based attack launched from a hijacked email account belonging to a senior executive within one of the targeted organizations.
In cases where a company’s own senior executives were impersonated, fraudsters most often used domain- or display-name spoofing. Only when the attacks purported to originate from outside suppliers did the fraudsters utilize a hacked account. And these days, these kinds of attacks are easier than ever to pull off.
Thanks to a never-ending stream of data breaches, email login credentials belonging to high-value business targets are readily available on the dark web for just a few hundred dollars, greatly reducing the time and effort required to launch an ATO-based BEC scam against a large corporation.
Despite significant resources spent on training, employees are actually getting worse at spotting email attacks.
In a 2017 industry survey, 8% of employees struggled to identify phishing messages. But this year, that number has grown to 14%. Nearly 40% of employees cannot identify a BEC attack, either. And even with the best training, the sheer volume of clever new attacks means training will only get you so far.
According to Dark Reading, a combination of plain text email requests for wire transfers, followed by a phone call, is especially effective. Making matters worse: A study from Lloyds Bank found that 25% of staffers who fell victim to BEC scams admitted to hiding their mistake out of embarrassment—leaving cyberthieves free to continue their con.
Thanks to mistakes made by companies in the way they configure email settings, many are inadvertently making it easier for cybercriminals to collect the information they need to launch attacks.
In one recent study from Digital Shadows, over 12 million email archive files were found exposed online—including 27,000 invoices, 7,000 purchase orders, and 21,000 sets of payment details. With the right knowledge, it’s relatively easy for savvy hackers and networked cybercrime rings to collect everything they need to add BEC to their portfolio of services sold to other thieves.
As a result, even the least tech-savvy scammers can outsource their cons for as little as $150, according to HelpNetSecurity. Many BEC-as-a-Service offerings promise results in as little as one week—which could foreshadow a marked increase in new BEC attacks in coming months.
As the SEC report suggests, many organizations lack proper security controls for verifying wire transfers over a certain amount or set to be sent out of the country. More crucially, most are unable to prevent BEC attacks from reaching employees in the first place.
Traditional secure email gateways (SEGs) and other security solutions are proving unable to detect and disrupt today’s socially-engineered, plain-text email-based attacks. And most systems don’t even monitor email traffic within their own systems.
What’s needed is a protection model that relies less on scrutinizing email content and infrastructure reputation, and more on modern, AI-based solutions that are able to recognize and infer relationships between the sender and receiver in order to spot anomalous behaviors or other signals—device, location, email volume, etc.—that could identify and disrupt the attack.
It’s worth noting that the SEC declined to press charges against any of the nine companies involved with its investigation. But it warns that any public company’s failure to detect or prevent a successful BEC scam could still support charges that it failed to implement sufficient internal accounting controls as required under current regulations.
Still, with $12.5 billion in business losses caused by BEC fraud, and the growth in new attacks up 58% so far this year, businesses already have plenty of incentive to find ways to detect and disrupt attacks—long before the SEC has any reason to come calling.
To learn more about BEC attacks and best practices for defending against them—including modern, AI-based advanced email protection—download a special report from Agari and Osterman Research.