Business email compromise (BEC) fraud is a lucrative venture, and now that industry is expanding in a troubling way—by lowering the barrier to entry so that anyone with a couple hundred bucks can outsource a BEC attack. BEC criminals are organized, behaving in many ways like legitimate businesses. And just like any successful company in a growing industry, these criminals are looking to add another revenue stream to their business model: BEC-as-a-Service. These bad actors make it easy for their customers to impersonate CFOs and other executives to request urgent wire transfers, payment of fake invoices, and other actions designed to divert their targets’ money into their hands.
This is bad news in an environment where BEC attacks already cost organizations billions of dollars. Businesses worldwide have lost more than $12.5 billion to BEC scams since 2013, and the rate of BEC-related losses rose by 136% from December 2016 through May 2018. Most security experts expect the rate of BEC attacks to keep rising throughout 2019, especially now that even people who can’t orchestrate their own frauds can order a BEC for hire.
There are several factors that make BEC the scam of choice for many fraud rings—mostly related to the fact that there is an abundance of cheap or free data available to would-be scammers. Criminal organizations like London Blue have discovered they can save time collecting data on CFO targets by buying huge lists from legitimate lead-generation companies that serve marketers. Gangs that have the resources to buy large quantities of validated data can bypass the research stage and go straight to sending fraudulent emails.
For would-be BEC attackers with smaller budgets, there are plenty of stolen email addresses and passwords for sale on the dark web. The never-ending stream of data breaches feeds into this pool of stolen data, with 4.5 billion compromised records in the first half of 2018 alone. Weak email passwords and lax email archive security are part of the problem, too.
Due in part to bad email storage practices, many attackers have no trouble getting their hands on credentials for free. Digital Shadows recently found more than 12.5 million email archives with financial and other sensitive data that were visible to anyone who cared to look, since they were backed up on publicly accessible platforms.
For would-be criminals who don’t have the big money to buy a marketing list or the tech know-how to harvest their own target data for free, the dark web is home to criminals who are happy to do the heavy lifting, compromising email accounts for fees as low as $150 or a percentage of the fraud’s proceeds. The service providers make money, their clients get a passive stream of fraudulent income, and businesses, charities, and government agencies continue to get ripped off.
Collecting the data, or hiring someone else to collect it, is easy. So it’s sobering to realize that that’s the hardest part of the BEC process. The most common defenses against BEC aren’t anything you’d want to stake the bank on—organizations are often safeguarded only by outdated security technology and the ability of employees under pressure to accurately spot scams.
Once a BEC email is sent, it is up to traditional Secure Email Gateway (SEG) technology to stop the attack. Unfortunately, SEGs look for suspicious links and attachments, not identity-deception attempts. Without a malicious payload to trigger SEG screening parameters, BEC emails typically sail right through to land in their targets’ inboxes.
That leaves your organization’s people as the last line of defense. And BEC scammers have a way around those defenses, as well—exploiting the way people use their mobile phones. Most emails are opened on smartphones now, where users can see the sender’s name but not the address the message came from, which is often the only thing that can give away a scam attempt. Combine limited information about the sender, an assumption that the message comes from someone they trust (or report to), and a time-sensitive request to wire funds or pay an invoice, and it’s easy enough to get some recipients to follow those sketchy instructions.
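The display-name deception described above can be surfaced before a message reaches a phone screen by checking whether the From header borrows a known executive’s name while using a different address, and whether the body carries the kind of urgent payment request the post describes. The example below is added here and is not Agari’s code; the executive directory, org domain and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: executive display names -> their real mailbox.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phrases typical of the urgent wire/invoice requests BEC lures rely on.
PAYMENT_PATTERN = re.compile(
    r"\b(wire transfer|pay(?:ment of)? (?:this|the) invoice|urgent)\b", re.I)

def normalize(name):
    """Lower-case and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())

def assess(raw_message):
    """Flag a message whose From display name matches an executive but whose
    address is not that executive's, and note any payment request in the body."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    expected = EXECUTIVES.get(normalize(display_name))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    name_borrowed = expected is not None and address.lower() != expected
    external = domain != ORG_DOMAIN
    body = msg.get_payload() if not msg.is_multipart() else ""
    asks_for_money = bool(PAYMENT_PATTERN.search(body or ""))
    if name_borrowed and asks_for_money:
        verdict = "high"      # executive name on an outside address + money request
    elif name_borrowed or (external and asks_for_money):
        verdict = "medium"
    else:
        verdict = "low"
    return {"display_name": display_name, "address": address,
            "name_borrowed": name_borrowed, "external": external,
            "asks_for_money": asks_for_money, "verdict": verdict}

# Constructed sample messages: a display-name spoof and a genuine internal mail.
SPOOF = """From: Jane Doe <jane.doe.ceo@freemail.example>
To: ap@example.com
Subject: Quick favor

Need you to process a wire transfer before end of day. Will explain later.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 numbers

Please send me the Q3 board deck when it is ready.
"""

if __name__ == "__main__":
    for sample in (SPOOF, LEGIT):
        print(assess(sample))
```

A mobile client shows only "Jane Doe" for both samples; the check above tells them apart on the address the client hides.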
For every factor that makes BEC attacks so easy, there’s a way to make your organization safer—except maybe one. Human nature is not likely to change much, at least not on a timescale that’s going to protect your business. Company-wide security training can help, but people (even security experts) will always be prone to errors in judgment, especially when they’re under stress, in a hurry, and checking their email on their mobile phones.
One way to keep BEC scammers from walking off with your company’s data (or downloading it from the dark web) is to make it more secure. Now is the time to audit, and perhaps overhaul, your organization’s email archiving practices to ensure that your sensitive messages aren’t visible to the public. Considering how many compromised business email/password combinations are already available for purchase, this is also a good time to require stronger passwords and more frequent password changes for your employees’ email accounts.
Those changes can reduce your risk of BEC and other types of advanced email attacks over the long term. But in order to be truly effective, organizations need to block the emails that scammers send so people are no longer under pressure to guess which emails are trustworthy and which are not. Agari Advanced Threat Protection does what a traditional Secure Email Gateway cannot—comparing the behavior of each email’s perceived sender with the behavior of the real identity-holder to evaluate each email in the context of the sender-receiver relationship. Valid messages get approved—scams get filtered out.
Learn more about how cybercriminals use business email compromise to scam organizations in our recent report on London Blue—a cybergang focused on scamming employees using the name of their CFO.