Business email compromise (BEC) is a typically dispassionate piece of cybersecurity terminology that actually signifies one of the biggest online threats facing organizations today. In fact, threat actors made more money from BEC scams last year than any other type of cybercrime, according to an annual FBI report published recently. The bad news is that these cyber criminals are not content to stick with tried-and-tested techniques. Increasingly they’re leveraging AI-powered technologies to make their scams seem even more convincing to unwitting employees.
After several years on the receiving end of mounting BEC losses, it’s time for organizations to fight back. And the best way of doing that is by going back to basics, with a focus not just on staff training but also on making business processes more resilient and sourcing the right tools to spot attacks early on.
What BEC means in 2022
BEC is a classic con trick, updated for the digital age. An attacker pretends to be someone they’re not, often a supplier or even the CEO of an organization. They may email over a legitimate-looking invoice from a third party or send a hasty message from the ‘boss’ with urgent payment instructions. The trick is to persuade the recipient, usually a member of the finance team, to follow those instructions, without first double-checking with colleagues or the supposed sender.
It seems to be working far too well. The FBI’s Internet Crime Complaint Center (IC3) said it received 19,954 reports from victims in 2021. This puts it in ninth place by volume on the report, far behind the leading cybercrime types of phishing (323,972) and non-payment/non-delivery (82,478). However, when it comes to victim losses, BEC tops the lot at nearly $2.4bn—significantly higher than second-placed investment fraud ($1.5bn).
This means BEC accounted for around a third of all cybercrime losses in 2021. Although that’s down from nearly half the year before, the $2.4bn figure represents a massive 82% increase on 2020 losses. What’s more, although the total number of cases reported to the FBI last year didn’t match the 23,775 of two years previously, the fact that financial losses have surged during that time indicates that threat actors are getting bolder in their demands and more successful in tricking victims.
New techniques, same old con
Unfortunately, the bad guys continue to change tactics in a bid to evade detection. The latest takes advantage of changes in the way companies work today, thanks to the impact of the pandemic. With more of the distributed workforce now using video conferencing tools every day, scammers have begun to gravitate to these same channels to send fraudulent wire transfer requests.
The FBI explains as follows:
“They do so by compromising an employer or financial director’s email, such as a CEO or CFO, which would then be used to request employees to participate in virtual meeting platforms. In those meetings, the fraudster would insert a still picture of the CEO with no audio, or a ‘deepfake’ audio through which fraudsters, acting as business executives, would then claim their audio/video was not working properly. The fraudsters would then use the virtual meeting platforms to directly instruct employees to initiate wire transfers or use the executives’ compromised email to provide wiring instruction.”
Deepfakes are growing in popularity as the technology behind them gets better in quality and cheaper in price. It uses AI technology to impersonate an individual, either in an audio clip like the above example or in a piece of video footage. The technique has already cost victim organizations tens of millions of dollars. The most recent involved a UAE bank manager who was tricked into making a $35m transfer after the director of a client had their voice spoofed.
The concern is that once video deepfakes become more convincing, cyber-criminals will insert these into video conferences too.
In 2021, the IC3’s Recovery Asset Team (RAT) took action on 1,726 BEC complaints involving domestic-to-domestic transactions with potential losses in excess of $443m. It blocked payments of around $329m, which represents an impressive 74% success rate. However, most BEC attacks will not use bank accounts in the US, making such tracking and disruption harder. Those 1,726 complaints are less than 9% of the total reported to the FBI in 2021. And the amount recovered is less than 14% of the $2.4bn in losses.
Organizations must therefore take matters into their own hands. And they can do so with some tried-and-tested tactics based on the old cybersecurity triumvirate of people, process, and technology:
- Ensure BEC awareness training is a part of all staff cyber awareness courses. Simulation exercises can be run to test awareness levels.
- Keep up to date with the latest in BEC trends by regularly visiting ic3.gov and building any new threat techniques into training courses.
- Check financial/payment processes to ensure that any large wire transfer has to be approved by more than one staff member and/or by the original sender. This should be enough to prevent severe monetary losses.
- Consider advanced email security tools such as AI-powered capabilities, which analyze sender's writing style to see if it’s a fake. That way, organizations can tackle attacks before they’ve even hit employees' inboxes.
According to the FBI, even if fraud is discovered only after a wire transfer is made, rapid action could make a difference. Organizations should contact the originating bank and request a recall or reversal and a “Hold Harmless Letter” or “Letter of Indemnity.” But as with all cyber-threats, prevention is the cheapest and most effective way to mitigate risk.