In just a few short years, Business Email Compromise (BEC) has become one of the highest profile and highest earning phishing threats out there. Yet things never stand still in the volatile cybercrime sector. Just as businesses get wise to the typical modus operandi of attacks, the bad guys have sought new ways to make money. The latest incarnation BEC involves a new tactic that relies not on direct fund transfers but on grabbing prized lists of customers to target.
These “aging reports” represent the new frontline in the war on BEC – and stopping attacks will require continued investment in training and the right tools.
How does BEC work?
Traditional Business Email Compromise follows one of a few fairly well-known patterns. A member of the finance team is targeted by an email purporting to come from the CEO/CFO/MD or similar. It requests an urgent fund transfer for some reason or other, into a third-party bank account. In some cases, the email is spoofed to appear as if sent by the C-level exec while in others the email account has really been hijacked – making it even harder to spot the fraud.
In both cases, the attackers use well-worn social engineering techniques to improve their chances of success. This means hurrying the recipient into making a rushed decision before they have time to think things through properly or consulting another team member.
The latest version of the scam spotted by security researchers at Agari involves fraudsters once again posing as a senior executive. However, this time around they request not a fund transfer but an “aging report” or “schedule of accounts receivable.” These are a common feature of any corporate finance department – a vital way to manage unpaid invoices and credit memos.
However, in the hands of an attacker, it’s an invaluable source of intelligence on the company’s customers/partners, and any outstanding balances owed. With this information, the attacker is then able to target those companies directly to demand payment, pretending to be a representative from the original firm that handed over the list. Because the payment requests are related to real invoices, the scam has a high chance of success.
In some cases, the scammers even offer incentives to pay the debt quickly, such as a reduced total amount – further accelerating the process so victims have less time to think things through. It goes without saying that the details supplied by the attacker are for a bank account under their control, rather than the real partner organization.
The bigger picture
This is just the latest evolution of a threat growing in popularity in the cybercrime underground thanks to its huge money-making potential. According to a new report from the US Treasury, BEC cost US organizations $300m each month in 2018, with the number of reports climbing from around 500 per month in 2016 to more than 1100 last year. What’s more, the bad guys are getting better at monetizing these attacks: in 2016 they only made an average of $100m per month.
According to Symantec, an average of 6,029 organizations were targeted by BEC emails each month during the past 12 months – with the biggest number of victims in the US (39%).
What should happen next
So what can IT leaders do to keep their businesses safe? BEC is in many ways more difficult to prevent than traditional cyber-attacks in that there’s no malware to block. Instead, it’s all about socially engineering the victim into making the fund transfer or handing over the aging report list.
This is why defensive efforts should focus first on improved training for employees – especially those in the finance department. Real-world simulation exercises work best, run in short 10-minute bursts to maximize their impact.
Combine this with technical controls and improvements to business processes such as:
- Email security tools to scan for spoofed domains and keywords in the message body and From/Reply-to headers
- Multi-factor authentication (MFA) and privileged account management (PAM) tools to prevent hackers from hijacking executives’ accounts
- Anti-phishing tools to also guard against account takeover
- Ensure any payment requests/demands for aging report lists be signed off by at least two people in the organization
- Consider AI-powered tools which can analyze the writing style of executives’ emails to spot malicious spoofs
BEC attacks are on the rise, but there’s no reason why your organization can’t steel itself against such threats. Careful planning and company-wide awareness raising are essential.