BEC Attacks: How They Evolved in the AI Era

Since the early days of email, email scams have been targeting companies. Numerous users are familiar with the “Nigerian Prince” scams that dominated phishing attacks in the 1990s, defrauding thousands of individuals despite their silliness. However, when the BEC attacks became more widespread and cost more people large sums of money, awareness of the BEC attacks grew until threat actors were compelled to shift to new, more effective strategies. Thus, business email compromise (BEC) attacks, evolved from traditional phishing scams and gained popularity over the last decade. Impersonation is the hallmark of BEC attacks, in which cyber criminals use spoofed email addresses or compromise to impersonate trusted identities (colleagues or company executives) and trick their victims into disclosing sensitive information or engaging in unauthorized financial transactions. CEO gift card scams are one of the most common BECs encountered in recent years.

Even though the BEC attacks were initially quite successful, particularly because they exploited human trust, most companies have effectively taught (or are actively teaching) their staff to detect BEC attacks before it’s too late. It resets threat actors’ innovation cycles. What will threat operators do next to improve or develop new BEC attack strategies attempting to fool their victims? According to the most recent FBI Internet Crime Report, BECs continue to pose a substantial threat to modern companies, causing billions of dollars in annual damages. CISOs must keep up with their evolving techniques. Here are various developing BEC tactics that security leaders should be aware of.

Vendor Email Compromise – Vendor email compromises (VEC) are a variation on the traditional BEC attack, but instead of impersonating someone within the targets’ organization, the attacks impersonate trusted vendors (or use compromised vendor accounts) to carry out invoice scams or other financial frauds. The attacks are extremely successful because they take advantage of the trust and established relationships between vendors and customers using social engineering. VEC attacks frequently request that victims pay an outstanding invoice or update their billing account information (to a fake bank account) before their next payment. Because vendor discussions frequently involve invoices and payments, the attacks rarely raise red flags, unlike CEO gift card requests, which have become practically synonymous with BEC. Because VECs employ recognized identities, whether by breaching vendors’ accounts or spoofing legitimate domains, they’re frequently difficult to detect. They can deceive the most cybersecurity-savvy staff, resulting in significant financial loss.

AI-Generated BEC Attacks – Numerous cybercriminals used templates to start their BEC campaigns. As a result, numerous attacks share common indicators of compromise that may be detected by both the human eye and standard security software. However, generative AI tools, including ChatGPT, enable scammers to create original, well-written, and highly targeted content quickly, making detection significantly more difficult. Even though Open AI has restricted the usage of ChatGPT in creating malicious content, cybercriminals have responded by “jailbreaking” ChatGPT or developing their malicious platforms, including FraudGPT and WormGPT. Over the last year, there have been numerous attacks that AI most certainly caused. Even though AI-generated content doesn’t explicitly indicate email attacks, it’s another indication that security teams can use, together with other patterns in email behavior, to detect attacks.

Email Thread Hijacking – Threat operators are increasingly using email thread hijacking to insert themselves into ongoing and legitimate email conversations. Threat operators will hijack the email threads by impersonating one of the parties using a lookalike domain or creating an entirely new identity, monitoring emails, learning the organizational command chain, and targeting people who authorize money transactions. Thread hijacking attacks often begin with account breaches, which give threat operators access to the inbox and allow them to look for ongoing conversations regarding payments or other sensitive information. They can hijack threads by pasting the topic into new emails (often with lookalike or typo-squatted domains) and continuing the chats with the original recipients. Because the other recipients are familiar with the topic and threat actors have replaced victims, the messages are frequently overlooked as a continuation of the conversation, which can have disastrous consequences. Threat operators can effortlessly blend into conversations by merely reading and understanding its history and automating it using generative AI. The attacks are hazardous and difficult to detect because average employees do not know they aren’t speaking with known colleagues or vendors. Recently, there have been sophisticated threat operators using other thread-hijacking strategies, including copying more “colleagues” into conversations. The “colleagues” are their adversarial counterparts, who use lookalike names to gain legitimacy.

Threat operators will most certainly continue to select BEC attacks as their first choice and will remain the largest cause of financial losses. Humans continue to be the most vulnerable aspect of modern companies because they place so much trust in their digital communications. Cybercriminals are aware of it and will continue to use creative strategies to exploit the trust, which can include utilizing social engineering to log in rather than breaching in. Traditional threat detection technologies especially those relying on detecting recognized signatures, including malware attachments and suspicious links, can only go so far in protecting against the threat. Human behavior isn’t a static attack signal, and companies will want dynamic technologies that can learn and adapt to user behaviors in email environments. Based on user behavior signals, teams can detect anomalies that indicate attacks, regardless of origin, whether using spoofed vendor domains, compromised executive accounts, AI-generated email attacks, or tactics threat operators use to launch the next BEC attacks.

The evolution of BEC attacks in the AI era presents a significant challenge to organizations worldwide. However, by leveraging AI-based security solutions and investing in employee education, organizations can effectively mitigate the risk of BEC attacks. As we move further into the AI era, organizations must stay vigilant and proactive in their approach to cybersecurity. At SpearTip, BEC threat assessments are a hybrid approach of policy evaluation and technical testing including an assessment focused on vulnerabilities within the companies’ environment that could lead to business email compromise (BEC). Our phishing assessments test and educate personnel at the client organization. This is done by sending them non-malicious phishing emails, observing their responses, and providing a short training video on the dangers of phishing and how to spot it. Our training modules educate personnel at the client organization by sending them training emails that contain short videos around a security topic, requiring them to answer questions about the information presented. Interaction with the video and questionnaire is tracked and provided back to the client.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.