Chris Swagler | January 19th, 2023

Over the course of six months, a recently hired administrative assistant at a top East Coast law firm received three emails from a partner asking for wire transfers totaling $240,000 to an outside consultant. The employee made the transfers to avoid upsetting one of the supervisors. Everything appeared to be fine until, a few months later, it was discovered that a thief had impersonated the partner and stolen the money. The law firm filed an insurance claim for its losses; however, it was denied because the employee had failed to follow an internal dual-authorization policy that required multiple stakeholders to review significant transactions. Unfortunately, business email compromise (BEC) scams like this one, aimed at new employees, are all too common.

Threat operators frequently monitor new corporate email addresses or social media posts about people starting new jobs. They digitally impersonate corporate executives, taking advantage of employees’ reluctance to question the authenticity of emails from senior management. Even though numerous companies now prioritize ransomware, BEC attacks, which have been around for much longer, are increasing in frequency, complexity, and severity. Ransomware gets all the attention because its attacks are known to be more extensive and have a cloak-and-dagger style. BEC isn’t something people discuss; however, in terms of volume, it’s at least as prevalent as ransomware attacks.

According to the FBI’s Internet Crime Complaint Center (IC3), BEC is the most financially damaging internet crime. In 2021, BEC scams resulted in approximately $2.4 billion in global cyber losses, compared to $49.2 million from ransomware. Between July 2019 and December 2021, BEC attacks increased by 65%, costing companies an estimated $43.3 billion. BECs usually target companies that conduct wire transfers on a regular basis. Threat actors gain access to employees’ email accounts to learn more about the companies’ vendors, then send fraudulent wire transfer payment requests to those vendors. The vendors are then duped into sending money to the threat actors’ accounts.

These scams used to be easy to spot because users could detect horribly reproduced brand logos, broken English, or ridiculous scenarios. However, cybercriminals are becoming more effective at hiding their tracks. They’re spoofing CEO and CFO email addresses and sending fake communications to recipients that look exactly like the real thing. Additionally, they’re researching companies and employee activities to insert themselves into key conversations at critical junctures. For example, if threat actors learn about a merger, they can use the information to pose as part of the deal and trick people into sending them money. It occurs more frequently than companies would like to admit in almost every industry:

Real Estate – Scammers have diverted thousands of dollars in seller and buyer funds. A simple search will reveal every house for sale, who the real estate agents are, and the names of the supporting title and escrow companies. With a little more research, threat actors can locate the email addresses of the parties involved in a transaction and then pose as those parties to steal money. According to the FBI, 13,638 people were victims of real estate wire fraud in 2020, losing more than $213 million, with BEC responsible for a large portion of it.

Healthcare – Cybercriminals launched BEC attacks against payment processors to divert victim payments. According to the FBI, a healthcare company with over 175 medical providers discovered a person posing as an employee was changing automated clearing house (ACH) instructions for one of their payment processing vendors, redirecting almost $840,000 to the cybercriminal instead of the intended providers.

The FBI issued a warning earlier this year that scammers are expanding their BEC attacks beyond traditional platforms. While social engineering once depended on phone and email exchanges, the technique has expanded to include virtual meeting platforms since the start of the pandemic. Threat operators compromise senior leaders’ email addresses and use them to invite employees to virtual meetings. Scammers will insert still images of CEOs with no audio or deepfake audio into meetings claiming their audio or video isn’t working properly. The threat operators will instruct employees to begin wire transfers to bogus bank accounts.

It’s clear that BEC attacks aren’t going away, especially with the level of sophistication attained by threat operators. Advances in automated technologies and the continued evolution of deepfake audio and video are accelerating their efforts. BECs are thriving because they capitalize on people’s tendency to trust, and most people are hesitant to question emails purporting to be from senior executives, valued partners, clients, or the media. Most people don’t scrutinize every email address to ensure it’s written in the proper company format.

According to observers, companies need to mitigate human tendencies by utilizing technological and procedural best practices:

Invest in Education and Awareness

82% of data breaches involve human elements, including social attacks, errors, and misuse. Unlike ransomware or other attacks, BEC doesn’t require malware. Because of human nature, these scams are easier to execute than people think. Investing in training programs that help employees detect and respond to potential BEC attempts is critical. The FBI advises taking basic precautions:

Use Multifactor Authentication (MFA)

Multifactor authentication has contributed to the reduction of ransomware attacks and is now a standard requirement in cyber insurance policies. Requiring additional checks and balances before someone can access networks, emails, or financial accounts can prevent BEC attempts, and not having MFA can result in disaster. In the first half of 2022, based on all the BEC cases tracked by a security monitoring company, 80% of affected companies had no MFA.

Embrace Layered Defense

Even though BEC attacks aren’t always technologically sophisticated, they can be prevented by deploying basic security countermeasures and updating IT systems on a regular basis. Analysts advise using spam filters, implementing secure file-sharing processes, and utilizing zero-trust approaches, in which every person or machine attempting to connect to the network is treated as suspect until proven otherwise.
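As an added illustration of the sender scrutiny the article says most people skip (example code written for this post, not SpearTip’s tooling), the following Python flags inbound mail whose display name matches a roster executive but whose address, domain, or Reply-To does not line up with the company’s real domain; the domain list, executive roster, and sample message are all constructed.

```python
import re
from email.utils import parseaddr

# Assumptions (constructed for this example): the firm's real domain(s) and an
# executive roster mapping normalized display names to their real addresses.
COMPANY_DOMAINS = {"example-law.com"}
EXECUTIVES = {"jane partner": "jpartner@example-law.com"}
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|ach|routing|invoice|urgent)\b", re.I)

def normalize(name):
    """Lowercase and strip punctuation so 'Jane Partner, Esq.' matches the roster."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(headers, body):
    """Return the reasons a message looks like executive impersonation (empty = clean)."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    real_addr = EXECUTIVES.get(normalize(name))
    if real_addr and addr != real_addr:
        reasons.append(f"display name '{name}' but sender is {addr}, not {real_addr}")
    if domain and domain not in COMPANY_DOMAINS:
        for real in COMPANY_DOMAINS:
            if edit_distance(domain, real) <= 2:
                reasons.append(f"lookalike domain {domain} resembles {real}")
    reply_to = parseaddr(headers.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    if reasons and PAYMENT_WORDS.search(body):
        reasons.append("payment language in body raises severity")
    return reasons

# Constructed sample: a spoofed partner asking a new hire for a wire transfer.
SAMPLE = ({"From": "Jane Partner <jane.partner@example-1aw.com>",
           "Reply-To": "jp.consulting@webmail.example"},
          "Please wire $80,000 to the outside consultant today.")

if __name__ == "__main__":
    for reason in check_message(*SAMPLE):
        print("FLAG:", reason)
```

A hit on any reason is a cue to route the request through the dual-authorization step the opening story describes rather than a reason to block mail outright.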

Even though ransomware continues to grab global attention, experts are warning companies not to take business email compromise lightly, as the threat isn’t going away. BEC attacks are increasing in frequency, complexity, and severity. It’s important for companies to address BEC attacks on employees immediately and to remain vigilant about the current threat landscape. At SpearTip, our certified engineers are continuously working 24/7/365 at our Security Operations Center monitoring companies’ networks for potential cyberattacks, including business email compromise attacks. SpearTip examines companies’ security postures to improve the weak points in their networks. Our team engages with companies’ people, processes, and technology to measure the maturity of the technical environment. For all vulnerabilities we uncover, our experts provide technical roadmaps ensuring companies have the awareness and support to optimize their overall cybersecurity posture.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.