by Haidon Storro

Business Email Compromise - Over Half of All Cybercrime Losses

They say, “rules are meant to be broken,” but in the case of a cybercriminal, rules are meant to be created… Email rules that is. A new twist on the age-old email phishing tactic has enabled attackers to cause over $1.7 billion in losses since 2019. Business Email Compromise (BEC) scams account for more than half of all losses according to the FBI’s Cyber Crime Report.

The tactic is simple, an attacker will gain access to an employee’s email and then create email forwarding rules to evade detection. BEC schemes have yielded major success for cybercriminals as so many businesses have staff working remotely due to COVID-19.

How BEC Works?
BEC can be conducted as a very sophisticated scam that enables cyber criminals to redirect pending and future payments to a fraudulent bank account all by manipulating the human psyche. First, an attacker will compromise a business email account through phishing, purchase online, or other intrusion techniques. Second, the criminal uses the new access to conduct reconnaissance or scouting the victim’s email to gain strategic information. After this preliminary phase, the actual attack starts to brew and the cybercriminal starts impersonating the email owner to launch a fraudulent invoice scam, fake boss scam or even non-monetary ones such a trade secret or personally identifiable information (PII) scams. It is also at this step when a cybercriminal changes the reply-to address so when the campaign is in operation, the email owner suspects nothing. Moreover, they may also create auto-forward rules that immediately move an email to the cyber criminal’s inbox.

Another form of BEC is an imposter style scam. This is when attackers stand up look-alike domains and send emails from them rather than utilize an account from the legitimate domain. For instance, is our legitimate fully qualified domain name (FQDN), but a cybercriminal could register a look alike domain such as in an attempt to gain the trust of unsuspecting employees. Additionally, evidence shows that employees reading emails right before lunch are less attentive and thus may easily fall for a scam email from the CEO to go and buy gift cards for the employee “surprise party.” Another scam could use the FQDN and send emails to our business employees impersonating security by saying, “we found a virus on your computer and need to remove it.” Both of these are variants of BEC that leverage external resources and are highly successful on new or low-ranking employees.

Phase 1: Identify Target
- LinkedIn Profiles
- Web Scraping
- Sifting through business email databases

Phase 2: Social Engineer
- Email reply to and forwarding rules are created
- Attackers use persuasion and pressure
- Grooming may occur in the span of a few days to a few weeks

Phase 3: Exchange information
- Victim is convinced they are conducting legitimate business
- Victim may update the routing number for a vendor

Phase 4: Financial Gain
- Funds are transferred to fraudulent offshore account

Who is at the highest risk?
A BEC campaign can target anyone. However, executives and finance employees are the most commonly targeted. A study conducted by security company Trend Micro found that 40% of BEC scams involved the email account of a company’s Chief Financial Officer (CFO). Moreover, 31% percent relied on power held by the CEO to convince a victim of the message’s authenticity.

The C-suite is most vulnerable to BEC due to the power they hold. Attackers are highly focused on efficiency, as running BEC scams is what they do for a living. Also, most get into computers and security by asking questions like what can I make this system do, rather than what can this system do? Next, if a cybercriminal is to invest countless hours breaking into an account, they would be wise to go after the individual who can get them the largest return on investment.

The widespread use of BEC has prompted the FBI to release a Private Industry Notification. They outline an example of a US-based medical equipment company who thought they were communicating with a well-known international vendor that had a similar domain and UK based IP address, but were not. The cyber criminals obtained $175,000 by setting up auto-forwarding email rules for any emails containing the terms "bank," "payment," "invoice," "wire," or "check" to the malicious address.

Why BEC is effective and what you can do today to protect against it
The success of BEC can be contributed to 3 factors. First, when an email rule is created on what a web-based client does, there is a significant delay when it syncs with the desktop client. This creates limited visibility for security teams and attackers capitalize off this to increase their odds of success. Second, they do not use malware or malicious URLs that can be detected by standard security appliances. So simply throwing money at a managed security provider will not protect you against BEC.

Third, the money from BEC scams mostly goes to offshore accounts and banks in Russia or China. The funds are almost always unrecoverable and must be stopped before being wired. Groups behind BEC like Cosmic Lynx are not afraid of prosecution. Russian authorities tend to shield cybercrime gangs from Western authorities. Furthermore, prosecuting cybercrime is already incredibly difficult because of jurisdiction and extradition issues. More than 76 countries do not have an extradition treaty with the US, meaning if a criminal is found, the likelihood of bringing them to justice is low to nonexistent.

Business Email Compromise is increasingly being used by adversaries for financial gain. Silent Sector can function as your remote security department, helping your company measure its phishing and social engineering susceptibility. By understanding your risk factors, we can prepare you to prevent complex attacks like BEC before they strike. Interested in learning more about preventing Business Email Compromise? Contact Silent Sector today.

About the Author

Written by Haidon Storro

Cybersecurity Research & Content Manager, Silent Sector -- Haidon Storro is a Cyber Security Analyst for CVS Health. She has her BS in IT Cyber Security as well as security certifications like CompTIA Security+ and ISC2. While Haidon is newer to the security community, she has dedicated herself to learning as much as she can through internships, online courses, and conventions like DefCon. In her free time, she enjoys reading about new advancements in technology, going to security meetups and participating in cyber defense competitions. One of Haidon’s goals is to make the connected world safer by bridging the human aspect with technology.