Many practitioners say the exciting thing about the cybersecurity industry is the sheer pace of change and innovation. This is usually driven first by the offensive side: the threat actors looking to disrupt our IT systems, steal our data, and monetize their campaigns. They’ve done pretty well at it so far, especially in finding a steady stream of new tactics and techniques to make email-borne phishing attacks more successful. The biggest money-maker to date in this area has been business email compromise (BEC).
Well, the bad guys are at it again. According to the FBI, they’re now using virtual meeting platforms as a new channel for their attacks, often in combination with AI-powered deepfake technology.
Phishing remains one of the top threat vectors out there. But there are many different flavors of attack. Some involve domain impersonation. Others may feature malicious attachments. Yet more may be focused on account takeover or credential theft. Of the 13 email threat types listed by Barracuda, the highest grossing for cybercriminals is undoubtedly BEC. According to the FBI, cybercriminals made almost $1.9 billion off these scams in 2020, and $1.7 billion the previous year. To put this in perspective, it’s around half of the combined total losses of all cybercrime categories in each of those years.
Why is it so popular? Because victims keep falling for it, and there’s a big payoff for a relatively low investment of time and resources. It’s usually achieved not by malware, but by good old-fashioned social engineering. A threat actor tricks a member of the finance team or another employee into sending them money, either via fund transfer or by buying gift cards. They may impersonate a CEO or high-level exec, or possibly a supplier that needs paying.
The next level
Tactics have become more sophisticated in recent months. Although BEC-as-a-service is certainly a threat, these indiscriminate automated attacks tend to go for the lowest-hanging fruit. Anyone who stops to check the sender email address and read the request carefully will be able to see it’s a scam.
More dangerous are the targeted attacks, which start with a traditional phishing attack to compromise the inbox of a company employee. The attacker will monitor messages going in and out until they find a suitable moment to step in, hijack the sender’s inbox, and send a fund transfer request to a partner. Other variations will see the attacker hijack the inbox of a CEO or senior exec to request a fund transfer from a finance department worker.
However, earlier this month, the FBI warned that virtual conferencing platforms are increasingly being abused in attacks. It listed three ways this could happen:
- A CEO inbox is compromised and used to send a virtual meeting request to employees. However, when they log on, they’ll be met by a still image of the CEO with either no sound, or audio spoofed to sound like the CEO. They’ll claim their video/audio is not properly working, and proceed to instruct participants to initiate the fund transfer via the virtual meeting chat or in a follow-up email.
- A hacker hijacks an employee inbox and spies on corporate virtual meetings in order to gather more information on day-to-day operations, which could be used in follow-on BEC attacks.
- A hacker hijacks a CEO email account and sends fund transfer requests to recipients, claiming that they can’t do it themselves as they’re occupied in a virtual meeting.
The rise of deepfakes
The first scenario is particularly troubling in terms of what it portends. Already, deepfake audio has been able to trick victims into making millions of dollars’ worth of transfers to fraudsters. Most recently a UAE bank manager was tricked into making a $35 million transfer after the director of an unnamed client had their voice spoofed.
While the above example may be easy enough to spot with a little user training, deepfake technology is improving all the time, and the price is dropping to the point where it becomes a legitimate tool for opportunistic cybercriminals. When deepfake video becomes more realistic and affordable, this tactic could become a serious threat to organizations.
How to stop BEC
The good news is that there is plenty IT teams can do to mitigate the threat of BEC, even if attackers are using deepfake tech. A blend of people, process, and technology should provide the right mix to minimize risk.
People: Build BEC awareness into staff training courses. Run simulation exercises inside phishing awareness tools. Phishing awareness will also help to stop those initial account takeover attempts.
Process: Ensure that no single employee can sign off on large fund transfers. This will ensure a secondary sanity check to stop any possible BEC attempts.
Technology: Improve phishing defenses to block the pathway to BEC: account takeover. Invest in email security that leverages AI to monitor email communication patterns internally to better spot when something suspicious happens. Other telltale signs such as a “reply” email address that’s different to the “from” email address can also be flagged.
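As an added illustration of the last telltale sign (a “Reply-To” address that differs from the “From” address), here is a small Python check that is not Barracuda’s product logic or anything from the original post. It parses raw messages with the standard library, compares the two addresses, and separately flags the more suspicious case where the reply address points to a different domain. The three sample messages are constructed for the example; the addresses and domains in them are made up.

```python
"""Flag emails whose Reply-To address differs from the From address.

Added example, not Barracuda's own detection code: a minimal implementation of
the "reply address differs from the from address" telltale sign, run over a few
constructed raw messages.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample messages (addresses and domains are made up).
SAMPLES = [
    # Normal message: no Reply-To header at all.
    b"From: Jane Doe <jane.doe@example.com>\r\n"
    b"To: finance@example.com\r\n"
    b"Subject: March invoice\r\n\r\n"
    b"Please process the attached invoice.\r\n",
    # Classic BEC pattern: display name matches the exec, but replies are
    # routed to a look-alike domain the attacker controls.
    b"From: Jane Doe <jane.doe@example.com>\r\n"
    b"Reply-To: Jane Doe <jane.doe@mail-example.test>\r\n"
    b"To: finance@example.com\r\n"
    b"Subject: Urgent transfer\r\n\r\n"
    b"I'm stuck in a virtual meeting, please wire the funds today.\r\n",
    # Benign mismatch: Reply-To points at a shared mailbox on the same domain.
    b"From: Jane Doe <jane.doe@example.com>\r\n"
    b"Reply-To: accounts@example.com\r\n"
    b"To: finance@example.com\r\n"
    b"Subject: Supplier onboarding\r\n\r\n"
    b"Please reply to the shared mailbox.\r\n",
]


def reply_mismatch(raw: bytes) -> dict:
    """Parse one RFC 5322 message and report whether Reply-To differs from From."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = reply_addr.rpartition("@")[2]
    return {
        "subject": str(msg.get("Subject", "")),
        "from": from_addr,
        "reply_to": reply_addr,
        # Any Reply-To that is present and not identical to From.
        "mismatch": bool(reply_addr) and reply_addr != from_addr,
        # The higher-risk case: replies leave the sender's domain entirely.
        "cross_domain": bool(reply_addr) and reply_domain != from_domain,
    }


def scan(samples) -> list:
    """Run the check over a batch of raw messages."""
    return [reply_mismatch(raw) for raw in samples]


def suspicious(samples) -> list:
    """Return only the findings where the reply address leaves the From domain."""
    return [f for f in scan(samples) if f["cross_domain"]]


if __name__ == "__main__":
    for finding in scan(SAMPLES):
        flag = "CROSS-DOMAIN" if finding["cross_domain"] else (
            "mismatch" if finding["mismatch"] else "ok")
        print(f"{flag:12} {finding['subject']!r}: from={finding['from']} "
              f"reply_to={finding['reply_to'] or '-'}")
```

A same-domain mismatch (the shared-mailbox case) is common in legitimate mail, so it is reported but not treated as suspicious on its own; the cross-domain case is the one worth surfacing to the recipient or to the finance team’s secondary approver.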
BEC will be around for as long as it’s still making the bad guys money. But that doesn’t mean your organization has to be a victim.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.