
A new wave of BEC attacks will force security teams to adapt again
One of the most over-used metaphors in cybersecurity is of the perpetual “arms race” between attackers and defenders. One side innovates, and the other side is forced to update their own tools, technologies, and processes to keep pace. That forces the other side to innovate again, and so it goes on, ad infinitum. Well, it may be an overused analogy, but it’s one that continues to be relevant in today’s threat landscape. The latest example is a new wave of business email compromise (BEC) attacks spotted by the FBI.
Rather than trick recipients into wiring money, the threat actors set out to purchase high-value goods on credit and then disappear without paying. The shift will require corporate security teams, once again, to update their knowledge of email threat trends.
What the FBI saw
This latest twist on a now-familiar tactic works something like this:
- A targeted organization receives an email spoofed to appear as if sent from a legitimate U.S. company, requesting a bulk purchase of goods. These could include construction materials, agricultural supplies, IT hardware, or solar energy products.
- The sender email domain is spoofed, and display names may be faked to feature current or former employees’ monikers.
- The threat actors provide fake credit references and fraudulent W-9 forms to the vendor, to secure Net-30 or Net-60 credit repayment terms. This allows them to effectively buy products without immediately paying for them.
- Once they’ve received the goods, the scammers disappear without paying. The victim only realizes they’ve been defrauded when they try and fail to collect payment days later.
This latest BEC variation is a great example of the continuous search by threat actors for new ways to monetize attacks. In this case, they blend tried-and-true techniques (domain spoofing, impersonation, email) with novel elements (purchasing goods, securing repayment terms). They understand how payment processes and supply chain relationships work, and they have the skills to take advantage.
Variations on a theme
Where the arms race metaphor falls down slightly here is that BEC as a threat category probably doesn’t even need reinventing yet, so successful have threat groups been at generating profits from it. Last year alone, they made over $2.7 billion — and that’s just from the scams reported to the FBI. Although BEC lost its spot at the top of the list of highest earning cybercrime categories, victim losses still surged 14% year-over-year, according to official figures. One recently spotted attempt tried to trick a victim organization into transferring $36 million in funds. If BEC attacks as audacious as this are bearing fruit, it’s no wonder it has become a multibillion-dollar threat.
The increasing variety of techniques used by the scammers demands continued vigilance. Emails may be sent to finance team members spoofed to appear as if sent by their CEO and requesting a fund transfer. They may come from spoofed vendors or suppliers requesting payment. The request may even come from a legitimate account, hijacked via a spear-phishing attack — making it particularly difficult to detect.
There have also been attempts to incorporate more advanced technologies into what is basically a digitally enabled con trick. In one famous case, deepfake audio was used to trick a British CEO into believing his German boss had requested a €220,000 money transfer. In another, a bank manager from the UAE was conned into transferring $35 million at the request of a ‘customer.’ Scammers are even using deepfakes via video conferencing platforms to trick attendees into fulfilling money transfer requests from their ‘boss.’
How to stop them
The good news is that best practices for BEC still apply, with a few tweaks. That means combining advanced email security with enhanced policies and a willingness to continuously update employee awareness training. Here are a few suggestions:
- Choose AI-powered email security solutions to learn “normal” email patterns and writing styles in order to flag when something doesn’t look right
- Set email rules to flag when the reply-to address is different from the displayed “from” address
- Ensure intrusion detection tools alert when legitimate corporate emails are spoofed with lookalike domains
- Update staff awareness and training programs with the latest BEC tactics, like the above
- Update processes for wire transfers and high-value sales to include steps such as:
  - Directly calling the supplier, CEO or customer to check the legitimacy of a request, using a phone number from a company directory or an online search rather than the one given in the email
  - Requiring a sign-off or secondary check before any large sale or transfer request is approved
- Consider color coding emails to flag when messages are sent from external accounts
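The mailbox-level checks in the list above (reply-to mismatch, a known employee's display name on an outside address, lookalike sender domains, and tagging external senders) can be expressed as a few header rules. The script below is an added illustration, not Barracuda's code or any product's logic; the organization domain `example-corp.com`, the employee names, the similarity threshold and the four sample messages are all constructed for the example.

```python
"""Added example: header-based BEC indicators run over constructed sample
messages. Implements the article's reply-to, display-name, lookalike-domain
and external-sender checks; not code from the original page."""
import email
from difflib import SequenceMatcher
from email.utils import getaddresses, parseaddr

# Assumed values for the example: the defending organization's own domain and a
# small directory of employee display names (in practice, from the directory).
OUR_DOMAIN = "example-corp.com"
KNOWN_EMPLOYEES = {"Jane Doe", "Robert Chen", "Priya Patel"}
LOOKALIKE_THRESHOLD = 0.8  # difflib similarity ratio; tune on real traffic


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lookalike(domain, legit=OUR_DOMAIN):
    """True when `domain` is not ours but closely resembles it, either by
    edit similarity (examp1e-corp.com) or by embedding our registrable
    label (example-corp-billing.com)."""
    if not domain or domain == legit:
        return False
    ratio = SequenceMatcher(None, domain, legit).ratio()
    return ratio >= LOOKALIKE_THRESHOLD or legit.split(".")[0] in domain


def analyze(raw_message):
    """Parse one RFC 5322 message; return {'external': bool, 'findings': [...]}."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # Rule 1: Reply-To points at a mailbox other than the displayed From.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if reply_addr and reply_addr.lower() != from_addr.lower():
            findings.append(f"reply-to {reply_addr} differs from from {from_addr}")

    # Rule 2: a known employee's display name on an address outside our domain.
    if from_name in KNOWN_EMPLOYEES and from_domain != OUR_DOMAIN:
        findings.append(
            f"display name '{from_name}' impersonates an employee from {from_domain}"
        )

    # Rule 3: the sender domain is a lookalike of ours.
    if is_lookalike(from_domain):
        findings.append(f"lookalike domain {from_domain} resembles {OUR_DOMAIN}")

    # External-sender tag, for the colour-coding suggestion in the article.
    return {"external": from_domain != OUR_DOMAIN, "findings": findings}


# Constructed sample messages (not real traffic).
SAMPLES = {
    "internal_ok": (
        "From: Jane Doe <jane.doe@example-corp.com>\n"
        "To: ap@example-corp.com\nSubject: Q3 budget\n\nSee attached.\n"
    ),
    "impersonation": (
        'From: "Robert Chen" <robert.chen@mail-example.test>\n'
        "Reply-To: purchasing-desk@freemail.test\n"
        "To: sales@vendor.test\nSubject: Bulk order, Net-60 terms\n\n"
        "Please quote 400 units.\n"
    ),
    "lookalike": (
        "From: Accounts Payable <ap@examp1e-corp.com>\n"
        "To: sales@vendor.test\nSubject: Updated W-9\n\nAttached.\n"
    ),
    "vendor_ok": (
        "From: Sales <sales@acme-supplies.net>\n"
        "Reply-To: sales@acme-supplies.net\n"
        "To: ap@example-corp.com\nSubject: Invoice 1042\n\nThanks.\n"
    ),
}


def run_all():
    """Run every constructed sample through analyze(), keyed by sample name."""
    return {name: analyze(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        tag = "EXTERNAL" if result["external"] else "internal"
        print(f"{name:14} [{tag}] {result['findings'] or 'no findings'}")
```

The legitimate vendor message is tagged external but produces no findings, which is the intended behaviour: the external tag is a visual cue for staff, while the three rules are what an analyst or mail gateway would alert on. A hijacked legitimate account, the hardest case the article describes, passes all three header checks, which is why the procedural controls (call-back verification, secondary sign-off) remain necessary.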
BEC is not going away anytime soon. But by staying alert and up to date with the latest scams doing the rounds, companies can build much-needed resilience into their cyber-risk management posture.
