By Tonia Dudley
Business Email Compromise (BEC), referred to in some regions as CEO fraud, is a simple email asking for an action. No link to click. No attachment to open. Just a simple request: can you respond? We typically refer to these as conversational. The threat actor reaches out with a simple inquiry hoping you’ll respond. Because the initial message is kept vague, nothing in it looks suspicious, and the tactic lets the message land in your users’ inboxes.
We’ve seen the lure of BEC evolve over the years. Only a few years ago, these emails asked someone to wire money, which led to the threat actor sending over wiring instructions with routing and account numbers. It wasn’t long before financial institutions were hot on their trail and flagging these accounts. So, as threat actors do, they changed their tactics. Now they ask for gift cards, or they ask HR or payroll teams to change the account number in an employee’s direct deposit settings. They may still ask for a wire transfer, but not as frequently, and most likely only after a series of interactions. Over the next several months, we’ll take a deeper dive into this tactic and highlight our findings.
My BEC Exchange with “Stephen”
Allow me to demonstrate how simple it is to use this tactic to slip a malicious email past the secure email gateway and into the inbox. The email below in Figure 1 was taken from a message one of our customers reported to our Phishing Defense Center (PDC). After a little coaxing on my part, my boss cleared me to find a recent BEC email and respond to it from my Cofense email account – no need to obfuscate or change my name. So off I went. I’ll also clarify that this original email never hit my inbox. Yet when I responded, Stephen didn’t blink an eye at replying to my Cofense account. Now let me take you on this journey.
Figure 1 – BEC Email
Simple, right? Nothing in this message body would get flagged as suspicious, except that the user who reported this email knew it was out of place, noticed the domain was unfamiliar, or saw that it came from a free mail service. As a first step, I opened the email and responded to Stephen as shown in Figure 2.
Figure 2 – Stage 2
In Figure 2, we see that Stephen wasted no time responding to me, without even questioning whether I was the original recipient. There’s also another tell in this follow-up email. If you look closely, can you spot it? I used this example in a recent webinar and didn’t notice it myself until I was writing this post. The email domain changed. The follow-up in Figure 3 provided much more detail; however, I replied asking for more information – of course trying to see what other details I could gather from him. At this point, you can surmise he must be pulling from a script. You don’t see any grammar errors, except in the closing punctuation [home .] or [to..].
Figure 3 – Stage 3
To close this thread out, I told him, “OK – I won’t be able to get to the store until sometime tomorrow – will that work for you?” which led to the response “Okay, thank you very much, I’d be waiting to hear from you.” And that’s where I left the thread. But was that all? Not at all. He came back the next day to follow up. I haven’t responded, and it sits in my inbox.
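The tells described in this exchange can be checked mechanically as part of triage: a short request with no link or attachment, a sender on a free mail service, and a sender whose domain changes between the opening message and the follow-up. The script below is an added example, not Cofense code and not the PDC’s detection logic; the free-mail list, the request phrases and the two-message sample thread are all constructed for illustration and modelled on, not copied from, the emails in the figures.

```python
"""Triage helper for conversational BEC indicators.

Added example, not Cofense code. It parses raw RFC 822 messages from one thread,
in delivery order, and records which indicators fire for each message.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed free-mail domains; extend to match your own environment.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Phrases the post says current BEC lures revolve around (assumed list).
REQUEST_PHRASES = ("gift card", "direct deposit", "wire", "are you available")

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


def sender_parts(msg):
    """Return (display name lower-cased, domain lower-cased) of the From: header."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def has_attachment(msg):
    """True if any MIME part carries a filename."""
    return any(part.get_filename() for part in msg.walk())


def body_text(msg):
    """Concatenate the text/plain parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def score_message(msg, name_domains):
    """Return the indicator names that fire for one message.

    name_domains maps display names seen earlier in the thread to the set of
    sender domains they used, so a familiar name on a new domain stands out.
    """
    indicators = []
    name, domain = sender_parts(msg)
    text = body_text(msg)
    if domain in FREEMAIL_DOMAINS:
        indicators.append("freemail-sender")
    earlier = name_domains.get(name, set())
    if earlier and domain not in earlier:
        indicators.append("sender-domain-changed-mid-thread")
    if not URL_RE.search(text) and not has_attachment(msg):
        indicators.append("no-link-no-attachment")
    lowered = text.lower()
    if any(phrase in lowered for phrase in REQUEST_PHRASES):
        indicators.append("request-for-action")
    return indicators


def triage_thread(raw_messages):
    """Score each message in order; returns {Message-ID: [indicators]}."""
    results = {}
    name_domains = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        results[msg["Message-ID"]] = score_message(msg, name_domains)
        name, domain = sender_parts(msg)
        name_domains.setdefault(name, set()).add(domain)
    return results


# Constructed sample thread modelled on the post's exchange (not the real emails).
SAMPLE_THREAD = [
    "From: Stephen <stephen.ceo@gmail.com>\n"
    "To: employee@example.com\n"
    "Message-ID: <one@example.test>\n"
    "Subject: Quick request\n"
    "\n"
    "Are you available? I need a favor from you.\n",

    "From: Stephen <stephen.ceo@outlook.com>\n"
    "To: employee@example.com\n"
    "Message-ID: <two@example.test>\n"
    "In-Reply-To: <one@example.test>\n"
    "Subject: Re: Quick request\n"
    "\n"
    "I need you to buy some gift cards for a client, I'll pay you back "
    "when I get back to the office.\n",
]

if __name__ == "__main__":
    for message_id, hits in triage_thread(SAMPLE_THREAD).items():
        print(message_id, hits)
```

The domain-change check is keyed on display name rather than on the whole thread, so your own users’ replies from the corporate domain don’t trip it; only “Stephen” reappearing on a different free-mail domain does. None of these indicators is conclusive on its own, which is why the script records them all rather than returning a verdict.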
Tips for Contending with BEC
What can you do about BEC? First and foremost, BEC is a business process problem. If your users are responding to requests such as these via email without proper authorization, review your internal policies for sending gift cards. Review your process for direct deposit changes, and ensure the employee is notified whenever a change is made so they have time to react if they didn’t request it. Review the types of BEC messages your organization receives. If you notice a pattern, advise the targeted business groups to stay on alert for these threats and to report them.
In our 2021 Annual Report, we found that 6% of reported malicious emails were BEC. While simulating a BEC campaign isn’t ideal, organizations that use Cofense PhishMe are able to condition their users to identify and report a BEC email.