Business Email Compromise (BEC) is a sophisticated form of cybercrime that has become increasingly prevalent in recent years. Cofense had the privilege of hosting three key members of the US Secret Service and its Global Investigative Operations Center (GIOC) to discuss their efforts to thwart BEC, the latest tactics and criminal organizations utilizing BEC schemes, and the importance of training, awareness, and reporting. You can watch the entire webinar here. Below is a short summary of the topics and advice from the briefing.
BEC is an email campaign that typically carries no link or attachment; instead, the message asks the recipient to take an action. It might be a simple request: send me your mobile number, buy me some gift cards, or change a direct-deposit or vendor master bank account record. Threat actors running these campaigns often start with credentials obtained through an earlier credential attack. Once they have mailbox access, they create unauthorized inbox rules that automatically forward emails containing financial information to an account they control, and then delete the originals to cover their tracks. Because these rules live in the mailbox rather than in the password, they keep working even after the recipient resets the password they gave up: attackers routinely add “auto-forwarding rules” to the recipient’s Outlook that match keywords used in financial transactions. Steven Dougherty, Financial Investigator/Forensic Analyst for the USSS Global Investigative Operations Center, explains, “So this is all happening in the background. You are not seeing this actively happen in your email inbox. In fact, the only way you can really detect it is if you know or think to regularly go and check, hey, I need to check my email rules or my auto filters to see if anything odd has been set up.”
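One way to turn that manual “go and check my rules” advice into a repeatable check, as an added example that is not code from the briefing or from Cofense: a small triage script over inbox-rule audit events. It assumes the event shape Microsoft 365’s Unified Audit Log emits for New-InboxRule and Set-InboxRule operations (Operation, UserId, ClientIP, and a Parameters array of Name/Value pairs); the same data is reachable live with Search-UnifiedAuditLog, or per mailbox with Get-InboxRule. The organisation domain, keyword list, indicator weights and the sample records below are constructed assumptions, and forwarding targets are simplified to bare addresses separated by ';'.

```python
"""Triage inbox-rule audit events for BEC-style auto-forwarding persistence.

Added example, not code from the Cofense/USSS briefing. The record shape
follows what Microsoft 365's Unified Audit Log emits for New-InboxRule and
Set-InboxRule; the records below are constructed for this example, and
address values are simplified to bare SMTP addresses separated by ';'.
"""
import json

# Assumed: the organisation's own mail domains. Anything else is "external".
ORG_DOMAINS = {"example.com"}

# Assumed keyword list: terms seen in the filters of BEC forwarding rules.
FINANCE_TERMS = {"invoice", "wire", "payment", "ach", "remittance", "bank",
                 "payroll", "direct deposit", "w-2", "swift", "routing"}

# Folders attackers use to hide matched mail from the mailbox owner.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "deleted items",
                  "junk email", "conversation history"}

FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_KEYS = ("SubjectContainsWords", "BodyContainsWords",
                "SubjectOrBodyContainsWords")

# Constructed sample events (not real tenant data).
SAMPLE_AUDIT_RECORDS = [
    {"CreationTime": "2023-03-01T08:14:02", "Operation": "New-InboxRule",
     "UserId": "a.payne@example.com", "ClientIP": "203.0.113.45",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment;bank"},
         {"Name": "ForwardTo", "Value": "ap.payne.finance@attacker-mail.example.net"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2023-03-01T09:02:11", "Operation": "New-InboxRule",
     "UserId": "b.ortiz@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "From", "Value": "news@vendor.example.org"},
         {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2023-03-01T09:40:58", "Operation": "Set-InboxRule",
     "UserId": "c.lee@example.com", "ClientIP": "203.0.113.45",
     "Parameters": [
         {"Name": "Identity", "Value": "Archive"},
         {"Name": "SubjectOrBodyContainsWords", "Value": "ACH;remittance"},
         {"Name": "MoveToFolder", "Value": "RSS Feeds"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2023-03-01T10:05:00", "Operation": "MailItemsAccessed",
     "UserId": "a.payne@example.com", "ClientIP": "203.0.113.45",
     "Parameters": []},
]


def _params(record):
    """Flatten the Parameters array into a {Name: Value} dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _split(value):
    return [v.strip() for v in value.split(";") if v.strip()]


def rule_indicators(record):
    """Return (score, reasons) for one New-/Set-InboxRule event.

    Weights are assumptions: an external forward alone is enough to flag,
    the softer indicators need to combine.
    """
    p = _params(record)
    score, reasons = 0, []

    def hit(weight, text):
        nonlocal score
        score += weight
        reasons.append(text)

    targets = [a for k in FORWARD_KEYS if k in p for a in _split(p[k])]
    external = [a for a in targets
                if "@" in a and a.rsplit("@", 1)[1].lower() not in ORG_DOMAINS]
    if external:
        hit(3, "forwards mail outside the organisation: " + ", ".join(external))

    terms = {w.lower() for k in KEYWORD_KEYS if k in p for w in _split(p[k])}
    hits = sorted(terms & FINANCE_TERMS)
    if hits:
        hit(1, "matches financial keywords: " + ", ".join(hits))

    if p.get("DeleteMessage", "").lower() == "true":
        hit(2, "deletes the matched message")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        hit(2, "moves matched mail to a rarely viewed folder: " + p["MoveToFolder"])
    if p.get("MarkAsRead", "").lower() == "true":
        hit(1, "marks matched mail as read")

    name = p.get("Name") or p.get("Identity") or ""   # Set-InboxRule uses Identity
    if len(name.strip(" .,_-")) <= 1:
        hit(1, "near-empty rule name: %r" % name)
    return score, reasons


def triage(records, threshold=2):
    """Return findings for rule events whose indicator score meets threshold."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        score, reasons = rule_indicators(rec)
        if score >= threshold:
            p = _params(rec)
            findings.append({"user": rec["UserId"],
                             "rule": p.get("Name") or p.get("Identity") or "",
                             "client_ip": rec.get("ClientIP"),
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_AUDIT_RECORDS), indent=2))
```

Run on a schedule rather than once: the rule is created after the credential theft and survives the password reset, so a check made only at reset time misses it. Two findings share a client IP in the sample, which is the kind of pivot an investigator would follow next. The external-forward class can also be closed tenant-wide by disabling automatic external forwarding in the Exchange Online outbound spam policy, which leaves the keyword-and-hide variants for this kind of triage.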
Threat actors are using new and advanced techniques, including deepfakes and voice replication, to commit BEC attacks. They are also using phone-snatching and SIM-swap attacks: stealing a victim’s phone, or hijacking their phone number, so they can get into banking apps and drain the accounts. And they are doing it with great success! Michael Johns, Director of Private and Public Sector Outreach for Cyber Security at the US Secret Service, reveals that “the cost of BEC attacks is high, with the average loss per incident being around $130,000. In 2021 alone the Internet Crimes Complaint Center received nearly 20,000 reports of revolving compromised accounts with losses of nearly $2.4 billion.”
One of the most effective ways to prevent BEC attacks is to implement strong security measures, such as email filtering, and to enable multi-factor authentication (MFA). It is also important to conduct regular security audits and penetration testing to identify and address vulnerabilities in the organization’s systems and processes. Additionally, companies should have a robust incident response plan in place, which should include regular training, testing, and timely reporting. Unfortunately, even with all of this technology in place, human error remains the most important factor. Michael Johns said, “91% is right around the number that we hear that this is human error.”
Given the evolving nature of BEC attacks, organizations must stay abreast of new and emerging threats. This requires continuous monitoring of threat intelligence feeds, regular training and awareness programs, and staying informed of the latest trends and techniques used by threat actors. Companies should also consider engaging with cybersecurity experts and industry associations to stay informed of best practices and emerging threats. Additionally, develop a relationship with law enforcement agencies, like the US Secret Service or the Federal Bureau of Investigation, well ahead of an incident, so that the reaction is swift. “We have 42 cyber fraud task force offices around the United States, additional offices all around the world, and a company overseas can file IC3 complaints too,” according to Special Agent Abigail Tyrell from the USSS GIOC.
Finally, it is critical to establish a culture of security within the organization. This involves fostering a sense of responsibility among employees for the organization’s security, encouraging a proactive approach to risk management, and promoting a culture of transparency and collaboration. By doing so, companies can reduce their risk of falling victim to BEC attacks and improve their ability to respond effectively if an attack does occur.
In conclusion, BEC is a complex and sophisticated form of cybercrime that can cause significant financial losses to individuals and companies. It is essential to remain vigilant, educated, and aware of the new and advanced techniques used by cybercriminals, and to know about and engage with the many resources and investigative agencies dedicated to stomping out cybercrime.