Business Email Compromise (BEC) is a type of email phishing scam in which an attacker attempts to trick members of an organization into, for example, transferring funds or disclosing confidential information.
The recent Arctic Wolf Labs Threat Report found that this attack tactic has become firmly established. It's easy to implement - and it works: Why should attackers go to the trouble of gaining access to corporate applications, stealing and encrypting files, negotiating a ransom and then collecting cryptocurrencies when they can instead convince someone to transfer the money directly?
According to the current Arctic Wolf Labs Threat Report, almost a third (29.7%) of all cases investigated by Arctic Wolf Incident Response were caused by BEC. The number of BEC investigations doubled in the first half of 2023, on top of the 29% increase already recorded from 2021 to 2022. The Arctic Wolf Labs Threat Report is based on threat, malware, digital forensics and incident response case data that Arctic Wolf collects across its security operations framework. It provides deep insights into the global cybercrime ecosystem, highlights global threat trends, and offers strategic cybersecurity recommendations for the coming year.
Unforeseeable damage
However, since the immediate damage is on average lower than with ransomware, a full incident response investigation follows less often. Nevertheless, companies should remain vigilant, because in individual cases - for example if BEC fraud leads to a data breach - the costs can escalate dramatically. According to the IBM Cost of a Data Breach Report 2023, BEC scams are the third most expensive type of data breach, costing an average of $4.67 million. The sheer number of BEC incidents and the direct and indirect costs associated with them paint a picture of a threat that deserves more attention in the business community.
Types of BEC
BEC fraud comes in many forms, some of which overlap. Currently, six types account for the vast majority of incidents:
- CEO/Executive Fraud: An attacker impersonating a CEO or other executive within a company sends an email to a person with the authority to transfer funds requesting a transfer to an account controlled by the attacker.
- Attorney Impersonation: An attacker poses as a company lawyer or legal representative and sends an employee an email requesting funds or sensitive data. This type of BEC attack typically targets lower-level employees.
- Data theft: An attacker targets employees in the human resources and finance departments in order to obtain personal or sensitive information about individuals within the company, such as directors and executives. This data can then be used for future cyberattacks. In rarer cases, an attacker posing as a customer or supplier may request a recipient (e.g. in a legal or technical role) to provide intellectual property or other sensitive or proprietary information.
- Account Compromise: In this variant (also known by the BEC synonym Email Account Compromise (EAC)), the attacker does not merely pose as the owner of a trusted email account but actually gains access to a legitimate one. They carry out the fraud by sending and replying to emails from the hijacked account, sometimes using mail filtering rules and other techniques to prevent the real account holder from noticing these activities.
- False Invoice Scheme / bogus invoices: An attacker posing as a known seller or supplier sends an email to a person with authority to transfer funds, requesting a transfer to an account controlled by the attacker.
- Product theft: A relatively new scam, which the FBI warned about in March 2023, in which an attacker posing as a customer tricks a company into selling (and shipping) a large quantity of products on credit.
Protective measures against BEC
Companies should inform all of their employees, without exception, about this type of fraud and establish a security culture that encourages them to raise and check security concerns at any time. For every email, employees should check whether the sender address is genuine or has been shortened or altered, and whether the tone of the message matches the corporate culture and the usual writing style of the (alleged) sender. It is also helpful to define a clear approval process for certain workflows, for example in accounting, in order to build in additional safety nets. In case of suspicion, employees should switch to a different communication channel and, for example, use a known telephone number to verify whether a request to transfer money to a new account really comes from the named sender within the company.
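A defender-side check of the sender cues described above (altered or lookalike address, a Reply-To pointing elsewhere, out-of-character urgency), as an added example that is not part of the original article; the corporate domain, the executive list and the sample message are constructed for illustration only.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data (hypothetical): the organisation's own domain and
# the executives whose names a BEC sender is most likely to borrow.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

def domain_distance(a, b):
    """Levenshtein edit distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw_message):
    """Return the list of BEC red flags found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    # 1. A known executive's display name, but not their real mailbox
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append("display-name impersonation of executive")
    # 2. Sender domain is one or two characters away from the corporate domain
    if domain != CORPORATE_DOMAIN and 0 < domain_distance(domain, CORPORATE_DOMAIN) <= 2:
        flags.append(f"lookalike domain {domain}")
    # 3. Replies are silently redirected to a different mailbox
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"reply-to mismatch {reply_to}")
    # 4. Urgent payment wording typical of executive and bogus-invoice fraud
    body = msg.get_payload() if not msg.is_multipart() else ""
    if re.search(r"\b(urgent|wire transfer|new (bank )?account)\b", body, re.I):
        flags.append("urgent payment request")
    return flags

# Constructed sample message (not a real incident): lookalike domain, an
# external Reply-To and pressure wording, all in one email.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-example.net
Subject: Urgent transfer

Please process this urgent wire transfer to our new account today."""
```

Running `bec_indicators(SAMPLE)` yields all four flags, while a genuine message from `jane.doe@example.com` with no Reply-To and ordinary wording yields an empty list.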
More at ArcticWolf.com
About Arctic Wolf
Arctic Wolf is a global leader in security operations, providing the first cloud-native security operations platform to mitigate cyber risk. Based on threat telemetry spanning endpoint, network and cloud sources, the Arctic Wolf® Security Operations Cloud analyzes more than 1.6 trillion security events per week worldwide. It provides business-critical insights into almost all security use cases and optimizes customers' heterogeneous security solutions. The Arctic Wolf platform is used by more than 2,000 customers worldwide. It provides automated threat detection and response, enabling organizations of all sizes to set up world-class security operations at the push of a button.