What is Business Email Compromise, sometimes abbreviated as BEC? BEC starts with a phishing attack, but before we get into that, first a bit of background.
Cyber Risks
If you run a small business, you’ve probably heard time and again about cyber security risks. Maybe you haven’t heard about BEC, but you probably know that a successful ransomware attack could cripple your business. You also know that you need to protect your business from downtime. The costs of idle employees, lost production, lost opportunities, and customer dissatisfaction, especially if the situation persists for more than an hour or two, are ruinous.
Email Attack
You’re probably aware that email is far and away the most common vector for malicious attack. By now you probably think all your employees know not to open email attachments from unknown senders or click on hyperlinks in suspicious messages, but many attacks, including BEC attacks, are successful. According to a 2019 report, 94% of all malware is delivered by email and this volume continues to increase. In 2020 the FBI reported that cyberattacks had increased by 400% since the start of the COVD-19 pandemic. In a single month in 2020 phishing attacks spiked by 510%.
Phishing
Why is phishing so popular amongst cybercriminals? Why is it so effective? The reason is because phishing combines the opportunity for technical exploit with the seemingly endless variables of human behaviour. All computer systems have vulnerabilities, or bugs, but malicious actors need to get access to exploit them. That’s why they work so hard to manipulate users into providing that access. Cybercriminals know that if they send out millions of copies of a phishing email, a percentage of users will be unaware or inept enough to take the bait.
Spearphishing
As mentioned above, a common motivation for phishing is the delivery of malicious software in the form of a ransomware attack. This can be targeted randomly, or in a specific kind of attack known as spearphishing. To use the fishing metaphor, if phishing can be generally likened to drift-net fishing or trawling, spearphishing is, as the name implies, akin to aiming a spear-gun and shooting at a specific target. To be successful, a spear-fisher needs to know about the target: how to find it, what it looks like, how it behaves. Similarly, criminals using spearphishing techniques need to research their prey ahead of time. By doing so, they know they have the best chance of hitting the right target. As much as 65% of targeted attacks rely on spearphishing. Business Email compromise relies on spearphishing.
Finding the Target
So how do spearphishers find their targets? Well, it’s not that hard. Just pick a company or organisation. Look at its social media pages, LinkedIn, Facebook, Instagram, etc.. Collect information about the various team members and their roles. A typical spearphishing attack could progress something like this:
- The criminals choose a target organisation based on generally available information. Maybe they are targeting a particular industry or sector.
- The criminals follow and analyse social media to gather data. Depending on the potential value of the target, this may be over a period of months or even years.
- They compile a dossier of information about employees: their names, roles, lifestyles, habits, working hours, holidays, level of experience, even birthdates and names of family members and pets. In some cases, they will even make random telephone inquiries or observe physical locations and activities.
- Using the gathered information, the criminal will craft a spearphishing message targeting a single employee, with a single purpose. That purpose will be to engineer that user into performing an action. This is how Business Email Compromise begins.
Business Email Compromise
Here’s a BEC scenario. Chris is a junior admin worker at a mid-size construction firm. He does mostly reception work but has been trained on the company’s ERP system and will be standing in when a more senior employee, who usually manages accounts, goes on leave. A month or two earlier, malicious actors sent Chris a phishing email. As far as Chris could see the email was from Microsoft, saying that that it was time to reset his Microsoft 365 password. He clicked on the link in the email and was taken to a web page which looked exactly like the page he sees when logging in to Office 365. He entered his old and new passwords and thought nothing more about it. This is where the BEC begins.
The malicious actors now had Chris’s Microsoft password (the ‘old’ one). So as not arouse Chris’s suspicion when his Microsoft applications requested login, they changed Chris’s old password to the new one he had just chosen. The criminals can now login to Chris’s Outlook at any time to monitor his emails. They can gather more precise information that previously about his working hours, workflows, habits, likes, dislikes, and so on. They know how he communicates with fellow workers, customers, and suppliers and how those people communicate with him.
Profits of Crime
At this point, the malicious actors have a range of options for exploiting Chris’s account. They could intercept outbound invoices to customers and send every customer a notification of change of bank account details. This is very common BEC exploit and of course results in some customers paying funds into the criminals’ bank account. Naturally, this level of access to an employee’s communications could present the criminals with other ideas. If Chris sometimes pays suppliers, the criminals might forge an email from the company’s CEO instructing him to make an urgent payment, necessary to ‘clinch a deal’. They don’t just know what the CEO’s emails look like, they know his tone and they can perpetrate the attempt at a time when they know the CEO will be unavailable for Chris to confirm. Because he is standing in, doesn’t want to look like he can’t do the job and is keen to please, Chris transfers the funds as requested.
We can help!
All the issues highlighted in the previous scenario can be quite easily avoided. Basic cybersecurity precautions and the application of best practices would have stopped the criminals dead and forced them to move on to the next ‘phish’. Reach out to Baw Baw IT if you need help to mitigate the risk of Business Email Compromise.
