Business Email Compromise (BEC) Attacks are Becoming More Complex

 By now, most people have heard of business email compromise (BEC scams). They have been around for a long time, but attackers are getting serious about honing their craft because this type of heist is one of the most lucrative around.

What is a Business Email Compromise?

A BEC scam is a type of cybercrime where a scammer sends a legitimate-looking email from a spoofed account and tricks a high-level executive into transferring funds directly to the scammer.

It works by social engineering and may pan out like one of the examples below provided by the FBI warning businesses and executives of the dangers of a BEC scam.

“In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request, like in these examples:

• A vendor that your company regularly deals with sends an invoice with an updated mailing address.
• A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away.
• A homebuyer receives a message from his title company with instructions on how to wire his down payment.

Versions of these scenarios happened to real victims. All the messages were fake. And in each case, thousands—or even hundreds of thousands—of dollars were sent to criminals instead."

According to Data Breach Today, “From 2019 to 2020, the FBI said reported BEC losses rose from $1.7 billion to $1.8 billion, for an average loss of $92,932."

How Do BEC Scams Work?

How it works is the scammer finds the target's email address either through LinkedIn, a company website or on the dark web through databases from breaches.

Sometimes instead of requesting money, the goal might be to install malware onto the employee's computer allowing the hacker access to the entire network and a larger payday.

How Business Email Compromise (BEC) is Evolving?

In hopes of even bigger payouts, these types of cybercriminals are continuously refining their craft. Some of the ways they are enhancing these scams to be more successful are:

• Using redirect services to hide the final destination of any links within the email.
• Sometimes, these threat actors use legitimate ads and redirects and hijack those for their own purposes. For example, a recent scam led users to a fake Office 365 login page and then stole their credentials when victims tried to log in.
• Another tactic to legitimize these phishing campaigns is to take control of a legitimate email account and send the emails from there. This technique works well to evade detection by spam blockers.
• Often, scammers will use homoglyphs - characters that appear similar (for example, using the letter O in place of a zero) in a URL. If recipients don't look too closely and follow instructions within the email, they quickly convert to victims.
• Some hacker groups are hiring English-speaking natives. Typically, emails with broken English indicate that it is a scam. 
• Advertising for disgruntled employees of large companies with access who are willing to sell it. 

Another scary scenario is when a hacker gains unauthorized access to a company network and spends weeks trolling around learning the lay of the land. For example, they may access schedules or calendars and know specifically when high-level executives might be traveling and can launch their attack when it is most beneficial. Once the hackers have full access, they can pretend to be anyone in the company, and if they gain access to accounting, the bad actors can transfer out as much money as they want.