Business Email Compromise – old scams, new techniques

Cybercrime | Csaba Krasznay | June 20, 2024


In our experience, Business Email Compromise (BEC) fraud is exploding, so we’ve looked into what’s behind it.

The process of the scam

One of the most widespread cybercrimes in recent years is Business Email Compromise. The execution of this type of fraud is apparently very simple.

  1. The fraudsters first select a victim, typically a company with a large cash flow, large enough to have a separate finance department and a manager who does not have daily contact with finance colleagues.
  2. In the second step, targeted email messages (spearphishing emails) or phone calls are directed at the selected individuals. Social networks such as LinkedIn are very helpful for mapping out the right people to target, and often the company’s own website can help too. In these messages or calls, the fraudsters typically impersonate the head of the organisation, urging the victim, who works in finance, to make an urgent transfer. The action is prepared days, or even weeks, before the transaction is executed, with convincing and credible information being fed to the victim.
  3. By the third step of the scam, the victim is fully convinced that he or she is actually being instructed by his or her boss.
  4. In the fourth step, the money is transferred to a bank account held by the organised cybercrime group, from where it is almost impossible to recover; the fraudsters then launder it using clever and rapid money laundering techniques.

Significant rise over the past year

This type of fraud has been much talked about in the media and by the police in every country. It is not only the FBI news (https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-scams-and-crimes/business-email-compromise) that shows there are more cases every week: our colleagues at White Hat IT Security are also under the impression that the number of BEC scams has increased significantly in recent months. In fact, industry surveys such as the Abnormal Threat Report (https://abnormalsecurity.com/blog/bec-vec-attacks) and Perception Point’s 2024 Annual Report (https://perception-point.io/resources/report/2024-annual-report/) confirm our impressions: the number of Business Email Compromise attacks has risen significantly over the past year. In addition, the ENISA Threat Landscape (https://www.enisa.europa.eu/publications/enisa-threat-landscape-2023) dedicates a specific subsection to this type of fraud, which shows its importance at European level.

Take care of your email account!

So there is a problem. But what is the reason for the upsurge in this type of attack? Let’s take a look at the trends that are helping cybercriminals. First, to be convincing, an attacker needs deep information about the life of the organisation: who the company does business with, what transactions are in progress and which of them can be diverted, and how employees communicate with each other. This information can typically be found in internal company emails, which attackers tend to gain access to. For example, at the time of writing, the CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=exchange&field_date_added_wrapper=all&sort_by=field_date_added&items_per_page=20&page=1) lists 16 vulnerabilities against Microsoft Exchange Server that could potentially be exploited to gain access to a company’s entire e-mail database. The data stolen in ransomware attacks can also provide a rich source of information for establishing appropriate communications.

Boosted by AI technologies

Once you have the data, you “just” have to process it. Let’s not forget that an email account can contain terabytes of unstructured data that would be difficult to interpret with human skills alone. But this is where artificial intelligence can help enormously! All you have to do is feed the data into a large language model (LLM, like ChatGPT), which then extracts the important information and uses it to create spearphishing emails that can be used in an attack. And it can do all this in any language. But that’s just the written part! With the proliferation of deep fake technologies, creating faces and voices is not impossible. In February 2024, for example, several press articles referred to a case in Taiwan where a financial manager was duped by fraudsters in a video call (https://edition.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html) in which the victim was the only real person; everyone else was a deep fake persona. Although the case is treated with minor reservations, it is a warning sign that $25 million in damages were incurred after this incident.

How can we protect ourselves?

What is the conclusion? That Business Email Compromise fraud, however primitive it may seem, is a serious threat to companies. It is therefore essential that all potential victims are aware of this type of fraud and, if they detect even the slightest sign of abuse, check the authenticity of the transactions they are expecting to receive. From a technical point of view, email filtering solutions such as Microsoft Defender for Office 365 (https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-about) will have a good chance of filtering out even spearphishing emails based on their characteristics. However, there is no effective protection against deep fakes for the time being. In this case, only healthy paranoia and vigilance can help. And if a problem does happen, our incident management team (Incident Response Services – White Hat IT Security) is available to ensure that at least the extent of the problem remains manageable.
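To make "characteristics" concrete, here is an added example (not from the original article, and not how Microsoft Defender works internally): a simplified Python heuristic that flags the traits of the impersonation email described in step 2 of the scam. The company domain, executive name and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration only: constructed domain and executive name.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}
URGENCY = re.compile(r"\b(urgent|immediately|today|confidential|asap)\b", re.I)
PAYMENT = re.compile(r"\b(transfer|wire|payment|invoice|iban|bank account)\b", re.I)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw):
    """Return the BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    hits = []
    # An executive's name is displayed, but the address is outside the company.
    if " ".join(name.lower().split()) in EXECUTIVES and domain_of(addr) != COMPANY_DOMAIN:
        hits.append("exec_display_name_external_address")
    # Replies would be redirected to a different domain than the sender's.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        hits.append("reply_to_domain_mismatch")
    # Time pressure combined with a money request: the core of the pretext.
    if URGENCY.search(text) and PAYMENT.search(text):
        hits.append("urgent_payment_request")
    return hits

# Constructed sample messages (not real traffic).
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e-mail.test>
Reply-To: ceo.office@freemail.test
To: finance@example.com
Subject: Urgent transfer

Please wire the payment today and keep this confidential.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget review

Agenda for Thursday's meeting is attached.
"""

if __name__ == "__main__":
    print(bec_indicators(SUSPICIOUS))
    print(bec_indicators(LEGIT))
```

A message sent from a genuinely compromised internal mailbox would pass the first two checks, which is why out-of-band verification of payment requests remains necessary.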

Written by: Csaba Krasznay
