Why the fast-mutating BEC fraud is as common and costly as ever

Business email compromise has been on the rise for many years, not just by the number of cases but also in terms of the costs. Research carried out in 2019 found that 29% of organisations being monitored had their Microsoft 365 accounts infiltrated, and earlier this year Hiscox’s fourth Cyber Readiness report placed it as the second most common type of breach at 21%, with viruses and worms at 23% and ransomware at 19%. The FBI's 2019 Internet Crime Report found it to be, on average, the most financially costly category of cyber attack (with losses of $676 million in 2017 rising to $1.7 billion in 2019). As a recent example, a fraudster was sentenced to five years in prison for a BEC scam that extracted $23 million from Google in 2013 and $98 million from Facebook in 2015. As well as the direct costs of these frauds from the fund transfers, organisations and their insurers often need to contend with the additional costs of forensic investigations and eDiscovery, and the costs of notifying data privacy regulators that a data breach has occurred.

BEC is a category of fraud that was initially best known for the CEO impersonation scheme. Here’s how it works. First the threat actor carries out some initial reconnaissance from public sources, building an understanding of the individuals they are targeting such as company executives. Next, they send an email to their primary target purporting to be from an executive, which according to a study of 3,000 attacks is the CEO in the majority of cases (42.9%). The message looks legitimate to the recipient, often making use of email spoofing or minor variations of a legitimate address, and the request for payment is plausible and is often accompanied by an element of time pressure.

More recently, these relatively low tech attacks have evolved into a much broader set of scams. Cybercriminals can use the same techniques to target an organisation’s supply chain, payroll process, or trusted third parties such as legal representatives. But things really get interesting when cybercriminals mount an attack with the aim of taking control of an email account and then impersonating the owner, using their identity to carry out various kinds of fraudulent activity. Once a threat actor has control of an account, there is a lot they can do with the mailbox and the data that is available to them. As well as facilitating fraudulent transactions, they can send malicious and spam emails (potentially primed with malware) or carry out reconnaissance of the business before mounting a more sophisticated attack. They can download the files stored on cloud storage services such as OneDrive as well as the user’s entire mailbox, and then extract personal data and confidential corporate information (which can be used for identity theft, intellectual property theft or fraud). The threat actor also has the ability to reset passwords of any of the connected accounts that are registered to the email address, taking full control of those as well.

How do threat actors execute these account takeover attacks (also referred to as ATO and email hijacking)? We’ve already touched on email spoofing and social engineering, but threat actors have an array of other techniques at their disposal including phishing emails, keystroke logging using malware, brute force attacks, and using leaked account credentials from data breaches – and if any one of these is successful, the reputational and financial damage can be severe.