The continued rise of Business Email Compromise
Olly Jones, Senior Cyber Security Consultant
News emerged this week that a pair of well-known Instagram users—one of whom has 2.4 million followers—have been extradited to the US to face charges of conspiracy to commit wire fraud and laundering hundreds of millions of dollars obtained from online crimes. After arresting the pair last month, the Dubai Police said they had recovered $40 million in cash and 13 luxury cars worth around $6.8 million.
One of the main tactics they employed to build up their vast criminal wealth was impersonating legitimate employees in what is known as a Business Email Compromise (BEC) scheme. BEC is a more focussed—and potentially more lucrative—type of phishing scam that has increased noticeably since the start of the COVID-19 pandemic. In April and May alone, security provider Abnormal Security reported that the volume of BEC campaigns increased by 200%, which coincides with when the virus began to spread and many businesses were forced to shift rapidly to full remote working. This huge increase followed an FBI report in February that they had received nearly 24,000 complaints about BEC scams in 2019, with a total loss of $1.7 billion.
What is Business Email Compromise?
A BEC scam involves online criminals managing to compromise an organisation’s email account and then monitoring the correspondence and financial dealings between a customer and its vendors. This enables the attackers to build up an understanding of the relationship between the two parties and—when they are ready to strike—they email the customer by spoofing the account of a trusted individual, such as a CEO or senior executive. The message aims to convince the victim that the vendor is notifying them of a change to their bank account details and attempts to lure them to send or share certain financial details. Unless the victim verifies this change in account, the money is sent to the criminal and is most likely never seen again.
How widespread is Business Email Compromise?
Many readers will wonder how people responsible for payment processes can be so easily duped, but the techniques used are the same social engineering techniques that are exploited in sophisticated spear phishing campaigns. For BEC, the emails are carefully timed to be sent to senior executives or finance teams during busy payment runs or during periods of increased time pressure such as late on a Friday or before a holiday break. In the US in 2019, the average loss from a BEC scam was around $72,000, but some companies have been known to lose much more, including the Japanese media conglomerate Nikkei, which reportedly lost $29 million in a BEC scam in 2019.
A new threat group emerges
One of the most sophisticated groups currently specialising in BEC attacks is a recently discovered Russian group referred to as Cosmic Lynx. Over the past 12 months, the group has been linked to more than 200 BEC campaigns that have targeted senior-level executives in 46 countries.
Unlike many BEC attacks—which are relatively straightforward and are commonly identified due to the poor use of grammar—security researchers have remarked that Cosmic Lynx stands out because their emails are extremely well-written and articulate. Their attacks have also been seen to focus on victims that do not have an established Domain-based Message Authentication, Reporting and Conformance (DMARC) policy. Additionally, they have been using a fictitious scenario regarding an upcoming merger-and-acquisition that has enabled them to demand and steal larger sums of money from victims. As an example, they have been demanding hundreds of thousands, or even millions, of dollars in some of their attacks, whereas the average theft amount in most executive BEC attacks is around $50,000 to $70,000.
How can I protect myself and my organisation?
Although organisations normally have technical defence measures to detect spoofed or suspicious emails, the key to mitigating the threat of Business Email Compromise is user awareness training and vigilance. Whilst employees are an organisation’s best security asset, they are also its biggest security risk, particularly those who are in senior positions or finance teams, or anyone who has the authority to make payments to external partners and vendors.
Users are encouraged to make particular effort to check emails that originate from external email sources such as Gmail or other commonly used general domains. Very slight changes to an email address or domain name, such as swapping an ‘i’ and ‘l’, or adding an ‘s’ to the end of a known domain, can look entirely legitimate when the user is busy and only casually glances at the sender address.
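The sender-address check described above can be automated against a list of vendor domains the organisation already deals with. The following Python is an added example, not part of the original article; the domain list and sample addresses are constructed, and it generalises the ‘i’/‘l’ swap to a small set of look-alike characters and the added ‘s’ to any single-character edit.

```python
from email.utils import parseaddr

# Constructed allow-list of vendor domains the finance team already deals with.
KNOWN_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Glyphs that read alike at a glance; 'l' for 'i' is the swap described above.
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "0": "o"})


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so visually similar domains compare equal."""
    return domain.translate(CONFUSABLE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header: str, known=KNOWN_DOMAINS):
    """Return (verdict, matched_known_domain) for a From header value."""
    address = parseaddr(from_header)[1]
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in known:
        # Exact match only; forged use of the real domain is a job for DMARC.
        return ("known", domain)
    for good in sorted(known):
        if skeleton(domain) == skeleton(good):
            return ("lookalike-confusable", good)
        if edit_distance(domain, good) <= 1:
            return ("lookalike-edit", good)  # e.g. an added trailing 's'
    return ("unknown", None)


if __name__ == "__main__":
    for sample in ("Accounts <billing@northwind.example>",  # constructed samples
                   "Accounts <billing@northwlnd.example>",
                   "billing@northwinds.example",
                   "someone@gmail.com"):
        print(sample, "->", classify(sample))
```

A one-character threshold will also match unrelated short domains, so a hit is a prompt for verification through another channel rather than proof of fraud.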
If you are ever in any doubt about a transaction request or change of payment details, be sure to verify the validity of the request via another communication channel—such as phone or another form of messaging—because any response to the original suspicious email will actually be routed back to the criminal themselves.
How PGI can help
We have helped organisations around the world educate their workforces on cyber security threats and how to identify them. Understanding the threats will significantly mitigate the risk of a cyber attack, which most commonly occurs as a result of a successful phishing campaign or other end user activity.
Contact us to talk about how we can help prepare your workforce to mitigate and manage potential cyber security threats: email@example.com or +44 (0) 845 600 4403