Business Email Compromise: When Hackers (and Competitors) Attack

By   Information Security Buzz Editorial Staff
Chief Editor , Information Security Buzz | May 02, 2016 07:00 pm PST

You surely don’t need us to tell you that business email compromise (BEC) attacks are on the rise. But are you aware of how dramatic the increase has been? The FBI released an alert on April 4 that included some sobering statistics about fraudulent wire transfer requests:

  • Organizations lost more than $2.3 billion to these types of BEC attacks between October 2013 and February 2016.
  • Law enforcement officials received complaints from more than 17,000 victims during that same time span.
  • BEC attacks have been reported in every U.S. state and in at least 79 countries
  • The FBI has seen a 270% rise in the number of identified victims and the exposed loss since January 2015.
  • In Arizona, the average loss per wire transfer scam is between $25,000 and $75,000.

How BEC Happens

Part whaling, part spear phishing, part social engineering, BEC attacks generally impersonate executives (often CEOs or CFOs) or other trusted figures (like attorneys, controllers, or vendors). Perpetrators use these messages to target internal employees who have access to banking, financial, or sensitive employee data.

Wire transfer fraud has been the most commonly reported exploit, though the recent rash of W-2 compromises has taken over the spotlight (at least temporarily). In late March, CSO Online published a report that identified 41 successful W-2 phishing attacks in 2016, and that number has only gone up since then.

In the case of wire fraud, attackers use several techniques to gain access. “Sometimes it is as simple as an email with a link in it that downloads a keylogger to gain credentials to the company’s bank account,” said Joe Ferrara, Wombat CEO. “In other cases, the criminals are researching companies to know when a high-level employee, like the CEO, CFO, or controller, will be out of the office. The attackers use social media channels, vishing calls, and other means to get the information. Then they impersonate the executive or manager using email spoofing to get another employee to expose data, wire money, or change bank routing information.”

The average person might think it would be difficult for a cyber criminal to successfully bait an employee, particularly with BEC attacks getting so much coverage in the news. But a primary reason these attacks are successful is because they take advantage of fundamental businesses processes and power structures.

“If you think about it, we are not conditioned to say ‘no’ to authority figures, particularly in our jobs. When our bosses ask us to do something, we do it. And when the CFO or CEO is making the request, an employee is even less likely to question it,” said Ferrara. “As a result, we have seen many organizations comply with these emailed requests and send out W-2 data or wire money to an attacker’s account. In the case of wire transfer fraud, once money is wired, it is quickly moved and, in many cases, never recovered.”

To make the situation even more complex, some BEC attacks are very sophisticated; they aren’t email requests that just appear out of the blue. “We’ve heard of several cases in which an attacker establishes a relationship with an employee in advance of requesting a wire transfer or a change to bank routing information,” said Ferrara. “In this type of scenario, a number of contact attempts (via phone or email) are made over hours, days, or weeks. Sometimes the attacker will ask for seemingly innocent pieces of information along the way, but the main goal is to lay the groundwork to become a ‘trusted’ contact of the targeted employee. Asking for a wire transfer or a change to banking information later on doesn’t ring warning bells because the employee now actually believes the request is coming from a valid source.”

With these points in mind, it’s not hard to see how an employee could be fooled by a BEC attack, particularly in the case of a more elaborate social engineering scenario. But it’s also important to keep in mind that regardless of the path an attacker takes, the final step is convincing an end user to make a bad decision.

How Competitors Are Using BEC Techniques to Gain Access to Your IP

At this point, we should all be taking a defensive posture when it comes to cyber security and protection of sensitive data. But we should also recognize that malicious actors can be tied to seemingly reputable sources, including competitors.

“We recently had a series of attempts to gain proprietary information from our employees,” said Ferrara. “One of the vectors used was a BEC-style email, where the senders posed as a market research company. Given how things were handled, the timing of the campaigns, and the types of questions that were asked, we’re quite certain a competitor or a future competitor were behind the activities. And it wasn’t a minor effort; they were very persistent.”

These attacks mirror many we see in the wild, with multiple attacks vectors being used in a coordinated effort to obtain data. “In total we had three different entities attempting to reach our employees. All three offered a consulting fee in exchange for interview time and indicated that they were gathering data for research purposes,” said Ferrara.

“In addition to the direct emails to employees, we had one entity using vishing calls, with the callers asking all sorts of questions, some confidential and some not. Naturally, they all started off by trying to build a rapport before digging too deep, which is a common social engineering technique,” he said. “Yet another organization hit all of our customer-facing employees through social media channels.”

How to Protect Your Organization From BEC Attacks and Social Engineering Scams

Because these attacks are so targeted and often slip past technical barriers, Ferrara believes that regular training and keeping cyber security top-of-mind for employees are the best ways to thwart social engineers. “Organizations should absolutely be prioritizing end-user risk management. One of the reasons we encourage our customers to create a culture of security is because we see the benefits firsthand,” he said. “Educated employees are far more likely to immediately question an unsolicited request for sensitive data. They will also be more likely to recognize when phone calls, emails, and social media messages are outside of the scope of ‘normal.’”

In our current climate, it’s critical to “train beyond the phish.” Because although BEC attacks and other phishing efforts are a serious threat (and one that needs to be addressed), they are far from the only way for individuals to gain a foothold within your organizations.

“This is the reality of the world we live in. Cyber criminals…hacktivists…competitors…they can all locate your employees very easily through many means. Your organization’s website, social media pages, press releases, industry events…they are just the start. Each employee also has personal access points that can be infiltrated,” said Ferrara. “Platforms like LinkedIn are treasure troves for skilled social engineers because of the ready access to qualifying details. And once attackers know who to contact, they can make their approach from a variety of angles, and they can vary the ask from person to person.”

With all of these pieces of data and all of these channels available to attackers, it’s becoming increasingly difficult for employees to recognize what is appropriate and what isn’t. And let’s face it: In the case of BEC and other “personalized” social engineering attacks, your employees are your primary line of defense. In our experience, security awareness training is the difference maker. Because it’s education that creates a knowledge barrier between the attackers tactics and your employees’ response.

As you think about the moments when your end users receive an email, phone call, or social media request, or they hover over a malicious link or download, ask yourself this: How strong is your barrier?

[su_box title=”About Gretel Egan” style=”noise” box_color=”#336588″][short_info id=’67804′ desc=”true” all=”false”][/su_box]