BEC fraud cost victims more in 2021 than any other form of cybercrime. It is high time organizations came to grips with these scams.
The old adage that people are the weakest link in security is especially true of email threats. This is where cybercriminals arguably get the biggest bang for their buck: by socially engineering targets into following their instructions. Phishing is the most obvious example, and one specific type of cybercrime that often relies on targeted phishing messages has generated the most criminal proceeds in recent years: business email compromise (BEC).
The latest FBI Internet Crime Report reveals that, once again in 2021, this scam cost victims more than any other form of cybercrime. It is high time organizations got to grips with BEC and built a layered defense to reduce the risk of large sums of money being lost to faceless fraudsters.
How bad is BEC?
According to the report, prepared by the FBI's Internet Crime Complaint Center (IC3), the IC3 received 19,954 BEC complaints last year. That makes it only the ninth most reported crime type of the year, far behind the leaders: phishing (324,000), non-payment/non-delivery (82,000) and personal data breach (52,000). However, those nearly 20,000 BEC reports accounted for an astonishing US$2.4 billion in losses, well ahead of second-placed investment fraud (US$1.5 billion) and third-placed romance fraud (US$950 million).
That means that in 2021, BEC accounted for about a third (35%) of total reported cybercrime losses. That share is down from nearly half the year before, but in absolute terms BEC losses still rose from the roughly US$1.9 billion reported for 2020. It is also true that in 2019, when BEC losses were about US$1.8 billion, the number of reports to the FBI was close to 24,000. So fraudsters are making more money from fewer attacks. How?
How does BEC work?
Fraudsters have certainly refined their tactics over the years. At its simplest, BEC is a form of social engineering. Members of the finance team are typically targeted by someone they believe to be a senior executive or the CEO demanding an urgent money transfer, or by a supposed vendor requiring payment. Some demand wire transfers; others ask the victim to buy gift cards and share the card details with them.
As improbable as it may sound, these scams still work often enough, because the victim is pressured to act without being given time to think about the consequences: classic social engineering. And the scam only needs to succeed every now and then to be worthwhile for a fraudster.
A more refined modus operandi sees the scammer first hijack a corporate inbox, usually via a simple phishing attack. They then spend the following weeks gathering information about suppliers, payment schedules and invoice layouts. At the right moment they step in with a fake invoice, purporting to come from a regular supplier of the victim organization, but carrying updated bank details.
Because these attacks use no malware, they are harder for organizations to spot, although AI-powered email security is getting better at detecting suspicious patterns of behavior that indicate a sender may be an impostor. User awareness training and updated payment processes are therefore a crucial part of a layered BEC defense.
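The "suspicious patterns" a mail filter looks for in a malware-free BEC message are mostly header and wording anomalies. The following Python is an added example written for this page, not code from the article or from any vendor's product: it applies four simple indicators (executive display name on a non-corporate address, a lookalike sender domain, a Reply-To that diverts replies elsewhere, and pressure language) to raw messages. The corporate domain, the executive directory and both sample messages are constructed assumptions.

```python
"""Heuristic BEC indicators for raw RFC 822 messages (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                        # assumption: the defended domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumption: protected names -> real address
URGENCY = re.compile(
    r"\b(urgent|immediately|asap|wire transfer|gift cards?|confidential)\b", re.I
)


def _levenshtein(a, b):
    """Edit distance, used to catch typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw):
    """Return a list of human-readable indicators found in the message (empty if none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    indicators = []

    # 1. Display name of a known executive, but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        indicators.append("display-name impersonation of " + expected)

    # 2. Sender domain within two edits of the corporate domain but not equal to it.
    if from_dom and from_dom != CORP_DOMAIN and _levenshtein(from_dom, CORP_DOMAIN) <= 2:
        indicators.append("lookalike sender domain " + from_dom)

    # 3. Replies are routed to a different domain than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        indicators.append("reply-to domain mismatch " + _domain(reply))

    # 4. Pressure language in subject or body (the social-engineering tell).
    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", "replace") if payload else ""
    hits = sorted({m.lower() for m in URGENCY.findall(msg.get("Subject", "") + " " + body)})
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))
    return indicators


# Constructed sample messages; neither is a real email.
SAMPLE_SCAM = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
To: accounts@example.com
Subject: Urgent wire transfer needed today

I am in a meeting and cannot take calls. Please process the wire transfer
immediately and keep this confidential.
"""

SAMPLE_OK = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget review

Attached is the draft for the budget meeting on Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_OK)):
        print(label, bec_indicators(raw) or ["no indicators"])
```

None of these indicators is conclusive on its own (executives do mail from personal accounts), which is why commercial products weigh them against a baseline of the sender's normal behavior rather than blocking on a single hit; the example is meant to show what those signals look like at header level.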
What the future has in store
The bad news for network defenders is that the scammers are still innovating. The FBI has warned that deepfake audio and video conferencing platforms are being used together to deceive organizations. First, the scammer hijacks the email account of a high-profile employee, such as the CEO or CFO, and invites employees to join a virtual meeting. The report continues:
“During those meetings, the fraudster would insert a still image of the CEO with no audio, or a ‘deepfake’ audio through which fraudsters, acting as business leaders, would claim that their audio/video was not working properly. The fraudsters would then use the virtual meeting platforms to directly instruct employees to initiate wire transfers or use the executives’ compromised email to issue wiring instructions.”
Deepfake audio has already been used to devastating effect in two notable cases. In one, a British CEO was misled into believing his German boss was asking for a €220,000 transfer. In another, a bank manager in the UAE was tricked into transferring US$35 million at the request of a ‘customer’.
This kind of technology has been with us for a while. The concern is that it is now cheap enough and realistic enough to mislead even expert eyes and ears. Spoofed video conferencing sessions using not just deepfake audio but deepfake video too are a worrying prospect for CISOs and risk managers.
What can I do to tackle BEC?
The FBI is doing its best to disrupt BEC gangs where they operate. But given the huge potential gains on offer, arrests alone won’t deter cybercriminals; law enforcement will always be a game of whack-a-mole. More encouraging are the efforts of IC3’s Recovery Asset Team (RAT), which last year responded to 1,726 BEC complaints involving domestic-to-domestic transactions and froze about US$329 million in payments, a success rate of 74%.
The challenge is that many BEC attacks route funds to bank accounts outside the US. In reality, the IC3 RAT recovered less than 14% of the US$2.4 billion in total BEC losses last year.
Therefore, prevention is always the best strategy. Organizations should consider the following:
- Invest in advanced email security that uses AI to spot suspicious sending patterns and deviations from a sender’s usual writing style
- Update payment processes so that large transfers, and any change to a supplier’s bank details, must be signed off by two employees
- Verify every payment request out of band with the person who supposedly made it, using a phone number already on file rather than contact details supplied in the email or invoice
- Build BEC into staff security awareness training, including phishing simulations
- Stay up to date with the latest BEC trends and update training and defensive measures accordingly
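The two process controls above (dual sign-off and out-of-band verification of changed bank details) are easy to state and easy to skip under pressure, so they are best enforced by the payment system rather than left to memory. The Python below is an added example for this page, not the article's own code or any real finance system: it checks a payment request against a vendor master file and blocks it when the bank details differ from the record and no callback to the number on file has been made, or when a large amount lacks two distinct approvers. The vendor record, threshold and sample requests are constructed assumptions.

```python
"""Payment-request controls against BEC (added example)."""
from dataclasses import dataclass, field

# Constructed vendor master file: bank details verified at onboarding. A request
# that differs from this record is a change request, however the invoice looks.
VENDOR_MASTER = {
    "ACME Supplies": {
        "iban": "GB00TEST00000000000001",      # placeholder, not a real account
        "contact_phone": "+44 20 0000 0000",   # number dialled for callbacks
    },
}

DUAL_APPROVAL_THRESHOLD = 10_000  # assumption: this amount and above needs two approvers


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    iban: str
    approvers: list = field(default_factory=list)
    # Set only after a human has phoned the vendor on the number held in the master
    # file (never a number printed on the invoice or given in the email) and the
    # vendor confirmed the new details.
    callback_verified: bool = False


def review_payment(req):
    """Return (approved, blocking_reasons). All blocking reasons are reported."""
    reasons = []
    master = VENDOR_MASTER.get(req.vendor)
    if master is None:
        reasons.append("unknown vendor; onboard through the normal process first")
    elif req.iban != master["iban"] and not req.callback_verified:
        reasons.append(
            "bank details differ from vendor master and the change has not been "
            "confirmed by callback to " + master["contact_phone"]
        )
    # Two *distinct* approvers: the same person approving twice does not count.
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(set(req.approvers)) < 2:
        reasons.append("amount requires two distinct approvers")
    return (not reasons, reasons)


# Constructed sample requests.
SUSPICIOUS = PaymentRequest("ACME Supplies", 45_000.0, "GB00TEST00000000000099", ["alice"])
VERIFIED = PaymentRequest(
    "ACME Supplies", 45_000.0, "GB00TEST00000000000099", ["alice", "bob"], callback_verified=True
)
ROUTINE = PaymentRequest("ACME Supplies", 500.0, "GB00TEST00000000000001")
SELF_APPROVED = PaymentRequest("ACME Supplies", 20_000.0, "GB00TEST00000000000001", ["alice", "alice"])

if __name__ == "__main__":
    for name, req in (("suspicious", SUSPICIOUS), ("verified", VERIFIED),
                      ("routine", ROUTINE), ("self_approved", SELF_APPROVED)):
        ok, why = review_payment(req)
        print(name, "APPROVED" if ok else "BLOCKED", why)
```

The important design choice is that the callback number comes from the master record, not from the request: a fraudulent invoice will helpfully list a phone number that the fraudster answers. Keeping the "who verified the change, when, and on which number" alongside the payment record also gives incident responders something to work from if a transfer does go wrong.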
Like all fraudsters, BEC actors will always go after the low-hanging fruit. Organizations that make themselves harder targets will hopefully see opportunistic scammers turn their attention elsewhere.