All eyes have been on ransomware recently, but business email compromise (BEC) remains a significant threat and continues on an upward trajectory that cannot be ignored. Between 2019 and 2022, Microsoft’s Digital Crimes Unit found a 38% increase in cybercrime-as-a-service targeting corporate email, and the FBI’s latest Internet Crime Report validates that finding with its most recent BEC statistics showing an uptick in losses and complaints:
FBI headline figures (values not preserved in this text): total losses from BEC in 2022; average losses per BEC incident; BEC complaints received in 2022.
Despite email scams being one of the oldest tricks in the cybercrime playbook, with the “Nigerian prince email scam” of the 90s arguably the most famous, organizations continue to fall victim to low-sophistication tactics, and at shocking rates. According to the FBI’s report, BEC attacks accounted for 37% of all losses last year, raking in a whopping 64 times more in losses than ransomware. These staggering statistics are compounded by 82% of organizations reporting that they experienced BEC fraud attempts last year.
As with most cyberthreats, criminals are evolving their tactics when it comes to BEC, which could be contributing to the increase in these attacks. Let’s take a look at the new way bad actors are perpetrating BEC, and what you can do to protect your organization from these attacks.
A New Approach to an Old Tactic
Historically, BEC attacks started as a successful account takeover (ATO) in which the criminal fully assumed the identity of a legitimate company executive, network administrator, employee, or third-party vendor by acquiring the victim’s account credentials. These attacks typically involve phishing (with emails or texts containing malicious links and/or attachments) and, more commonly, social engineering attacks. The fraudsters use spoofed email accounts to masquerade as executives, other high-ranking employees, and even vendors, making urgent requests for payments or gift card purchases. A recent report found that 15% of employees acted on these fraudulent requests last year.
Primary types of BEC fraud include CEO BEC fraud and vendor email compromise (VEC). With CEO BEC fraud, attackers impersonate a company CEO or other executive in an attempt to convince employees at any level to process unauthorized wire transfers or share confidential tax information. Similar to CEO email fraud, VEC exploits vendor communications to control payments, most often in the form of false invoice scams. In typical VEC scenarios, criminals tap into vendor emails or business systems to observe how transactions are processed. They collect information on invoice structures and communication idiosyncrasies. These details enable them to take over communication with the victim without raising suspicion.
As criminals get more sophisticated, they have started taking a new approach to evade detection during BEC: buying residential IP addresses so that their sign-in attempts appear to originate from a legitimate local location. With the combination of local IP addresses and exposed corporate usernames and passwords, Microsoft warns that BEC attackers have a greater ability to circumvent “impossible travel” flags, allowing for higher volumes of BEC attacks.
One way criminals obtain such IP addresses is through infostealer malware, which siphons authentication information as well as device information including IP addresses, browser fingerprints, web session cookies, and personal information such as credit card numbers, crypto wallets and banking details. In our analysis of recaptured data from the criminal underground in 2022, SpyCloud found approximately 22.8 billion IP addresses exfiltrated by malware, and combined with the 721 million exposed credentials we also found, the dark web is chock full of exactly what bad actors need to launch BEC attacks and evade detection. Alongside IP addresses, infostealers commonly steal device configuration details, which can help an attacker make their actions appear more legitimate, as if they were originating from a trusted device.
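The point about residential IP addresses is easiest to see by running a detector over sign-in records. The following is an added example (not SpyCloud’s or Microsoft’s code) of a classic “impossible travel” check, which compares the implied travel speed between a user’s consecutive sign-ins against a 900 km/h ceiling, combined with two novelty checks (unseen IP, unseen device fingerprint). The three sign-in events, the coordinates, the IP addresses and the device identifiers are all constructed for the example; the 900 km/h threshold is an assumption. The second event models a sign-in routed through a residential proxy in the victim’s own city: the velocity check stays silent, and only the novelty checks flag it.

```python
"""Sign-in anomaly flags: impossible travel plus IP/device novelty (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float        # geolocation of the source IP
    lon: float
    device_id: str    # stable browser/device fingerprint identifier


MAX_SPEED_KMH = 900.0   # assumed ceiling: anything faster than a jet is "impossible travel"


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on the Earth's surface, in km."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def implied_speed_kmh(prev: SignIn, cur: SignIn) -> float:
    """Speed the user would have needed to travel between the two sign-in locations."""
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def score_signins(events: list[SignIn]) -> dict[str, list[str]]:
    """Return a list of flags per event, keyed by 'user@iso-timestamp'.

    Events are processed per user in time order. A user's baseline (known IPs,
    known devices, last trusted location) is learned only from sign-ins that
    raised no flags, so an attacker's sign-in never becomes the new normal.
    """
    known_ips: dict[str, set[str]] = {}
    known_devices: dict[str, set[str]] = {}
    last_clean: dict[str, SignIn] = {}
    flags: dict[str, list[str]] = {}
    for ev in sorted(events, key=lambda e: (e.user, e.ts)):
        key = f"{ev.user}@{ev.ts.isoformat()}"
        found: list[str] = []
        if ev.user in last_clean and implied_speed_kmh(last_clean[ev.user], ev) > MAX_SPEED_KMH:
            found.append("impossible_travel")
        if ev.user in known_ips and ev.ip not in known_ips[ev.user]:
            found.append("new_ip")
        if ev.user in known_devices and ev.device_id not in known_devices[ev.user]:
            found.append("new_device")
        if not found:
            known_ips.setdefault(ev.user, set()).add(ev.ip)
            known_devices.setdefault(ev.user, set()).add(ev.device_id)
            last_clean[ev.user] = ev
        flags[key] = found
    return flags


# Constructed sample: Austin, TX and Kyiv coordinates; documentation-range IPs.
AUSTIN = (30.2672, -97.7431)
KYIV = (50.4501, 30.5234)
_T = lambda h, m: datetime(2024, 5, 1, h, m, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # legitimate user on the office laptop
    SignIn("alice", _T(9, 0), "203.0.113.10", *AUSTIN, "fp-office-laptop"),
    # attacker using stolen credentials through a residential proxy in the same city
    SignIn("alice", _T(10, 0), "198.51.100.7", *AUSTIN, "fp-unknown-1"),
    # attacker using the same credentials from a hosting provider abroad
    SignIn("alice", _T(10, 30), "192.0.2.44", *KYIV, "fp-unknown-2"),
]

if __name__ == "__main__":
    for key, found in score_signins(SAMPLE_EVENTS).items():
        print(key, found or "clean")
```

The second event is the one the article is describing: geolocation and velocity look normal, so a detection built on “impossible travel” alone passes it. The unseen IP and, more reliably, the unseen device fingerprint are what remain; a new residential IP on its own is common for legitimate users (home versus office), so treat these as signals for step-up authentication rather than hard blocks.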
How to Prevent Business Email Compromise
BEC is one of the top ways businesses become victims of fraud. It exploits people, which makes it cyber-by-association and therefore difficult to detect and even more difficult to stop altogether. Worse yet, it’s evolved beyond email and embraced encrypted internal messaging services as a delivery mechanism. For example, hackers used stolen cookie files to perform an ATO of a user’s Slack account at Electronic Arts. This method allowed them to impersonate employees and convince IT to grant them a security token to access the company’s server. Two factors make impersonation scams like this easy to perpetrate: the enormous amount of stolen credentials available on criminal forums, and habitual password reuse. SpyCloud’s database of exposed user credentials reveals 72% of users in 2022 breaches were reusing previously exposed passwords. And with the recent increase in BEC attacks, the problem continues to get worse.
In our dataset, we also found 935,786 stolen assets from 87,741 exposed C-level employees at Fortune 1000 companies in 2022 alone. With so many executive credentials available to criminals on the dark web, the ability to know which of your employees’ credentials have been exposed and force them to do a password reset aligned with robust password security policies is a critical preventive measure for keeping business email accounts secure. Much like ransomware, a single compromised account can open the door to a successful BEC attack.
Additionally, monitoring the darknet for compromised credentials exposed in data breaches and exfiltrated by malware and taking the appropriate remediation actions can further fortify your organization against cyberattacks.
Monitor your corporate domain
Protect high-ranking executives
To add another layer of protection, consider monitoring personal accounts that fall outside of corporate control for any employees, board members, or executives who hold the privileged access that criminals seek most.
Implement identity-centric malware infection response
When a malware infection is detected, we recommend not only removing the malware from a device, but also incorporating Post-Infection Remediation steps to ensure all potentially exposed passwords are reset and active web sessions are invalidated, effectively addressing all entry points into your organization that are left open by these high-risk exposures.
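The identity-centric response described above (force resets for exposed corporate passwords, invalidate live web sessions, and treat the device as compromised) can be expressed as a small remediation planner. The following is an added example and not SpyCloud’s Post-Infection Remediation product or code. It takes a record of what an infostealer captured from one device, in a constructed format with constructed credentials and cookies, matches it against an assumed corporate domain list (`example.com`), and emits the remediation actions. It also flags the password-reuse case from earlier in the article: a corporate password that also appears in a credential for a non-corporate site.

```python
"""Post-infection remediation planner for infostealer exposures (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse


@dataclass(frozen=True)
class StolenCredential:
    url: str          # login URL the infostealer captured the credential for
    username: str
    password: str


@dataclass(frozen=True)
class StolenCookie:
    domain: str       # cookie domain as stored by the browser, may start with '.'
    name: str
    expires: datetime


@dataclass(frozen=True)
class InfectionRecord:
    device_id: str
    credentials: list[StolenCredential]
    cookies: list[StolenCookie]


# Assumed corporate domains; in practice this comes from the organization's directory.
CORP_DOMAINS = {"example.com"}


def is_corporate(host: str) -> bool:
    """True if host is one of the corporate domains or a subdomain of one."""
    host = host.lower().lstrip(".")
    return any(host == d or host.endswith("." + d) for d in CORP_DOMAINS)


def host_of(url: str) -> str:
    return urlparse(url).hostname or ""


def unexpired_corporate_cookies(rec: InfectionRecord, now: datetime) -> list[StolenCookie]:
    """Session cookies for corporate domains that a thief could still replay."""
    return [c for c in rec.cookies if is_corporate(c.domain) and c.expires > now]


def plan_remediation(rec: InfectionRecord, now: datetime) -> list[tuple[str, str]]:
    """Return (action, target) pairs covering every entry point the exposure left open."""
    actions: list[tuple[str, str]] = []
    corp_creds = [c for c in rec.credentials if is_corporate(host_of(c.url))]
    corp_users = sorted({c.username for c in corp_creds})
    external_passwords = {c.password for c in rec.credentials if not is_corporate(host_of(c.url))}

    # 1. Every corporate account whose password was captured gets a forced reset.
    for user in corp_users:
        actions.append(("force_password_reset", user))
    # 2. A corporate password that also protects a non-corporate account signals reuse;
    #    the reset above is not enough, the user must also change it elsewhere.
    for user in corp_users:
        if any(c.password in external_passwords for c in corp_creds if c.username == user):
            actions.append(("password_reused_externally", user))
    # 3. Live corporate session cookies let an attacker bypass the reset entirely,
    #    so sessions are revoked for the affected users.
    if unexpired_corporate_cookies(rec, now):
        for user in corp_users:
            actions.append(("revoke_sessions", user))
    # 4. The device itself is the source of the exposure and cannot be trusted.
    actions.append(("isolate_and_reimage_device", rec.device_id))
    return actions


# Constructed sample exposure from one infected laptop.
_D = lambda m, d: datetime(2024, m, d, tzinfo=timezone.utc)
SAMPLE_RECORD = InfectionRecord(
    device_id="LAPTOP-7Q2",
    credentials=[
        StolenCredential("https://sso.example.com/login", "alice@example.com", "Spring2024!"),
        StolenCredential("https://mail.example.com/", "alice@example.com", "Spring2024!"),
        StolenCredential("https://shop.example.org/account", "alice.home@mail.example.net", "Spring2024!"),
        StolenCredential("https://bank.example.net/", "bob", "unrelated-pw"),
    ],
    cookies=[
        StolenCookie(".sso.example.com", "session", expires=_D(6, 1)),   # still valid
        StolenCookie(".example.com", "auth", expires=_D(4, 1)),          # already expired
        StolenCookie("shop.example.org", "sid", expires=_D(6, 1)),       # not corporate
    ],
)
NOW = _D(5, 2)

if __name__ == "__main__":
    for action, target in plan_remediation(SAMPLE_RECORD, NOW):
        print(f"{action:28s} {target}")
```

The ordering matters in practice: resetting the password without revoking sessions leaves the stolen cookie usable until it expires, which is exactly the gap the Slack incident above exploited, and the non-corporate credentials in the log are still worth a notification to the user even though they fall outside the corporate remediation scope.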
As BEC remains a top threat vector, it is imperative that organizations heed the warning and take steps to prevent such attacks on their enterprise, reducing the risk of ransomware and fraud. With the proper measures in place, these costly attacks are preventable.