The Colonial Pipeline and JBS are up and running again, but only after both companies handed over millions in ransom payments – $4.4 million and $11 million, respectively – to a bunch of crooks. Payouts like these bump ransomware to the top of the cybercrime news cycle. And while ransomware is an undeniable threat to businesses, it steals the spotlight from another, more consistently damaging threat: business email compromise (BEC).
Despite being one of the oldest tricks in the cybercrime playbook – the “Nigerian prince email scam” of the 90s arguably the most famous – BEC comprised 43% of all losses in the US last year compared to 1% from ransomware. 86% of financial institutions say BEC is their greatest threat in the coming two years, and the likelihood that companies will be attacked via vendor email compromise (VEC) increased 82% following the SolarWinds hack.
Stats from the FBI’s latest Internet Crime Report:
- Total losses from BEC in 2020
- Average losses per BEC incident
- BEC complaints received in 2020
Why do we keep falling for BEC scams?
BEC has been around for so long that you can’t help but wonder why employees keep falling for these scams. In large part, it’s because the business world is practically set up to encourage it. The emphasis on increased productivity and automated business workflows means people perform a lot of repetitive tasks in a hurry, and rely on software to do the rest. Business processes like this open gaps for the type of social manipulation BEC thrives on. Payroll diversion fraud, for example, exploits human nature by impersonating employees well enough to pass quick visual scans by the recipient in HR. Once a request is okayed by the recipient, context-free workflows update direct deposit information to reroute payment to a criminal-controlled account or gift card, with no questions asked. Payroll diversion scams like this are so successful that they spiked 333% in the last half of 2020.
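The “quick visual scan” is exactly what an HR mailbox filter can do more carefully than a busy human. As an added example (not from the article), the check below routes direct-deposit change requests to out-of-band verification when the display name matches an employee but the address does not, when the sender domain merely resembles the corporate one, or when Reply-To points somewhere else; the corporate domain, employee directory and messages are constructed.

```python
"""Triage check for payroll-change emails (added example; directory and domain are constructed)."""
from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import List, Optional

CORP_DOMAIN = "example-corp.com"           # assumed corporate mail domain
EMPLOYEES = {                               # constructed HR directory: display name -> mailbox
    "Dana Whitfield": "dana.whitfield@example-corp.com",
    "Luis Ortega": "luis.ortega@example-corp.com",
}
# Phrases that mark a message as a payment/payroll request worth scrutinising.
PAYROLL_TERMS = ("direct deposit", "routing number", "update my bank", "gift card")


def lookalike_domain(domain: str) -> bool:
    """True for a domain close to, but not equal to, the corporate domain (e.g. one swapped character)."""
    return domain != CORP_DOMAIN and SequenceMatcher(None, domain, CORP_DOMAIN).ratio() > 0.8


def assess(from_header: str, reply_to: Optional[str], subject: str, body: str) -> List[str]:
    """Return the reasons a payroll-change request must be verified out of band; empty means no flag."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    text = f"{subject} {body}".lower()
    reasons: List[str] = []
    if not any(term in text for term in PAYROLL_TERMS):
        return reasons                      # not a payment request; nothing for this check to do
    # The impersonation trick: a familiar name on top of an unfamiliar address.
    if name in EMPLOYEES and addr != EMPLOYEES[name]:
        reasons.append("display name matches an employee but address does not")
    if lookalike_domain(domain):
        reasons.append(f"sender domain {domain} resembles {CORP_DOMAIN}")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.lower() != addr:
            reasons.append("Reply-To differs from From")
    return reasons


if __name__ == "__main__":
    # Constructed message imitating an employee from a free-mail account.
    print(assess('"Dana Whitfield" <dana.whitfield@gmail.com>', None,
                 "Direct deposit update", "Please use my new account from this pay period."))
```

Any non-empty result should stop the workflow until HR confirms the change with the employee through a known channel, which is the step the context-free workflow in the article skips.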
It makes sense that the most-targeted departments in any business would be the ones through which money passes. Accounts Payable is 61% more likely than other departments to be the target of BEC/VEC scams. For AP teams, working from home has made it challenging to get payments out to suppliers securely. Much like payroll diversion, the increased pressure on accounts payable combined with fragile network security and unfamiliar workflows left openings for fraudsters to take advantage of the disruption. According to the Association of Certified Fraud Examiners’ (ACFE) Fraud in the Wake of COVID-19 Benchmarking Report, 90% of the 2000+ respondents had seen increased cyber fraud during the July-August 2020 time period.
BEC is the number one way businesses become victims of fraud. It exploits people, which makes it cyber-by-association and therefore difficult to detect and even more difficult to stop altogether. Worse yet, it’s evolved beyond email and embraced encrypted internal messaging services as a delivery mechanism. Recently, hackers used stolen cookie files to perform an Account Takeover (ATO) of a user’s Slack account at Electronic Arts. This method allowed them to impersonate employees and convince IT to grant them a security token to access the company’s server. Two factors make impersonation scams like this easy to perpetrate: the enormous amount of stolen credentials available on criminal forums, and habitual password reuse. SpyCloud’s database of exposed user credentials reveals an all-time password reuse rate of 57% – and a 60% password reuse rate for breaches collected in 2020. The problem is only getting worse.
With so many credentials already available to criminals on the dark web, the ability to know which of your employees’ credentials have been exposed and force them to do a password reset observing NIST guidelines is a critical preventive measure for keeping business email accounts secure. Much like ransomware, a single compromised account can open the door to a successful BEC attack. Organizations cannot expect employees to do their jobs well and be watchdogs at the same time. But they can force them to be better stewards of their corporate credentials.