7/23/2019
04:45 PM

Business Email Compromise: Thinking Beyond Wire Transfers

As BEC continues to drive record-high losses, cybercriminals devise new tactics for swindling corporate targets out of millions.

Business email compromise (BEC) continues to evolve as a prominent enterprise threat as cybercriminals adopt new tactics to manipulate employees into sending funds their way. They've learned from their mistakes to become more advanced and harder to detect.

The number of reports describing BEC incidents has rapidly grown from a monthly average of nearly 500 in 2016 to more than 1,100 in 2018, the Financial Crimes Enforcement Network (FinCEN) says in its July 2019 Financial Trend Analysis. The total value of attempted BEC thefts climbed from an average of $110 million per month in 2016 to $301 million per month in 2018.

In a July 2018 advisory, the FBI's Internet Crime Complaint Center (IC3) dubbed BEC "the 12 billion dollar scam" and cited a 136% increase in identified global exposed losses (including actual losses and attempted thefts) between December 2016 and May 2018. Indeed, the domestic and international exposed dollar loss between October 2013 and May 2018 totaled $12.5 billion.

As the losses climbed, so too did attempted BEC scams. The average daily volume of BEC emails reached 128,700 in the first quarter of 2019, a 50% year-over-year increase from 85,816 in 2018, Symantec says in a new blog post detailing modern BEC threats. An average of 6,029 organizations were targeted each month between July 2018 and June 2019, a slight decrease from the 6,089 businesses targeted in the 12 months prior, researchers found.

But that doesn't mean cybercriminals are holding back — they're simply getting smarter about how they craft BEC messages and who receives them. Here is an updated look at modern BEC threats:

Who They're Targeting
Manufacturing and construction firms were the top targets for BEC fraud in 2017 and 2018, when they made up 25% of all BEC incidents, with an average transaction amount of $53,728. Commercial services such as landscaping, retail, and lodging were up 6%, more than other industries, while financial firms dropped from 16% in 2017 to 9% in 2018. At the same time, real estate services increased as a target, going from 9% of incidents in 2017 to 16% in 2018.

Construction may seem an odd choice to outsiders, but it is an appealing one for scammers. Manufacturing firms regularly interact with overseas suppliers, which may require wire transfers for payment, and they often make client information publicly available. The US was the top BEC victim region with 39% of all threats, Symantec reports, followed by the UK (26%).

Real estate is growing as a target due to frequent high-dollar transactions and a growing market. Still, the industries common in a given state are the ones most frequently targeted in that state: finance firms are often hit in New York, manufacturing and construction in Texas.

Data shows attackers are shifting strategies as awareness of their schemes continues to grow. One-third of BEC scams in 2017 involved fake emails impersonating the CEO or president of a company; this fell to 12% in 2018. Now that leaders are wary of threats like these, attackers are increasingly targeting lower-level employees whom they can manipulate into fulfilling their requests.

"It's expanding to new people that are targeted, but also new schemes of getting money from them," says Candid Wueest, senior principal threat manager at Symantec. Now they're going after personal assistants in the finance, accounts payable, and human resources departments.

How They're Targeting
Fraudulent vendor or client invoices made up 30% of incidents in 2017 and 39% in 2018, FinCEN found. Part of the reason is financial gain: The average transaction amount for BECs impersonating an invoice was $125,439, compared with $50,373 for impersonating a CEO. BEC fraud using a fake invoice accounted for 30% of total transactions but 41% of total transaction amounts — the highest among the different types of BEC scams that FinCEN observed.

"That's a spin-off that isn't targeted against CEOs but could target anyone out there," Wueest says. If attackers can break into a corporate email account and obtain a copy of an invoice, they can copy it, add their own banking details, and send it the following month a few days earlier than the company would typically receive it. "Those are very convincing," he adds.

Gift cards are another increasingly popular way for BEC scammers to obtain funds, Symantec says. Scammers ask potential victims to purchase physical and electronic iTunes gift cards, Amazon gift cards, and generic gift cards, supposedly for clients and partners. Victims receive a spoofed email, call, or text from a person of authority requesting that they buy the cards to distribute to employees.

Those who take the bait send the cards back to the attackers, who resell them online for profit. Gift cards require less setup, Wueest explains, and can't be linked to the perpetrators. "They're not using it themselves because, of course, those vouchers have a serial number that can be traced. If they did use it themselves, there's the risk they might be shut down or prosecuted." Wire transfer requests remain popular for their financial gain, but they require more work.

Scammers are also building on previous interactions, chatting with employees, and doing their homework. "One of the things that definitely stood out to me was it's no longer just about transferring the money and doing wire transactions, as it has been in the past," says Wueest. "We can see they do a lot of social engineering and don't put everything in the first email."

Today's BEC scammers start small: "Hey, I need a favor" or "Hey, are you at your desk?" are common openers, he notes. Attackers appear casual at first to build trust. After a few back-and-forth emails, they have a better sense of whether an employee will do what they ask. Some ask for the victim's phone number so they can follow up to send payment details via text.

Wueest recommends businesses double-check suspicious emails, especially if they come from free accounts on Gmail, Yahoo, or AOL. They should also create an environment in which employees aren't afraid to verify emails containing popular BEC keywords — "Urgent," for example, and anything related to payments — or ask leadership if they're legitimate.
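The verification advice above translates directly into mail-gateway triage rules. The following is an added example, not code from the article or from Symantec: it scores an inbound message against the indicators the article describes (free webmail sender, an executive's display name on an external address, a Reply-To that diverges from From, urgency and payment language, gift-card requests, and vendor bank-detail changes) and flags anything with two or more hits for out-of-band verification. The corporate domain, the executive roster, and the three sample messages are constructed for the illustration.

```python
"""Heuristic BEC triage for inbound mail (added example; all data is constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example-corp.test"                      # assumed corporate domain
EXECUTIVES = {"jane doe": "CEO", "john roe": "CFO"}     # constructed roster
FREE_MAIL = {"gmail.com", "yahoo.com", "aol.com"}       # free accounts the article names

# Language patterns drawn from the article: casual openers, urgency, payments, gift cards.
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|are you at your desk|favou?r)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|wire|payment|invoice|bank details|account number|iban|routing)\b", re.I)
GIFT_CARD = re.compile(r"\b(gift ?cards?|itunes|amazon cards?|vouchers?)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|banking details)\b", re.I)


def score_message(raw: str) -> dict:
    """Return a score, verdict and the list of indicators that fired for one RFC 822 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    sender_domain = from_addr.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else (msg.get_payload() or "")
    text = f"{msg.get('Subject', '')}\n{body}"

    reasons = []
    if sender_domain in FREE_MAIL:
        reasons.append("sender uses a free webmail domain")
    exec_role = EXECUTIVES.get(from_name.strip().lower())
    if exec_role and sender_domain != CORP_DOMAIN:
        reasons.append(f"display name matches the {exec_role} but the address is external")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        reasons.append("Reply-To differs from From")
    if URGENCY.search(text):
        reasons.append("urgency or casual-favor language")
    if PAYMENT.search(text):
        reasons.append("payment or wire-transfer language")
    if GIFT_CARD.search(text):
        reasons.append("gift card request")
    if BANK_CHANGE.search(text):
        reasons.append("change of bank details")

    score = len(reasons)
    # Two independent indicators is the (assumed) threshold for holding the mail.
    verdict = "hold for verification" if score >= 2 else "pass"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed samples: an executive gift-card lure, a modified vendor invoice, and a normal internal mail.
SAMPLE_CEO_GIFTCARD = """From: Jane Doe <jane.doe.office@gmail.com>
To: assistant@example-corp.test
Subject: Quick favor

Hey, are you at your desk? I need you to pick up some iTunes gift cards for clients today.
"""

SAMPLE_INVOICE = """From: Accounts <billing@vendor-supplies.test>
Reply-To: billing.vendor-supplies@yahoo.com
To: ap@example-corp.test
Subject: Invoice 4471 - updated bank details

Please note our banking details have changed; remit the attached invoice to the new account number below.
"""

SAMPLE_LEGIT = """From: John Roe <john.roe@example-corp.test>
To: ap@example-corp.test
Subject: Q3 invoice batch

Please process the attached invoices on the normal schedule.
"""

if __name__ == "__main__":
    for label, sample in [("ceo gift card", SAMPLE_CEO_GIFTCARD),
                          ("vendor invoice", SAMPLE_INVOICE),
                          ("internal", SAMPLE_LEGIT)]:
        result = score_message(sample)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for reason in result["reasons"]:
            print(f"  - {reason}")
```

The threshold of two indicators is deliberate: a legitimate internal mail that merely mentions an invoice fires one rule and passes, while the executive-on-Gmail gift-card lure and the invoice with a diverging Reply-To and changed bank details each fire several. A rule set like this supports, rather than replaces, the out-of-band check the article recommends; the "hold" verdict is the cue for a phone call to the known number of the supposed sender.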


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...