Dark Reading is part of the Informa Tech Division of Informa PLC



04:45 PM

Business Email Compromise: Thinking Beyond Wire Transfers

As BEC continues to drive record-high losses, cybercriminals devise new tactics for swindling corporate targets out of millions.

Business email compromise (BEC) continues to evolve as a prominent enterprise threat as cybercriminals adopt new tactics to manipulate employees into sending funds their way. They've learned from their mistakes to become more advanced and harder to detect.

The number of reports describing BEC incidents has grown rapidly, from a monthly average of nearly 500 in 2016 to more than 1,100 in 2018, the Financial Crimes Enforcement Network (FinCEN) says in its July 2019 Financial Trend Analysis. The total value of attempted BEC thefts climbed from an average of $110 million per month in 2016 to $301 million per month in 2018.

In a July 2018 advisory, the FBI's Internet Crime Complaint Center (IC3) dubbed BEC "the 12 billion dollar scam" and cited a 136% increase in identified global exposed losses (including actual losses and attempted thefts) between December 2016 and May 2018. Indeed, the domestic and international exposed dollar loss between October 2013 and May 2018 totaled $12.5 billion.

As the losses climbed, so too did attempted BEC scams. The average daily volume of BEC emails reached 128,700 in the first quarter of 2019, a 50% year-over-year increase from 85,816 in 2018, Symantec says in a new blog post detailing modern BEC threats. An average of 6,029 organizations were targeted each month between July 2018 and June 2019, a slight decrease from the 6,089 businesses targeted in the 12 months prior, researchers found.

But that doesn't mean cybercriminals are holding back — they're simply getting smarter about how they craft BEC messages and who receives them. Here is an updated look at modern BEC threats:

Who They're Targeting
Manufacturing and construction firms were the top targets for BEC fraud in 2017 and 2018, when they made up 25% of all BEC incidents, with an average transaction amount of $53,728. Commercial services such as landscaping, retail, and lodging were up 6%, the largest increase of any industry, while financial firms' share dropped from 16% in 2017 to 9% in 2018. Over the same period, real estate services grew as a target, going from 9% of incidents in 2017 to 16% in 2018.

Manufacturing and construction may seem odd choices to outsiders, but they are appealing ones for scammers. Firms in these industries regularly interact with overseas suppliers, which may require wire transfers for payment, and they often make client information publicly available. The US was the top BEC victim region with 39% of all threats, Symantec reports, followed by the UK (26%).

Real estate is growing as a target because of its frequent high-dollar transactions and a growing market. Still, the industries that are common in a given state are the ones most frequently targeted there: finance firms are often hit in New York, manufacturing and construction in Texas.

Data shows attackers are shifting strategies as awareness of their schemes continues to grow. One-third of BEC scams in 2017 involved fake emails impersonating the CEO or president of a company; this fell to 12% in 2018. Now that leaders are wary of threats like these, attackers are looking for lower-level employees whom they can manipulate into fulfilling their requests.

"It's expanding to new people that are targeted, but also new schemes of getting money from them," says Candid Wueest, senior principal threat manager at Symantec. Now they're going after personal assistants in the finance, accounts payable, and human resources departments.

How They're Targeting
Fraudulent vendor or client invoices made up 30% of incidents in 2017 and 39% in 2018, FinCEN found. Part of the reason is financial gain: The average transaction amount for BECs impersonating an invoice was $125,439, compared with $50,373 for impersonating a CEO. BEC fraud using a fake invoice accounted for 30% of total transactions but 41% of total transaction amounts — the highest among the different types of BEC scams that FinCEN observed.

"That's a spin-off that isn't targeted against CEOs but could target anyone out there," Wueest says. If attackers can break into a corporate email account and obtain a copy of an invoice, they can copy it, add their own banking details, and send it the following month a few days earlier than the company would typically receive it. "Those are very convincing," he adds.
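The invoice-substitution scheme Wueest describes suggests a concrete accounts-payable control: before paying, compare each incoming invoice against the vendor master record and hold for out-of-band verification any invoice whose bank details, contact number or timing differ from what is on file. The Python below is an added example written for this page, not code from Symantec, FinCEN or the article's author. The vendor records, the two invoices and the seven-day "early arrival" window are constructed sample data and assumptions; the callback number must come from the master record, never from the invoice or the email that carried it.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    bank_account: str     # account/IBAN captured when the vendor was onboarded
    billing_day: int      # day of month this vendor's invoice normally arrives (assumed 1-28)
    phone_on_file: str    # callback number recorded at onboarding, never taken from an invoice


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    number: str
    amount: float
    bank_account: str     # remittance details printed on this invoice
    contact_phone: str    # phone number printed on this invoice
    received: date


# Constructed vendor master records (sample data, not real vendors).
VENDORS = {
    "V-100": VendorRecord("V-100", "GB29NWBK60161331926819", 15, "+44 20 7946 0000"),
    "V-200": VendorRecord("V-200", "NL91ABNA0417164300", 1, "+31 20 555 0100"),
}
EARLY_WINDOW_DAYS = 7   # assumed: a copy sent "a few days earlier" lands inside this window


def _next_billing_date(received: date, billing_day: int) -> date:
    """Billing date on or after `received`, rolling into the next month (and year) if needed."""
    if received.day <= billing_day:
        return received.replace(day=billing_day)
    year, month = (received.year + 1, 1) if received.month == 12 else (received.year, received.month + 1)
    return date(year, month, billing_day)


def check_invoice(inv: Invoice) -> list:
    """Return the reasons this invoice must be verified out of band before payment (empty = none)."""
    vendor = VENDORS.get(inv.vendor_id)
    if vendor is None:
        return ["vendor id not in master record"]
    reasons = []
    if inv.bank_account != vendor.bank_account:
        reasons.append("bank account differs from vendor master record")
    if inv.contact_phone != vendor.phone_on_file:
        reasons.append("contact phone differs from number on file; call the number on file, not the invoice")
    # A copied invoice is typically sent a few days *before* the genuine one is due.
    days_early = (_next_billing_date(inv.received, vendor.billing_day) - inv.received).days
    if 0 < days_early <= EARLY_WINDOW_DAYS:
        reasons.append(f"arrived {days_early} day(s) before the vendor's usual billing day")
    return reasons


# Constructed invoices: the genuine one, and a copy with swapped banking details
# and a new "contact" number, sent four days ahead of the real invoice.
GENUINE = Invoice("V-100", "INV-2019-07", 53728.00, "GB29NWBK60161331926819", "+44 20 7946 0000", date(2019, 7, 15))
FAKE = Invoice("V-100", "INV-2019-07", 53728.00, "DE89370400440532013000", "+44 20 7946 0999", date(2019, 7, 11))

if __name__ == "__main__":
    for inv in (GENUINE, FAKE):
        print(inv.number, inv.received, check_invoice(inv) or "ok to pay")
```

The timing check alone is weak evidence (vendors do bill early), so it is reported as one reason among several rather than a verdict; the bank-account change is the signal that should always stop payment until someone has spoken to the vendor on the number already on file.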

Gift cards are another increasingly popular way for BEC scammers to gain funds, Symantec says. Scammers ask potential victims to purchase physical and electronic iTunes gift cards, Amazon gift cards, and generic gift cards, ostensibly for clients and partners. Victims receive a spoofed email, call, or text purporting to come from a person in authority, requesting that they buy the cards to distribute to employees.

Those who take the bait send the card details back to the attackers, who resell them online for profit. Gift cards require less setup, Wueest explains, and can't be linked back to the perpetrators. "They're not using it themselves because, of course, those vouchers have a serial number that can be traced. If they did use it themselves, there's the risk they might be shut down or prosecuted." Wire transfer requests remain popular because the payoff is larger, but they require more work.

Scammers are also building on previous interactions, chatting with employees, and doing their homework. "One of the things that definitely stood out to me was it's no longer just about transferring the money and doing wire transactions, as it has been in the past," says Wueest. "We can see they do a lot of social engineering and don't put everything in the first email."

Today's BEC scammers start small: "Hey, I need a favor" or "Hey, are you at your desk?" are common openers, he notes. Attackers appear casual at first to build trust. After a few back-and-forth emails, they have a better sense of whether an employee will do what they ask. Some ask for the victim's phone number so they can follow up to send payment details via text.

Wueest recommends businesses double-check suspicious emails, especially if they come from free accounts on Gmail, Yahoo, or AOL. They should also create an environment in which employees aren't afraid to verify emails containing popular BEC keywords — "Urgent," for example, and anything related to payments — or ask leadership if they're legitimate.
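Part of this advice can be automated at the mail gateway or in a SIEM as a triage score: messages that combine a free-webmail sender, an executive's display name on a non-corporate address, a Reply-To that diverges from From, and the "Urgent", payment, "need a favor" and "are you at your desk" phrasing described above are held for human verification, which then happens over a channel the message itself did not supply. The Python below is an added example written for this page, not code from Symantec or the article's author. The two messages, the corporate domain `example.com`, the `PROTECTED_NAMES` directory, the free-mail list, the keyword set, the weights and the review threshold are all constructed or assumed.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

ORG_DOMAIN = "example.com"          # assumed corporate domain
PROTECTED_NAMES = {"jane doe"}      # assumed: display names of frequently impersonated leaders
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "aol.com", "outlook.com", "hotmail.com"}

# Phrases the article singles out: urgency, anything about payments, the casual
# openers used to build trust, and the request for a phone number to move to text.
KEYWORDS = [
    r"\burgent\b", r"\bpayments?\b", r"\bwire\b", r"\binvoice\b", r"\bgift cards?\b",
    r"\bneed a favou?r\b", r"\bare you at your desk\b", r"\b(?:cell|mobile) (?:number|phone)\b",
]
WEIGHTS = {"free_webmail_sender": 2, "executive_name_external_domain": 3,
           "reply_to_mismatch": 2, "keyword": 1}
REVIEW_THRESHOLD = 5   # assumed: at or above this, hold the message for human verification


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts (works for single-part and multipart mail)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> dict:
    """Score one RFC 5322 message for the BEC indicators discussed above."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower() if reply_addr else from_domain
    text = f"{msg.get('Subject', '')}\n{_body_text(msg)}".lower()

    findings = {}
    if from_domain in FREE_MAIL_DOMAINS:
        findings["free_webmail_sender"] = from_domain
    if name.strip().lower() in PROTECTED_NAMES and from_domain != ORG_DOMAIN:
        findings["executive_name_external_domain"] = addr
    if reply_domain != from_domain:
        findings["reply_to_mismatch"] = reply_addr
    hits = [k for k in KEYWORDS if re.search(k, text)]
    if hits:
        findings["keywords"] = hits

    score = sum(WEIGHTS[k] for k in findings if k != "keywords") + WEIGHTS["keyword"] * len(hits)
    return {"score": score, "findings": findings, "hold_for_review": score >= REVIEW_THRESHOLD}


# Constructed sample messages (not real email): a CEO-impersonation lure from a
# free webmail account using the openers described above, and a routine internal note.
SAMPLE_BEC = """\
From: "Jane Doe" <jane.doe.ceo@gmail.com>
To: pat.smith@example.com
Subject: Urgent - are you at your desk?

Hey Pat, I need a favor. Are you at your desk? I need a payment processed
today before the bank closes. Send me your cell number and I will text the
details.
"""

SAMPLE_BENIGN = """\
From: "Jane Doe" <jane.doe@example.com>
To: pat.smith@example.com
Subject: Q3 planning deck

Pat, attached is the planning deck for Thursday. No action needed.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_BEC, SAMPLE_BENIGN):
        print(score_message(raw))
```

Keyword hits are deliberately cheap (one point each) because "payment" and "urgent" appear in plenty of legitimate finance mail; the expensive signals are an executive's name on an address outside the corporate domain and a Reply-To that quietly redirects the conversation. The score only decides who looks; the verification step still has to be a phone call to a number the recipient already had.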


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
