Business email compromise (BEC) continues to evolve as a prominent enterprise threat as cybercriminals adopt new tactics to manipulate employees into sending funds their way. They've learned from their mistakes to become more advanced and harder to detect.
The number of reports describing BEC incidents has rapidly grown from a monthly average of nearly 500 in 2016 to more than 1,100 in 2018, the Financial Crimes Enforcement Network (FinCEN) says in its July 2019 Financial Trend Analysis. The total value of attempted BEC threats climbed from an average of $110 million per month in 2016 to $301 million per month in 2018.
In a July 2018 advisory, the FBI's Internet Crime Complaint Center (IC3) dubbed BEC "the 12 billion dollar scam" and cited a 136% increase in identified global exposed losses (including actual losses and attempted thefts) between December 2016 and May 2018. Indeed, the domestic and international exposed dollar loss between October 2013 and May 2018 totaled $12.5 billion.
As the losses climbed, so too did attempted BEC scams. The average daily volume of BEC emails reached 128,700 in the first quarter of 2019, a 50% year-over-year increase from 85,816 in 2018, Symantec says in a new blog post detailing modern BEC threats. An average of 6,029 organizations were targeted each month between July 2018 and June 2019, a slight decrease from the 6,089 businesses targeted in the 12 months prior, researchers found.
But that doesn't mean cybercriminals are holding back — they're simply getting smarter about how they craft BEC messages and who receives them. Here is an updated look at modern BEC threats:
Who They're Targeting
Manufacturing and construction firms were the top targets for BEC fraud in 2017 and 2018, when they made up 25% of all BEC incidents, with an average transaction amount of $53,728. Commercial services such as landscaping, retail, and lodging were up 6%, more than other industries, while financial firms dropped from 16% in 2017 to 9% in 2018. At the same time, real estate services increased as a target, going from 9% of incidents in 2017 to 16% in 2018.
Construction may seem an odd choice to outsiders, but it is an appealing one for scammers. Manufacturing firms regularly interact with overseas suppliers, which may require wire transfers for payment, and they display publicly available client information. The US was the top BEC victim region with 39% of all threats, Symantec reports, followed by the UK (26%).
Real estate is growing as a target due to frequent high-dollar transactions and a growing market. Still, the industries common in a specific state are more frequently targeted in that state: finance firms are often hit in New York, manufacturing and construction in Texas.
Data shows attackers are shifting strategies as awareness of their schemes continues to grow. One-third of BEC scams in 2017 involved fake emails impersonating the CEO or president of a company; this fell to 12% in 2018. Now that leaders are wary of threats like these, attackers are looking for more lower-level employees whom they can manipulate into fulfilling their requests.
"It's expanding to new people that are targeted, but also new schemes of getting money from them," says Candid Wueest, senior principal threat manager at Symantec. Now they're going after personal assistants in the finance, accounts payable, and human resources departments.
How They're Targeting
Fraudulent vendor or client invoices made up 30% of incidents in 2017 and 39% in 2018, FinCEN found. Part of the reason is financial gain: The average transaction amount for BECs impersonating an invoice was $125,439, compared with $50,373 for impersonating a CEO. BEC fraud using a fake invoice accounted for 30% of total transactions but 41% of total transaction amounts — the highest among the different types of BEC scams that FinCEN observed.
"That's a spin-off that isn't targeted against CEOs but could target anyone out there," Wueest says. If attackers can break into a corporate email account and obtain a copy of an invoice, they can copy it, add their own banking details, and send it the following month a few days earlier than the company would typically receive it. "Those are very convincing," he adds.
Gift cards are another increasingly popular way for BEC scammers to gain funds, Symantec says. Scammers ask potential victims to purchase physical and electronic iTunes gift cards, Amazon gift cards, and generic gift cards for clients and partners. Victims receive a spoofed email, call, or text from a person of authority requesting they buy the cards to distribute to employees.
Those who take the bait send the cards back to the attackers, who resell them online for profit. Gift cards require less setup, Wueest explains, and can't be linked to the perpetrators. "They're not using it themselves because, of course, those vouchers have a serial number that can be traced. If they did use it themselves, there's the risk they might be shut down or prosecuted." Wire transfer requests remain popular for their financial gain, but they require more work.
Scammers are also building on previous interactions, chatting with employees, and doing their homework. "One of the things that definitely stood out to me was it's no longer just about transferring the money and doing wire transactions, as it has been in the past," says Wueest. "We can see they do a lot of social engineering and don't put everything in the first email."
Today's BEC scammers start small: "Hey, I need a favor" or "Hey, are you at your desk?" are common openers, he notes. Attackers appear casual at first to build trust. After a few back-and-forth emails, they have a better sense of whether an employee will do what they ask. Some ask for the victim's phone number so they can follow up to send payment details via text.
Wueest recommends businesses double-check suspicious emails, especially if they come from free accounts on Gmail, Yahoo, or AOL. They should also create an environment in which employees aren't afraid to verify emails containing popular BEC keywords — "Urgent," for example, and anything related to payments — or ask leadership if they're legitimate.
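The checks described above can be automated as a first-pass mail triage. The following Python sketch is an added example, not code from Symantec or FinCEN; the executive name, the example.com organization domain, the keyword lists, and the sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the article; the lists are illustrative, not exhaustive.
FREE_MAIL = {"gmail.com", "yahoo.com", "aol.com"}
OPENERS = re.compile(r"\b(i need a favor|are you at your desk)\b", re.I)
PAYMENT = re.compile(r"\b(urgent|wire transfer|invoice|payment|gift cards?)\b", re.I)
PHONE_ASK = re.compile(r"\b(cell|mobile|phone) number\b", re.I)

EXECUTIVES = {"dana reyes"}   # constructed: lower-cased names of company leaders
ORG_DOMAIN = "example.com"    # constructed: the organization's own mail domain

def triage(raw, executives=EXECUTIVES, org_domain=ORG_DOMAIN):
    """Return the BEC indicators found in one raw single-part RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    hits = []
    if domain in FREE_MAIL:
        hits.append("free-mail sender")
    # A leader's display name on an address outside the company is impersonation.
    if display.strip().lower() in executives and domain != org_domain:
        hits.append("executive name from outside domain")
    if OPENERS.search(text):
        hits.append("casual opener")
    if PAYMENT.search(text):
        hits.append("payment or urgency keyword")
    if PHONE_ASK.search(text):
        hits.append("phone number request")
    return hits

def make(sender, subject, body):
    """Build a minimal raw message (headers, blank line, body) for the samples."""
    return f"From: {sender}\nSubject: {subject}\n\n{body}\n"

# Constructed sample messages.
SAMPLES = [
    make("Dana Reyes <dreyes.office@gmail.com>", "Urgent",
         "Hey, are you at your desk? I need a favor. "
         "Send me your cell number so I can text the details."),
    make("Sam Ortiz <sam.ortiz@example.com>", "Lunch menu",
         "The cafeteria menu for next week is attached."),
    make("Accounts <billing@vendor.example>", "Invoice 1042",
         "Payment is due in 30 days."),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(triage(raw) or "no indicators")
```

A single keyword hit, as in the third sample, is a prompt to verify the request through a known contact rather than a verdict; the stacked indicators in the first sample are what warrant escalation.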