

7/23/2019
04:45 PM

Business Email Compromise: Thinking Beyond Wire Transfers

As BEC continues to drive record-high losses, cybercriminals devise new tactics for swindling corporate targets out of millions.

Business email compromise (BEC) continues to evolve as a prominent enterprise threat as cybercriminals adopt new tactics to manipulate employees into sending funds their way. They've learned from their mistakes to become more advanced and harder to detect.

The number of reports describing BEC incidents has rapidly grown from a monthly average of nearly 500 in 2016 to more than 1,100 in 2018, the Financial Crimes Enforcement Network (FinCEN) says in its July 2019 Financial Trend Analysis. The total value of attempted BEC thefts climbed from an average of $110 million per month in 2016 to $301 million per month in 2018.

In a July 2018 advisory, the FBI's Internet Crime Complaint Center (IC3) dubbed BEC "the 12 billion dollar scam" and cited a 136% increase in identified global exposed losses (including actual losses and attempted thefts) between December 2016 and May 2018. Indeed, the domestic and international exposed dollar loss between October 2013 and May 2018 totaled $12.5 billion.

As the losses climbed, so too did attempted BEC scams. The average daily volume of BEC emails reached 128,700 in the first quarter of 2019, a 50% year-over-year increase from 85,816 in 2018, Symantec says in a new blog post detailing modern BEC threats. An average of 6,029 organizations were targeted each month between July 2018 and June 2019, a slight decrease from the 6,089 businesses targeted in the 12 months prior, researchers found.

But that doesn't mean cybercriminals are holding back — they're simply getting smarter about how they craft BEC messages and who receives them. Here is an updated look at modern BEC threats:

Who They're Targeting
Manufacturing and construction firms were the top targets for BEC fraud in 2017 and 2018, when they made up 25% of all BEC incidents, with an average transaction amount of $53,728. Commercial services such as landscaping, retail, and lodging were up 6%, more than other industries, while financial firms dropped from 16% in 2017 to 9% in 2018. At the same time, real estate services increased as a target, going from 9% of incidents in 2017 to 16% in 2018.

Construction may seem an odd choice to outsiders but an appealing one for scammers. Manufacturing firms regularly interact with overseas suppliers, which may require wire transfers for payment, and they display publicly available client information. The US was the top BEC victim region with 39% of all threats, Symantec reports, followed by the UK (26%).

Real estate is growing as a target due to frequent high-dollar transactions and a growing market. Still, the industries that dominate a specific state are the ones most frequently targeted in that state: finance firms are often hit in New York, manufacturing and construction in Texas.

Data shows attackers are shifting strategies as awareness of their schemes continues to grow. One-third of BEC scams in 2017 involved fake emails impersonating the CEO or president of a company; this fell to 12% in 2018. Now that leaders are wary of threats like these, attackers are looking for lower-level employees whom they can manipulate into fulfilling their requests.

"It's expanding to new people that are targeted, but also new schemes of getting money from them," says Candid Wueest, senior principal threat manager at Symantec. Now they're going after personal assistants in the finance, accounts payable, and human resources departments.

How They're Targeting
Fraudulent vendor or client invoices made up 30% of incidents in 2017 and 39% in 2018, FinCEN found. Part of the reason is financial gain: The average transaction amount for BECs impersonating an invoice was $125,439, compared with $50,373 for impersonating a CEO. BEC fraud using a fake invoice accounted for 30% of total transactions but 41% of total transaction amounts — the highest among the different types of BEC scams that FinCEN observed.

"That's a spin-off that isn't targeted against CEOs but could target anyone out there," Wueest says. If attackers can break into a corporate email account and obtain a copy of an invoice, they can copy it, add their own banking details, and send it the following month a few days earlier than the company would typically receive it. "Those are very convincing," he adds.

Gift cards are another increasingly popular way for BEC scammers to gain funds, Symantec says. Scammers ask potential victims to purchase physical and electronic iTunes gift cards, Amazon gift cards, and generic gift cards for clients and partners. Victims receive a spoofed email, call, or text from a person of authority requesting they buy the cards to distribute to employees.

Those who take the bait send the cards back to the attackers, who resell them online for profit. Gift cards require less setup, Wueest explains, and can't be linked to the perpetrators. "They're not using it themselves because, of course, those vouchers have a serial number that can be traced. If they did use it themselves, there's the risk they might be shut down or prosecuted." Wire transfer requests remain popular for their financial gain, but they require more work.

Scammers are also building on previous interactions, chatting with employees, and doing their homework. "One of the things that definitely stood out to me was it's no longer just about transferring the money and doing wire transactions, as it has been in the past," says Wueest. "We can see they do a lot of social engineering and don't put everything in the first email."

Today's BEC scammers start small: "Hey, I need a favor" or "Hey, are you at your desk?" are common openers, he notes. Attackers appear casual at first to build trust. After a few back-and-forth emails, they have a better sense of whether an employee will do what they ask. Some ask for the victim's phone number so they can follow up to send payment details via text.

Wueest recommends businesses double-check suspicious emails, especially if they come from free accounts on Gmail, Yahoo, or AOL. They should also create an environment in which employees aren't afraid to verify emails containing popular BEC keywords — "Urgent," for example, and anything related to payments — or ask leadership if they're legitimate.
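To make those verification cues concrete, here is a small triage script written for this article as an added example; it is not code from Dark Reading, Symantec, or FinCEN. It scores a raw email on the signals described above: a sender on a free webmail account, "Urgent"-style language and casual trust-building openers, payment, invoice or gift-card requests, a request to move the conversation to text, and a leadership name used from outside the corporate domain. The corporate domain, the executive roster, the phrase lists and both sample messages are constructed assumptions; a real deployment would draw them from the organization's own directory and tune the weights.

```python
"""Heuristic BEC triage (added example, not from the article or the vendors it cites).

Scores one message on the signals the article describes and says whether the
recipient should confirm it with the purported sender out of band (by calling a
known number, never by replying). Domains, names and messages are constructed.
"""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Free webmail providers the article names as worth a second look.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "aol.com"}

# Openers and keywords the article reports as common in BEC emails.
URGENCY_PHRASES = ("urgent", "need a favor", "are you at your desk")
PAYMENT_PHRASES = ("wire transfer", "invoice", "payment", "bank details",
                   "gift card", "itunes", "amazon")
PHONE_PHRASES = ("phone number", "cell number", "mobile number")

# Assumed threshold at or above which the message is verified out of band.
VERIFY_THRESHOLD = 4


def _text_of(msg):
    """Return the plain-text body of a parsed message (first text/plain part)."""
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def score_message(raw, corporate_domain, executives):
    """Score one raw RFC 5322 message; returns (score, list of reasons).

    corporate_domain: the organization's own mail domain (assumed here).
    executives: display names of leaders an attacker might impersonate.
    """
    msg = message_from_string(raw, policy=default)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    text = (msg.get("Subject", "") + "\n" + _text_of(msg)).lower()
    score, reasons = 0, []

    if sender_domain in FREEMAIL_DOMAINS:
        score += 2
        reasons.append("sender uses a free webmail account")
    if (display_name.strip().lower() in {e.lower() for e in executives}
            and sender_domain != corporate_domain.lower()):
        score += 3
        reasons.append("leadership name used from outside the corporate domain")
    if any(p in text for p in URGENCY_PHRASES):
        score += 1
        reasons.append("urgency or trust-building opener")
    if any(p in text for p in PAYMENT_PHRASES):
        score += 2
        reasons.append("payment, invoice or gift-card request")
    if any(p in text for p in PHONE_PHRASES):
        score += 1
        reasons.append("asks to move the conversation to phone or text")
    return score, reasons


def needs_verification(raw, corporate_domain, executives):
    """True when the message should be confirmed with the sender out of band."""
    score, _ = score_message(raw, corporate_domain, executives)
    return score >= VERIFY_THRESHOLD


# Constructed sample: the "start small" pattern the article describes.
SUSPECT_MESSAGE = (
    "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
    "To: assistant@example-corp.com\n"
    "Subject: Are you at your desk?\n"
    "\n"
    "Hey, I need a favor. Send me your cell number, I need some gift cards\n"
    "for clients today and will text you the details.\n"
)

# Constructed sample: routine internal mail from the same executive.
ROUTINE_MESSAGE = (
    "From: Jane Doe <jane.doe@example-corp.com>\n"
    "To: assistant@example-corp.com\n"
    "Subject: Q3 planning\n"
    "\n"
    "Attached is the agenda for Thursday.\n"
)

if __name__ == "__main__":
    roster = {"Jane Doe"}
    for raw in (SUSPECT_MESSAGE, ROUTINE_MESSAGE):
        score, reasons = score_message(raw, "example-corp.com", roster)
        print(score, needs_verification(raw, "example-corp.com", roster), reasons)
```

The scoring is deliberately additive and explainable: each reason maps to a sentence an employee can act on, which matters more for this threat than a precise score, since the article's point is that the final check is a human confirming the request through a channel the attacker does not control.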


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
