One of the most financially devastating attacks is Business Email Compromise (BEC). In 2021, the FBI found that BEC-related complaints added up to $2.4 billion. For context, in 2016, that number was just $360 million. That 2021 number is likely an undercount.
BEC is tough to grasp because it’s more than just one attack. It’s an array of attacks, always with the idea of leveraging something that appears legitimate to get the end-user to do something they don’t want.
We’ve been tracking BEC attacks for years and see them regularly today. What we’ve noticed is that there’s been a general evolution of BEC.
First, there was BEC 1.0. This again encompassed a lot of things, but in general, it worked like this:
- A hacker poses as your boss, usually spoofing the boss’s email address (like firstname.lastname@example.org instead of email@example.com)
- There’s a simple question, usually going like this: “Hey, I’m in an urgent meeting, can you please get some gift cards for this customer?”
- For the most part, end-users can use basic email security hygiene to identify these attacks, including looking at the sender’s address or asking the boss outside of email if this is legitimate.
Then, hackers evolved to BEC 2.0. Most attacks today–including today’s attack brief–are in this category. Here’s how it works:
- A hacker compromises an account, either at your organization or, more likely, a partner's organization.
- They use that account to insert themselves into legitimate email threads, responding as if they were employees
- If it involves an invoice, they can tweak the bank information, and the money will be routed into their account. The end-user is none the wiser.
What we’ve seen emerge is BEC 3.0. This has yet to be the dominant BEC variant, but we believe it will be in the next few months. Here’s how it works:
- Hackers are using actual services to unleash the attack
- Hackers will create a legitimate account in PayPal or QuickBooks, or RingCentral and use that to release the attack
- Essentially, you no longer get a fake invoice; you get a legit invoice from QuickBooks with a fraudulent configuration
These attacks are incredibly difficult for users and tools to uncover because the sender’s reputation and email format is perfect. PayPal is a legitimate service; it will pass all sender reputation checks, and Natural Language Processing will not notice the difference.
Today’s attack is an example of conversation hijacking. An account was compromised. The hacker used that to insert themselves into a conversation to direct legitimate funds to a different bank account.
In this attack brief, researchers at Avanan, a Check Point Software company, will discuss how threat actors use undelivered messages to trick users into handing over money.
In this attack, hackers compromise an account and forward legitimate undelivered messages to end-users to trick accounting teams into sending unwanted payments.
- Vector: Email
- Type: Phishing
- Techniques: BEC
- Target: Any end-user
Email Example #1
This email starts innocently enough. It’s a forwarded email from a compromised account from someone in accounting. The forward email is an old email of an invoice that was “never” successfully paid, and thus the payment needs to be remitted immediately. This email example showcases conversation hijacking.
When opening the attachment, which is just an .eml file, the end-user will see an issue with sending a pay stub remittance. The message had a “problem with the recipient” mailbox. They’ll notice that a pay stub still needs to be paid. Here, the user has a choice. They can either immediately pay the invoice, which would go to the hacker since they’ve changed the details on the remittance form. Or, they can go into their procurement system and look up the payment details. Most likely, they’ll see that it’s already been paid.
It’s just a created message to show the intended recipient that they have to repay this invoice.
This BEC attack starts like many do–with a compromised account. Catching compromised accounts can be difficult, but it helps to have AI and ML that can profile the user’s baseline and see when something is amiss. Being able to do that across the entire SaaS portfolio helps too.
This account was compromised, and hackers began sending timely emails. In this case, they highlight to the accounting department that a payment remittance may have yet to get through to its intended recipient.
Here, the end-user has a choice. End-users can look up that invoice in their system. If it exists, which it likely does, they may go ahead and pay it. A better solution will be to ask the sender–ideally in person–if this is a legitimate email. Otherwise, the hacker may have the end-user right where they want them.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Create processes for employees to follow when paying invoices or entering credentials
- Implement advanced security that looks at more than one indicator to determine if an email is clean or not