Business Email Compromise attacks have exploded in popularity. Gartner has found that BECs increased by nearly 100% in 2019 and through 2023, they predict that BEC attacks will continue to double each year, at a cost of over $5 billion to its victims.BEC can be incredibly difficult to stop. It's no surprise, then, that the Internet Crime Complaint Center (IC3) reported that, in 2020, they received 19,369 BEC complaints. The total losses? $1.8 billion.
BECs, according to Avanan research, make up 20.7% of all phishing attacks. They are popular and effective because they are simple. By spoofing a trusted user it requires no malware or malicious URL to convince a recipient to share valuable information or send significant amounts of money.
Starting in October 2021, Avanan observed a new BEC attack in which a hacker purports to be the CEO of a company, asking an underling for a favor. In this attack brief, Avanan will analyze the company’s most recent discovery of a new BEC attack.
Attack
In this attack, hackers are utilizing classic social engineering techniques to bypass email scanners and target end-users.
- Vector: Email
- Type: Business Email Compromise
- Techniques: Social Engineering
- Target: Lower-level employees
In this attack, a hacker spoofs an executive at a company. They ask for a “swift” response from a lower-level employee.
Email Example #1
In this email, hackers present an email that looks to come from a company president. They use traditional social engineering tactics, such as urgent language, to get the user to act:
This email purports to come from a CEO, asking for a favor.
Techniques
In this email attack, hackers utilized classic BEC techniques. The email starts by spoofing the CEO of a company. However, upon closer inspection, the email address is actually a Gmail address.
Additionally, there are no links present, making it difficult for traditional scanners to stop and for users to apply classic security awareness techniques.
Finally, because the email is coming from a higher-up, the expectation is that the recipient will reply quickly. From there, the hacker has the recipient’s attention and can ask for something sensitive, like money or data.
Best Practices: Guidance and Recommendations
In order to guard against these attacks, security professionals can do the following:
- Always check sender address to ensure that it’s legitimate
- Utilize an email security solution that has internal email protection, offers account takeover protection and uses advanced machine learning for internal context
