Are BEC attacks on the rise?

NetworkTigers discusses the rise of BEC attacks (business email compromise attacks).

How quickly do you spot the difference between mkelley@gmail.com and mkelly@gmail.com? What would you do if a well-known client or vendor asked for a wire transfer by the end of the day, or if your HR manager emailed you directly saying they needed your personal information to complete your tax or hiring paperwork? 

These situations could easily cost you or your business thousands, or even hundreds of thousands of dollars. BEC attacks, or business email compromise attacks, are among some of the most effective and dangerous kinds of email phishing happening today. 

Are you at risk of a BEC attack? How can you respond to this particularly insidious kind of email phishing? What are the most common techniques scammers use to fool employees with a BEC attack? Learn the ways that BEC hacks work on their victims and how to protect yourself and your business. 

Understanding the psychology of BEC attacks

A BEC attack is one of the most effective kinds of cybercrime because it utilizes social engineering to cause harm. BEC attacks play upon our human desire to not make mistakes, and our drive to please. In a work environment, especially a fast-paced or high-stress one where asking questions is frowned upon, BEC attacks can wreak havoc more effectively than almost any other kind of email hack. 

Oftentimes BEC hackers pose as authority figures or those who we wouldn’t think to question. BEC attacks often accompany EAC, or email account compromise. In this sophisticated method of BEC hacking, the request for valuable information comes from a genuine email account, now manipulated and freely accessed by a cybercriminal. 

BEC attacks statistics

According to FBI data, BEC/EAC attacks accounted for close to $2.1 billion in losses in 2020. BEC/EAC, when spoofing attempts are accounted for, is estimated to cause approximately 64 times more damage than ransomware does in the US. 

More recently, BEC attacks have been on the rise. The FBI reports an 81% increase in BEC attacks between just the first and second half of 2022. Security center Abnormal’s research study shows that the median open rate for text-based BEC hacks is 28% among company employees. Of these opened malicious emails, an average of 15% receive responses. 

The data is clear on the risk of BEC attacks. While a business’s employees are its greatest asset, when it comes to addressing BEC attempts, they may also be the weakest link in its network security.

Common BEC risks

According to the FBI, the following are some of the most common BEC techniques to be aware of: 

1. Client impersonation: Whether by using fake emails or websites with just one letter moved or changed, BEC hackers prey upon information that we have already learned to trust. One common technique involves posing as a vendor or client and requesting payment be sent to a different account or address than usual.
2. Domain spoofing: Domain spoofing or lookalike domains can be hard to spot, but they are often a key element of convincing a BEC victim to trust that the communication they received is genuine. 
3. CEO fraud: Hackers often pose as authority figures within the company, such as a CEO, CFO, or head of a department in order to con employees into doing their bidding. These hacks can be particularly insidious when they coincide with times that sensitive personal or financial information might logically be requested, such as around tax season, during an onboarding period, or around a company trip. 
4. Grooming: Hackers may make their request right away, or they may wait to try and assuage their victim’s suspicions by building trust. Employees who respond to BEC attacks are likely to find themselves being groomed in order to reveal more information past the first breach, or send larger payments. 
5. Malware hacks: Many BEC attacks are accompanied by malware, making them formidable cybersecurity opponents. Opening an email from an unknown person can expose your company and your own account to both possible impersonation, as well as future BEC attempts. Many BEC hackers will use malware in order to learn personal or company information that can be used to bolster their future impersonation. At other times, malware may be used to infiltrate existing email threads, making a BEC request seem especially trustworthy. 

Protect yourself against a BEC attack

One of the most important things that a company can do to protect against the rising rate of BEC attacks is to train its employees to spot the signs of a BEC hack, and to be on the lookout for them. While legacy systems and implicit trust can make BEC hacks hard to spot, the FBI suggests the following techniques to protect against BEC attempts:

1. Look for small mistakes: A request from an American vendor with the date written in the British format can be a small clue that something is amiss. Likewise, many domain spoofing attempts will involve one misplaced letter or different ending to the address. 
2. Question time pressure: If a request must be fulfilled immediately, or by the end of the day, it may be worthwhile to first check to ensure that it is in fact genuine. 
3. Don’t share personal information on social media: Sharing personal information such as pets’ names, birthdays, and more can allow hackers a foothold into guessing passwords for your accounts. Similarly, sharing information about company trips or holiday events can help give a BEC hacker’s request authenticity if they then reference the publicly available information in their email or text. 
4. Fact check: Never respond to an unsolicited request to update or verify personal information from a financial institution. Likewise, instead of responding to an unknown text or callback number, first do an online search to ensure that the number is genuinely affiliated with the business. 
5. Use multi-factor authentication: Enabling multi-step authentication and other zero trust architecture techniques can stop BEC hacks before funds can be transferred, or sensitive data accessed. 

The bottom line? Know when to delete an email or a text from a suspicious source. Independent thinking may be one of the most powerful ways to fight back against this socially engineered hack that preys upon our group mentality and desire to please.