Business Email Compromise attacks are on the rise

BEC campaigns continue to shift their targets from C-suite executives and finance employees to group mailboxes, says Abnormal Security.


Business Email Compromise (BEC) is a type of phishing attack in which cybercriminals impersonate a trusted contact or other party, either internal or external to the organization. The goal is to convince the recipient to pay invoices, transfer funds, or hand over confidential information. Because the request appears to come from a trusted entity, the attackers can collect the money or data the victim releases. A report released Thursday by security provider Abnormal Security examines the latest trends and tactics in BEC campaigns.

During the third quarter of 2020, the median number of BEC attacks received per company each week rose by 15% from the second quarter, according to the report. Among these, attacks that employed invoice or payment fraud jumped by 155%, making it the most pervasive type of BEC tactic.

Invoice and payment fraud is popular because it offers the greatest bang for the buck. Phony invoices deployed by attackers have led to some of the biggest financial losses associated with BEC. As businesses contend with thousands of vendors and invoices, paying a fake one without question or confirmation becomes all too easy.

The number of BEC campaigns seen last quarter rose for six of the eight industries tracked by Abnormal Security: Energy/Infrastructure, Services, Medical, Media/TV, Finance, and Hospitality. The number actually dropped in the Retail/Consumer Goods and Manufacturing sector and in the Technology sector, but these two still tied for the highest volume of BEC attacks during the quarter.

Overall phishing attacks exploiting the coronavirus pandemic fell during the third quarter compared with the first half of the year. But invoice and payment fraud campaigns leveraging COVID-19 actually jumped by 81% during the quarter. Such campaigns take advantage of the uncertainty during the pandemic with fraudulent emails that highlight company audits and requests to settle outstanding invoices.


Figure: Example of a COVID-19 related invoice fraud email (image: Abnormal Security).

The intended victims of BEC also shifted last quarter. During the first half of 2020, BEC campaigns increasingly targeted finance employees at the same time they dropped against C-suite executives. In the third quarter, attacks against the C-suite remained the same but those against finance employees fell. Instead, cybercriminals turned more of their attention to group mailboxes, which were hit by the highest number of invoice and payment fraud attacks.

Like traditional phishing emails, BEC campaigns often spoof well-known brands to catch the attention of the recipient. Among the most impersonated brands, DHL took the top spot with fraudulent emails requesting payment for alleged shipments. Dropbox took second place, followed by Amazon, iCloud, and LinkedIn.

Looking at the fourth quarter, Abnormal Security expects BEC to continue to grow as cybercriminals become more effective at thwarting secure email gateways. Invoice and payment fraud attempts that exploit COVID-19 will continue this quarter and on into next year. Finally, invoice and payment fraud campaigns that impersonate internal employees and third-party vendors will persist as the largest BEC threat to businesses.

“It’s easy to take for granted that the vendor on the other end of the email thread is actually the same person you’ve known and communicated with for months if not years,” Ken Liao, VP of cybersecurity strategy at Abnormal Security, told TechRepublic.

“We trust those we know and have a history of doing business with,” Liao explained. “So, when it comes to preventing attacks from compromised vendors, don’t go on ‘auto’ mode. This is especially true for accounts payable departments. Scrutinize changes to financial processes before readily accepting them at face value. Cybercriminals tend to create mail rule changes to fork conversations from compromised accounts to impersonated ones, so when it comes to changes to financial processes, be extra mindful of the email headers and where the request is coming from.”
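As an added illustration of the header scrutiny Liao recommends (this is example code, not from the article or from Abnormal Security), the following Python checks whether a message's From, Reply-To and Return-Path domains disagree and whether the sending domain is a known vendor or merely a near-miss spelling of one; the vendor allow-list, domains and sample messages are all constructed.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list: the vendor domains accounts payable really deals with.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind-logistics.example"}

def _domain(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def inspect_headers(raw_message):
    """Return warnings about where a payment request really comes from.

    Two checks: the From, Reply-To and Return-Path domains should agree (a
    Reply-To pointing elsewhere is how a forked thread lands in a mailbox the
    sender does not control), and the sending domain should be a vendor we know
    rather than a near-miss spelling of one."""
    msg = message_from_string(raw_message)
    from_dom = _domain(msg["From"])
    warnings = []
    for header in ("Reply-To", "Return-Path"):
        other = _domain(msg[header])
        if other and other != from_dom:
            warnings.append(f"{header} domain {other!r} differs from From domain {from_dom!r}")
    if from_dom not in KNOWN_VENDOR_DOMAINS:
        close = difflib.get_close_matches(from_dom, KNOWN_VENDOR_DOMAINS, n=1, cutoff=0.8)
        if close:
            warnings.append(f"From domain {from_dom!r} resembles known vendor {close[0]!r} but is not it")
        else:
            warnings.append(f"From domain {from_dom!r} is not a known vendor")
    return warnings

# Constructed sample messages (not real mail).
GENUINE = (
    'From: "Acme Supplies AP" <billing@acme-supplies.example>\n'
    "Return-Path: <bounce@acme-supplies.example>\n"
    "Subject: Invoice 4471\n\nAttached as usual.\n"
)
FORKED = (
    'From: "Acme Supplies AP" <billing@acme-supplies.example>\n'
    "Reply-To: billing@acme-supp1ies.example\n"
    "Subject: Updated bank details for invoice 4471\n\nPlease remit to the new account.\n"
)
LOOKALIKE = (
    'From: "Acme Supplies AP" <billing@acme-supp1ies.example>\n'
    "Subject: Overdue invoice, settle today\n\nWire details below.\n"
)

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forked", FORKED), ("lookalike", LOOKALIKE)):
        print(name, inspect_headers(raw) or ["no warnings"])
```

Such a check is a triage aid for accounts payable, not a replacement for confirming changed bank details with the vendor through a channel outside the email thread.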