Preparing for New Business Email Compromise Attacks

Dr. Chris Pierson


February 1, 2023


Business email compromise (BEC), also known as “CEO fraud,” is one of the most expensive forms of cyberattack, yet companies continue to overlook it as a significant and active threat to their bottom lines.

Traditionally, BEC is defined as a sophisticated form of phishing that involves the criminal taking over the email account of a high-ranking executive and using it to conduct social engineering attacks on other employees. The ultimate goal is to steal money, often through fraudulent wire transfers.

While ransomware receives the lion’s share of attention, BEC-related theft can be just as expensive as a ransomware demand, if not more so. According to IBM’s Cost of a Data Breach Report 2022, “BEC and phishing attacks led to the highest average breach costs—about $4.9 million per incident.” The FBI reports that BEC scams have cost businesses over $43 billion globally since 2016, making it one of the most costly forms of attack used by cybercriminals.

Recently, a growing number of BEC-style attacks have been moving to communication platforms other than email, such as SMS, messaging apps, social media and collaboration platforms like Slack. Some hackers are even combining deepfakes with BEC tactics on video conferencing platforms.

Over the coming year, risk managers should expect to see a surge in these new “hybrid BEC” attacks that will put their companies’ cybersecurity processes to the test. Here are key points for risk managers to be aware of:

1. There are many variations within these attacks. While account takeover and executive impersonation traditionally define BEC attacks, the risk has become more complicated as these attacks frequently deviate from the standard definition. Therefore, it is important for risk managers to understand that BEC is more of a concept than a specific act and to expect wide variations in real-world attacks.

For example, many BEC attacks use spoofing instead of actual account hacking. They may also skip the executive completely and use the account of a lower-ranking employee, IT personnel, third-party contractor, vendor or even a customer. They may target personal accounts instead of work accounts. Additionally, they often use means other than wire transfers to steal money. For instance, many cybercriminals these days are more partial to gift card payments because these cannot be canceled and are harder to trace. In some cases, BEC hackers may not even be after money at all. They may use these same tactics to steal information, such as client information, intellectual property or employee W2s.

2. BEC is a communication attack, not just an email threat. At their heart, BEC attacks are about exploiting trusted communications, not just email. This means any communication channel employees use in their professional or personal lives can be a target.

While corporate email has long been a focal point for BEC and other types of phishing scams, improvements in email security have made these attacks harder for cybercriminals. Since hackers often look for the path of least resistance, many are now expanding these scams to personal email accounts and other communications platforms. These platforms, including SMS, messaging apps, social media, video conferencing and collaboration platforms like Slack, often have little built-in scanning for malware or malicious messages and they are not able to detect a hijacked account. Most companies also lack sufficient monitoring of these platforms, which creates an enormous blind spot for potential attacks. 

3. Mobile messaging attacks are on the rise. One of the most significant new forms of BEC is the mobile messaging attack, which became prevalent in 2022 as a wave of attacks targeted organizations both big and small. One of the most prominent cybercrime groups to use the mobile BEC attack is known as “0ktapus.” This group successfully targeted over 130 companies using these tactics, including many well-known brands like Twilio, Doordash and Mailchimp.

In a mobile BEC attack, the hacker uses SMS messages and/or messaging apps like WhatsApp to carry out a social engineering attack on employees. One of the most popular types of mobile BEC scams is the fake IT notification, where a hacker impersonates someone in the IT department and notifies the employee that they need to update or authenticate one of their important IT services, such as Office 365, identity management platforms, VPNs or remote access. The hacker may send a fake login link and will ultimately try to steal the employee’s password and two-factor authentication codes, giving the cybercriminal full access to the account and a backdoor into the company’s network.

These attacks can be difficult to detect, particularly when using SMS since text messages are not authenticated the same way emails are. Mobile carriers allow any phone number, including VoIP and fake phone numbers, to send text messages to a person’s phone without verification.

4. LinkedIn phishing scams are becoming increasingly common. In another variation of BEC scams, hackers now frequently use social media to carry out targeted spearphishing attacks on executives and key employees that can lead to data breaches through stolen credentials or malware.

This is especially common on LinkedIn, which presents an ideal platform for BEC attacks because it is an easy way for hackers to reach C-level executives, HR managers and sales teams directly without having to worry about whitelisting protections or spam filters. These attacks are becoming extremely sophisticated, with many hackers even using artificial intelligence tools to create “synthetic” headshots. Because these are newly generated images, a reverse image search will not find them anywhere else online and so cannot expose them as fakes, though it is still a check worth performing.

Organized criminals will take the time to create an authentic-looking LinkedIn profile, build a large network of business connections and approach their targets through a convincing pretext, such as a business referral, RFP, job recruitment or resume submission. They will frequently impersonate other business executives, headhunters or vendors.

Most of these attacks happen through LinkedIn direct messages, but the cybercriminal may push the victim to continue the conversation on a different platform like WhatsApp. Although LinkedIn scans for viruses in attached files sent through its messaging portal, sophisticated hackers may still be able to beat this security check.

5. Beware of virtual impersonation scams. Deepfake tools and other machine learning and artificial intelligence technologies are creating new possibilities for BEC attacks, but are still in their infancy. In 2022, the FBI issued multiple alerts about the rise in BEC-style scams taking place on video conferencing platforms like Zoom. By using deepfake tools, hackers can engage in live “virtual phishing” attacks on company employees by impersonating the CEO or other top executive in a fake meeting. Hackers are also exploiting the remote interview process by impersonating job candidates for IT positions and other sensitive roles in order to gain access to important company systems and information.

Businesses should also be aware of the potential for BEC “vishing” attacks that use audio deepfakes to impersonate the voice of an executive. This tactic is already being used by cybercriminals to steal money and information from companies. For example, in a case that was brought to light in 2021, fraudsters were able to steal $35 million after using forged email messages and deepfake audio to convince an employee of a United Arab Emirates company that a director requested the money as part of a corporate acquisition. Some cybercriminals are also using AI tools to launch targeted attacks on key executives, such as a 2019 case in which the attackers were able to mimic a CEO’s voice accurately enough to call the chief executive of a subsidiary and convince him to wire funds to another firm.

How to Minimize Your Company’s Risk

Hybrid BEC attacks will be challenging to prevent completely because they take advantage of trusted business relationships and communication channels to manipulate employees. They also exploit a growing vulnerability in corporate security programs created by the increasingly blurry lines between work and private life when it comes to digital communications and devices. However, companies can significantly reduce their risks by implementing a layered defense approach, which should be equal parts prevention and post-breach contingency planning.

The first step is for companies to address the blind spot in their communications. Strict policies should be in place for how employees use non-email platforms like messaging apps, texting, social media, video conferencing and collaboration platforms. These rules should clearly state what can and cannot be done on these platforms, what information (if any) can be shared, and with whom they can communicate. It is particularly important that sensitive tasks like payment authorizations, IT updates, password reset requests and document requests have a prescribed process that must be followed, and dual authentication should be mandated.
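As an added illustration (not code from the article or from BlackCloak), the following Python model shows what such a prescribed process can look like for the sensitive tasks named above: the request may arrive over any permitted channel, but verification must use a callback number from the company directory rather than any number in the message (since, as noted earlier, SMS sender numbers are not authenticated), and two approvers independent of the requester must sign off. The task list, channel list, directory entries and names are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Hypothetical policy: tasks the article names as sensitive, and the
# channels a request may arrive on (a request channel never verifies anything).
SENSITIVE_TASKS = {"payment", "password_reset", "it_update", "document_request"}
REQUEST_CHANNELS = {"email", "slack", "sms", "whatsapp", "linkedin"}

# Constructed directory: the only contact details a callback may use.
DIRECTORY = {
    "cfo@example.com": {"callback": "+1-555-0100"},
    "ap.clerk@example.com": {"callback": "+1-555-0101"},
    "controller@example.com": {"callback": "+1-555-0102"},
}


@dataclass
class Request:
    task: str
    channel: str
    claimed_sender: str                  # identity asserted in the message
    sender_address: str                  # number/handle the message came from
    requested_by: str                    # employee who received and logged it
    callback_number: Optional[str] = None  # number actually dialed to verify
    approvers: Set[str] = field(default_factory=set)


def evaluate(req: Request) -> Tuple[bool, List[str]]:
    """Return (approved, reasons); every failed control is reported."""
    problems: List[str] = []
    if req.task not in SENSITIVE_TASKS:
        return True, ["not a sensitive task; normal handling"]
    if req.channel not in REQUEST_CHANNELS:
        problems.append(f"channel {req.channel!r} not permitted")
    entry = DIRECTORY.get(req.claimed_sender)
    if entry is None:
        problems.append("claimed sender not in directory")
    elif req.callback_number != entry["callback"]:
        # The sender_address in the message is deliberately ignored here:
        # only a callback to the number on file counts as verification.
        problems.append("no callback to directory number on file")
    # Dual authentication: two approvers, neither the requester nor the
    # person the message claims to be from.
    independent = req.approvers - {req.requested_by, req.claimed_sender}
    if len(independent) < 2:
        problems.append("fewer than two independent approvers")
    return (not problems), (problems or ["all controls satisfied"])
```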

Since account takeovers are a common pathway for BEC hackers, all executives and employees should be educated on how to create strong, unique passwords for their personal email accounts, and how to enable multi-factor authentication protections. They should also understand the various ways hackers can steal these passwords, from tricking them with fake login pages to buying older passwords on the dark web and stealing session cookies for browser-based applications.

In addition to these preventive steps, companies also need to prepare for the possibility of a successful BEC attack. This means implementing a number of damage control measures, such as requiring encryption for documents shared over any digital platform. Then, if an employee’s account is hacked, the cybercriminal will not be able to access these files.

Additional measures companies should take to reduce their overall risk from BEC include implementing employee access controls, contractor/vendor security controls, rigorous cancellation of old/expired user accounts, network segmentation and data protection through backups and encryption.

Dr. Chris Pierson is the CEO and founder of BlackCloak and a Distinguished Fellow of the Ponemon Institute. He also served for over a decade on the U.S. Department of Homeland Security’s Privacy Committee and Cybersecurity Subcommittee.