Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

The Cybercrime That Reaps the Most Money: Business Email Compromise

October 25, 2022

The Washington Post reported on October 21 that business email compromise (BEC) accounts for billions of dollars in losses, and yet it gets very little attention. The Post speculates that this might be because of its lame-sounding acronym. Perhaps, but we can confirm, as regular lecturers on cybersecurity, that very few people know what BEC is.

In “business email compromise,” or BEC, criminals pose as someone the victim trusts, such as the company’s CEO or the law firm’s managing partner, often by hacking that person and taking over their email account. From the trusted account, the criminals send an urgent message asking for money to be transferred, and then they disappear with it.

BEC regularly tops the FBI’s annual list of costliest internet crimes, which it collects from complaint data. In 2021, BEC accounted for approximately a third of the year’s $6.9 billion in cyber losses — around $2.4 billion. Ransomware lagged behind with just $50 million. A May FBI alert said the amount of BEC losses and attempted theft increased because of the coronavirus pandemic, which forced companies to conduct more routine business virtually.

During the second quarter of this year, cybersecurity company Arctic Wolf said the rate of BEC cases it responded to doubled, from 17 percent to 34 percent.

Why does BEC continue to thrive?

Most of what the BEC criminals do is “really easy,” and the techniques have been honed over time such that “they’re really just rinsing and repeating at this stage of BEC evolution,” Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, said.

It’s not hard to deploy malware that steals access to accounts and sends an email to a victim from that compromised account, he said. The hard part is setting up the bank accounts to move money around, he said, but gangs have figured out how to manage that.

The criminals also don’t have to target big companies to be effective, Kalember said.

“The truth is, they really don’t need the big fish most of the time. We have seen them, in fact, be very, very active in much smaller organizations that simply happen to be in sectors where lots of money is moved around solely based on digital communications and between parties that don’t necessarily know each other all that well,” Kalember said.

It’s also a kind of crime that takes advantage of people’s trust, Daniel Thanos, vice president of Arctic Wolf Labs, said. “Human nature sometimes is too trusting,” he said. “People also respond to urgency.”

It’s not entirely the fault of humans – the criminals are crafty about making the emails look authentic, sometimes using information they gleaned from social media to tailor their messages, Thanos said.

Unlike other cyber-related crimes, the victims don’t always know they’ve been hit until much later, Renals said. A ransomware attack encrypts an organization’s systems, grinding everything to a halt immediately. Law enforcement can help get ransom payments back, but by the time someone realizes they’ve been scammed by a BEC criminal, the money is usually long gone.

It’s not destructive, the way a ransomware attack can be when it shuts down a hospital’s systems. Because it doesn’t hit key systems, it’s not treated as any kind of national security threat, Renals said. Because of the “death by 1,000 papercuts” effect, the smaller heists that add up over time are also less likely to make news, he said.

Many of the thefts might not even get reported, perhaps because being the victim of a BEC scam is potentially more embarrassing than suffering a ransomware attack, Renals said.

“With ransomware, they got into a vulnerability in your network. It happens,” he said. “With business email compromise … that is a very embarrassing story to say, ‘Hey, I got an email from the CEO that told me to transfer money and I did it.’ Nobody wants to own up to that because there’s more of a human aspect there.”

BEC also isn’t interesting in a technical way that might get a ton of attention from security researchers who would make headlines presenting about it at a high-profile cyber conference, Kalember said.

Some of the ways to defend against BEC are similar to the way anyone would defend against most cyberattacks, like using multi-factor authentication to protect email accounts.

Other defenses? “Have an actual process that is validated and tested for how you authorize funds to leave your company,” Renals said. “No funds should ever leave you just based off an email, right? There should be someone you call, there should be a piece of paper that has to be signed and physically handed.”

My advice is to have a clear, written process for wiring money. If you can walk down the hall and get confirmation from the managing partner or CEO in person, that’s great. If not, call the authorizing party at a number you already know to be genuine, such as the one in your firm’s directory, so that an audio deepfake on a number the attacker controls cannot stand in for them. Never call an unknown number given to you in a phone call, email or text, and treat a message that asks you to use a new number as a warning sign in itself.

You would think this would be the policy everywhere, but it is not. And where it is, constant reminders of the policy are still imperative. Human beings forget, and they are vulnerable to the worry that a person in power needs something done immediately. It is all too easy to be sucked in by a BEC scheme.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology