
This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.
Author: Gil Friedrich, Vice President, Email Security, Check Point Software Technologies
- More use of SaaS applications means employee business accounts are being targeted for “business email compromise” (BEC).
- BEC has evolved from basic email phishing scams to more sophisticated iterations, including invoice scams.
- A multi-faceted safeguarding approach to combat BEC combines advanced technology, employee education and strict data and payment policies.
In an era defined by digital connectivity and hybrid working, cyber threats have become an occupational hazard. No matter how large or small, every business is vulnerable to cyberattacks and data breaches. While breach threats to enterprise network security still exist, remote working and moving to cloud-based SaaS applications have led to more attacks that focus on compromising employees’ business accounts. A compromised account gives the hacker access to sensitive data and a foothold for further attacks against other employees and business partners.

The delivery methods vary, but the most exploited vector is email as a vehicle for a credential-harvesting phishing campaign. Phishing in general has grown in scale and sophistication in recent years, with the most damaging form of phishing from a financial perspective being “business email compromise” (BEC). According to Check Point Research, credential harvesting makes up about 15% of all email-based attacks but is the most financially damaging category.
What is ‘business email compromise’?
BEC is a form of phishing where threat actors use an apparently legitimate email address to trick employees into doing something they shouldn’t. The email address will look like the real one, with perhaps one letter off, or will come from a free Gmail account instead of the company domain.

One of the most common instances of BEC is an invoice scam, involving hackers very convincingly posing as a vendor and submitting a fake invoice from a seemingly genuine email address. The recipient of that email, likely someone working in the accounts department, will see it as just another invoice and often pay it without too much scrutiny.

Another form of BEC is CEO fraud, in which an attacker poses as the CEO and requests that an employee make a wire transfer on their behalf or share sensitive company data outside of the secured network. Cybercriminals make great efforts to make the scams as convincing as possible. They often use a similar email address and carry out research to “sound” more like the CEO in communications. By invoking an urgent request from the CEO, scammers hope to use urgency and fear to accomplish their goals.

Payroll fraud is another widespread use of BEC, where attackers pose as an employee and ask somebody in HR to change their direct deposit information, effectively stealing employees’ salaries.

According to the FBI, there were more than 20,000 incidents of BEC in 2022 in the United States, totalling $2.7 billion in losses, and that’s just what has been reported. The actual number is likely to be significantly higher.
BEC has become more sophisticated over the years and we are currently in the “BEC 3.0” generation, with over 40,000 of these attacks taking place in the first two months of 2023 alone.

BEC 1.0 occurred during the pandemic as criminals sought to exploit new distributed working environments. Remote employees were more vulnerable to phishing attacks and created more opportunities for impersonation. In BEC 1.0, the sender email impersonates a colleague, a partner organization or a known brand. In one of the most common forms of attack, hackers impersonate a CEO, often with a generic Gmail address, instructing employees to buy gift cards for a vendor. Many of these emails are text-only, which requires eagle-eyed users and the sophisticated use of artificial intelligence (AI) and machine learning to disrupt. BEC 1.0 continued, but with better-educated end-users and more email security layers tuned to detect and block these attacks, its effectiveness has declined.

In BEC 2.0, emails come from a compromised account. The account could be within the same company or at a compromised partner, with hackers pretending to be business representatives to run invoice scams or gain access to employee information and other sensitive data. This iteration represented a step up in complexity because the email comes from a legitimate partner account that has been compromised. Often, the attackers can use existing threads from the partner, or wait for the right opportunity within a legitimate conversation, to hijack the conversation and attempt to monetize the compromised account.

This year, we’ve seen a third wave. In BEC 3.0, hackers send real notifications from legitimate SaaS services and websites such as QuickBooks, Zoom or SharePoint. On the surface, there is nothing illegitimate or suspicious about these communications because they are sent directly from the site in question. Hackers can also achieve accurate impersonation with identical or similar names to the attacked organization. To carry out the attack, they include a phone number in the invoice that directs to a fake support team, which leads to a convincing scam call. Check Point Research detected nearly 40,000 of these attacks in the first two months of 2023.
Safeguarding against BEC requires a multi-faceted approach that combines advanced technology, employee education, and strict data and payment policies.
Education
Organizations must invest in comprehensive employee education programmes enabling staff to recognize and respond to BEC threats effectively. Employees need to pause and think about the context of the email and whether it feels right. If it doesn’t, it likely isn’t. By understanding the tactics employed by cybercriminals, employees can minimize the risk of falling victim to BEC schemes.
Automated warning
Anti-phishing protections serve as a crucial line of defence, employing artificial intelligence (AI) algorithms to understand the email’s language, context and the relationship between sender and recipient, and to compare its findings with baseline communications. The AI can detect red flags like mismatched sender addresses, compromised phone numbers and changes to the writing style; combining multiple AI models improves the odds of identifying these signs of an attack.
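The sender-side red flags described in this section and in the definition of BEC above (a look-alike domain one letter off, an executive’s name on a free-mail account, a Reply-To that diverts the conversation, an urgent payment request) can be checked with plain heuristics before any machine-learning model is involved. The script below is an added example written for this article; it is not Check Point’s product logic, and every domain, name and message in it is constructed for illustration (OUR_DOMAIN, EXECUTIVES, TRUSTED_DOMAINS and the three sample emails are all hypothetical). Note what it does not catch: a BEC 2.0 message from a genuinely compromised partner mailbox, or a BEC 3.0 notification sent by a legitimate SaaS service, passes every sender check here and only the payment-urgency check has any chance of firing, which is why the article pairs technology with policy and training.

```python
"""Heuristic BEC sender checks (added example; hypothetical data throughout)."""
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed reference data; a real deployment would load these from the
# directory and the vendor master. None of these organisations are real.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}      # display name -> real mailbox
TRUSTED_DOMAINS = {OUR_DOMAIN, "acme-supplies.com"}     # our domain plus known vendors
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
PAYMENT_URGENCY_TERMS = ("urgent", "immediately", "asap", "wire transfer",
                         "gift card", "direct deposit", "bank details")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; catches 'one letter off' domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates (close but not equal)."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def bec_red_flags(raw_message: str) -> List[str]:
    """Return red-flag descriptions for one RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    flags = []

    # 1. Look-alike sender domain (typosquat of our own or a vendor's domain).
    imitated = lookalike_of(from_domain)
    if imitated:
        flags.append(f"lookalike-domain: {from_domain} resembles trusted {imitated}")

    # 2. Executive's display name on a mailbox that is not theirs (CEO fraud).
    key = " ".join(display_name.lower().split())
    if key in EXECUTIVES and from_addr.lower() != EXECUTIVES[key]:
        where = "free-mail account" if from_domain in FREE_MAIL_DOMAINS else "unexpected address"
        flags.append(f"exec-impersonation: '{display_name}' sent from {where} {from_addr}")

    # 3. Reply-To diverts the conversation away from the visible sender's domain.
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append(f"reply-to-mismatch: replies go to {reply_to}, not {from_domain}")

    # 4. Payment request wrapped in urgency language.
    hits = [t for t in PAYMENT_URGENCY_TERMS if t in body.lower()]
    if hits:
        flags.append(f"payment-urgency: {', '.join(hits)}")
    return flags


# Constructed sample messages (hypothetical, for demonstration only).
CEO_FRAUD = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
To: bob@example.com
Subject: Quick favour

Bob, I'm stuck in a meeting. I need you to buy gift cards for a client immediately and send me the codes. Keep this confidential.
"""

INVOICE_SCAM = """\
From: Accounts Payable <billing@acme-supp1ies.com>
Reply-To: acme.billing@outlook.com
To: ap@example.com
Subject: Invoice 4471 - updated bank details

Our bank details have changed. Please wire transfer the outstanding balance to the new account today; this is urgent.
"""

LEGIT_INVOICE = """\
From: Accounts Payable <billing@acme-supplies.com>
To: ap@example.com
Subject: Invoice 4471

Please find invoice 4471 attached, payable within 30 days as per our agreement.
"""

if __name__ == "__main__":
    for name, sample in (("ceo-fraud", CEO_FRAUD), ("invoice-scam", INVOICE_SCAM), ("legit", LEGIT_INVOICE)):
        print(name, bec_red_flags(sample) or ["no red flags"])
```

The distance threshold of 2 is deliberately tight: it catches `acme-supp1ies.com` against `acme-supplies.com` without flagging unrelated domains of similar length, but it will miss homoglyph tricks in other scripts and look-alikes with a different TLD, which a production filter should handle separately (for example by comparing the registrable domain after IDNA normalisation).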
Multi-factor authentication
Finally, implementing strict data and payment policies that require multiple verification steps for money transfers or data sharing is essential. By implementing these measures, businesses can fortify their defences, ensuring that invoices and sensitive information reach their intended