Last year the FBI registered over 21,000 complaints about business email fraud, with adjusted losses of over $2.7 billion. Today this line of attack shows no sign of slowing down. Business email compromise (BEC) techniques are increasingly sophisticated; cybercrime-as-a-service (CaaS) has lowered the barrier to entry for threat actors while also making it easier to evade “impossible travel” alerts, among other safeguards.
BEC is a confidence game. The technology aspects — links that download malware, take users to spoofed sites, or motivate a financial transaction — require social engineering to gain trust and motivate a click.
What are threat actors looking for? Along with useful data like employee records, payroll information, and proprietary business records, BEC actors want to convince someone to fulfill a request for payment or funds transfer using messages that look legitimate, with logos and designs that are copies of the real thing.
With BEC fast becoming a specialty of cybercriminals, security teams need to stay ahead of these evolving threats. Through a combination of technology, policy, and culture, enterprise security teams can help preempt attacks and mitigate the risks of email fraud. Let’s look at how BEC works, along with six key steps to mitigate the risk.
As-a-Service Fuels BEC Growth
Phishing-as-a-service providers make it easy for threat actors to produce effective, authentic-looking BEC campaigns without needing high-level tech skills of their own. Criminal platforms, such as BulletProftLink, go even further, selling templates, automated services, and even a hosting platform. This not only opens up BEC as an avenue to any criminal organization willing to pay, but it also accelerates the ramp-up time, making it fast and easy to launch new campaigns.
Localizing the Threat
Most importantly, in a new trend, BEC threat actors are also purchasing residential IP addresses from residential IP services, enabling them to mask where their emails originate. Armed with localized address space to support their malicious activities (in addition to stolen usernames and passwords), BEC attackers can obscure their movements, circumvent “impossible travel” flags, and open a gateway to conduct further attacks.
Impossible travel alerts indicate that a user account might be compromised. They fire when the same account performs actions from two locations that are farther apart than a person could physically travel in the time between the two events. The specialization and consolidation of this sector of the cybercrime economy could escalate the use of residential IP addresses to evade detection.
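As an added illustration of the rule described above (not code from the original article), here is a minimal impossible-travel check in Python run over constructed sign-in events; the 900 km/h threshold, the coordinates and the user names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime      # UTC timestamp of the sign-in
    lat: float        # approximate latitude from IP geolocation
    lon: float        # approximate longitude from IP geolocation


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, earlier, later, required_kmh) for each consecutive pair of
    sign-ins by the same user that would require travelling faster than max_kmh."""
    alerts = []
    last_seen = {}
    for login in sorted(logins, key=lambda l: (l.user, l.ts)):
        prev = last_seen.get(login.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
            hours = (login.ts - prev.ts).total_seconds() / 3600
            speed = float("inf") if hours == 0 else km / hours
            if km > 0 and speed > max_kmh:
                alerts.append((login.user, prev, login, speed))
        last_seen[login.user] = login
    return alerts


# Constructed sample sign-in events (not real data).
SAMPLE_LOGINS = [
    Login("alice", datetime(2023, 6, 1, 9, 0), 41.88, -87.63),   # Chicago
    Login("alice", datetime(2023, 6, 1, 10, 30), 6.52, 3.38),    # Lagos, 90 minutes later
    Login("bob", datetime(2023, 6, 1, 9, 0), 41.88, -87.63),     # Chicago
    Login("bob", datetime(2023, 6, 1, 11, 0), 41.90, -87.60),    # still Chicago
]


def run_sample():
    return impossible_travel(SAMPLE_LOGINS)


if __name__ == "__main__":
    for user, prev, cur, speed in run_sample():
        print(f"{user}: {prev.ts:%H:%M} -> {cur.ts:%H:%M} would require {speed:,.0f} km/h")
```

Only alice's pair is flagged; bob's second sign-in resolves to the same city, which is exactly what an attacker using a residential IP near the victim looks like, so this check must be combined with other signals.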
Defend Against BEC
There are six key tips security teams can apply. Some can be implemented immediately, while others will require long-term thinking and reinforcement.
Policy and governance are crucial to helping stop BEC. Security by default — for example, a domain-based message authentication, reporting, and conformance (DMARC) policy of “reject” — ensures that messages that fail authentication for your domain are rejected at the receiving mail server. Updating policies for accounting, internal controls, payroll, and HR can help employees know how to handle inbound requests for access, money, or personal information, such as their Social Security numbers.
Thwarting BEC threat actors takes vigilance and an ongoing commitment. As their techniques get more sophisticated, their tricks become harder to spot. Putting the brakes on this con game takes the entire organization, from the C-suite and IT, compliance, and risk management teams to every business unit. Awareness, backed by policy and technology, is the crucial factor in a consistently strong defense.