ThreatList: 60% of BEC Attacks Fly Under the Radar

Up to 60 percent of business email compromise (BEC) attacks don’t involve a malicious link, making it more difficult for employees and email security systems to spot that something is amiss, a recent report found.

Researchers at Barracuda, in a new study of 3,000 BEC attacks, found that most of the emails use plain text, and are intended to start a conversation with the recipient — and eventually persuade the target to authorize a wire transfer or send sensitive information to the attacker. In fact, only 40.1 percent of emails included a malicious link.

“These plain-text emails are especially difficult for existing email security systems, because they are often sent from legitimate email accounts, tailored to each recipient and do not contain any suspicious links,” Asaf Cidon, vice president of email security at Barracuda said in the report.

According to the study, 46.9 percent of attacks tried to initiate a wire transfer, while 40.1 percent pushed victims to click on a malicious link.

Up to 12.2 percent of the attacks sought to establish rapport with the victim. For instance, an attacker might first ask the victim whether they are available for an urgent task, and then, once the victim replies to that initial email, ask for a wire transfer.

Finally, another 12.2 percent of BEC emails attempted to steal personally identifiable information (PII) from the targets, typically in the form of W-2 forms that contain Social Security numbers.

Targets Beyond C-Level Roles

Another interesting observation in the report is that, while many BEC emails purport to be from a high-level executive (such as the CEO or CFO), the majority of victims aren’t in sensitive roles.

According to the survey, up to 42.9 percent of emails purported to be from the CEO, and 48.1 percent impersonated “other” roles that aren’t C-level or in finance/HR.

However, on the receiving end, only 2.2 percent of attacks were aimed at CEOs (with 16.9 percent targeting the CFO). Up to 53.7 percent of attacks were targeted at “other” roles.

“As you can see, almost half of the impersonated roles and more than half of targets are not of ‘sensitive’ positions, such as executives, finance or HR,” Cidon said. “Therefore, simply protecting employees in sensitive departments is not sufficient to protect against BEC.”
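The report's point is that a link-based filter sees nothing in these messages, while the signals it does describe (an executive's name on an external mailbox, an "are you available" opener, a wire or W-2 request) are visible in plain text. The following is an added example, not Barracuda's or the report's code, that scores a constructed message on those signals; the executive directory and internal domain are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's own mail domain and a
# small directory of executive names that attackers are likely to impersonate.
INTERNAL_DOMAIN = "example.test"
EXEC_NAMES = {"jane doe"}

RAPPORT = re.compile(r"are you (available|free)|urgent task", re.I)
REQUEST = re.compile(r"wire transfer|W-?2|social security", re.I)
URL = re.compile(r"https?://", re.I)

# Constructed sample: plain text, no link, CEO display name on an external
# mailbox, rapport opener followed by a wire-transfer request.
SAMPLE_BEC = """From: "Jane Doe (CEO)" <jane.doe.ceo@freemail.test>
To: alice@example.test
Subject: Quick task

Are you available for an urgent task? I need a wire transfer sent today.
Let me know and I will send the details.
"""

# Constructed benign sample: internal sender, contains a link, no request.
SAMPLE_BENIGN = """From: "Bob Smith" <bob@example.test>
To: alice@example.test
Subject: Lunch

Want to grab lunch Thursday? Menu is at https://example.test/menu
"""

def link_filter_flags(raw: str) -> bool:
    """What a URL-only control sees: true only if the body carries a link."""
    return bool(URL.search(message_from_string(raw).get_payload()))

def bec_signals(raw: str) -> list:
    """Return the content and identity signals present in a plain-text email."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    signals = []
    # Executive name in the display name but mail sent from outside the company.
    if any(n in name.lower() for n in EXEC_NAMES) and domain != INTERNAL_DOMAIN:
        signals.append("exec_name_external_sender")
    if RAPPORT.search(body):
        signals.append("rapport_opener")
    if REQUEST.search(body):
        signals.append("wire_or_pii_request")
    return signals

def is_suspicious(raw: str) -> bool:
    """Flag when two or more independent signals co-occur."""
    return len(bec_signals(raw)) >= 2
```

On the constructed BEC sample the link filter returns False while the signal scorer flags it; on the benign sample the opposite happens, which is the gap the report describes.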

BEC emails are nothing new, but as companies continue to look for ways to educate their employees against these scams, threat actors are also evolving their techniques. The July edition of Beazley Breach Insights found that business email compromises increased in the second quarter of 2018.

The past year has seen an array of new BEC campaigns discovered in the wild, including a BEC spam campaign targeting Fortune 500 businesses in February, and continued activity by Gold Galleon, a hacking group behind several large-scale BEC attacks on the maritime shipping industry.