Why business email compromise attacks could be deadlier than ransomware
At Bytagig we often examine the widespread dangers of ransomware, malware, and cyber-attacks. But it’s easy to overlook other attack types that are just as deadly, if not more so. One in particular is the BEC attack, or “business email compromise.”
BEC follows the same skeleton as a phishing scam: it relies on social engineering and deception rather than on a technical exploit. The reason it’s more concerning than ransomware? The financial damage it can cause is often more severe. Ransomware makes the headlines (and rightfully so) because it visibly cripples high-profile networks, organizations, and enterprises. BEC attacks, more often than not, fall into “silent killer” territory: there is no encrypted disk or ransom note to announce them, the money simply leaves the account.
The idea is simple: get someone who controls company money to transfer it into an account the attacker controls. To achieve this, BEC attackers impersonate senior staff and management.
It’s effective because it exploits the trust relationship between colleagues. If you see an email from a manager or trusted staff member, your instinct is to act on it as quickly as possible. So far the approach has proven very successful; in 2019 alone BEC cost businesses worldwide billions of dollars. It’s a global threat and one that should be taken very seriously.
Success breeds more threats
Like ransomware operators, BEC attackers see opportunity and act on it.
Within the Dark Web, for instance, forums and digital markets sell RaaS (ransomware-as-a-service) kits that require minimal expertise to deploy. The idea that one must be a software or IT engineering expert to deploy malware no longer applies in today’s threat climate; with some basic knowledge, anyone can use it.
The same goes for BEC-style attacks. Some reports show that technically sophisticated schemes are yielding less profit for malicious actors, so social-engineering ploys, which need only the acquisition and manipulation of private information (names, roles, vendor relationships, and the like), look far more attractive. What this means is we’ll likely see a rise in BEC attacks at all organizational levels, so it’s important to remain vigilant.
Another reason is that BEC attacks are cost-effective. They require no malware, exploit, or infrastructure beyond an email account, and rely on phishing-style social engineering to succeed.
Fortunately, detecting and stopping BEC attempts doesn’t require complex security software. Awareness, sound payment procedures, and the habit of verifying requests out of band are the main tools one needs.
Preventing BEC Attacks
Even beyond the social engineering, remember that the heart of a BEC message is a request to move money. So no single person should be able to release a transfer without the approval (and independent verification) of several trusted people, and any new or changed bank details should be confirmed by phone using a number already on file, never one supplied in the email. With that in place, it’s far more likely someone will notice the problem and stop an erroneous funds transfer.
Other tips include:
- Setting up 2FA for logins to business email and finance systems, so a stolen password alone doesn’t hand an attacker a trusted mailbox
- Creating mail-flow rules that tag messages arriving from outside the organization and flag external senders whose display name matches an executive’s
- Not allowing major funds transfers, or changes to a payee’s bank details, to be requested or approved through email alone
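The dual-control rule above can be enforced in the payment workflow itself rather than left to habit. The following is an added example, not code from Bytagig or from the article; the approver counts, the high-value threshold and the account numbers are illustrative assumptions. It models the three checks a finance team needs: the requester can never approve their own request, a release needs several distinct approvers (more for large amounts), and a beneficiary account that differs from the one on record is blocked until someone has confirmed it by phone.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed policy parameters (illustrative, not taken from the article).
MIN_APPROVERS = 2                 # distinct approvers for any transfer
HIGH_VALUE_THRESHOLD = 25_000.0   # above this amount one more approver is required
HIGH_VALUE_APPROVERS = 3


@dataclass
class TransferRequest:
    requester: str                   # person who raised the request, e.g. after an email instruction
    amount: float
    beneficiary_account: str         # account the request asks to pay
    account_on_file: str | None      # account recorded for this payee; None if the payee is new
    approvals: set[str] = field(default_factory=set)
    callback_verified: bool = False  # new/changed details confirmed by phone to a number on file


def approve(req: TransferRequest, approver: str) -> bool:
    """Record an approval; the requester may never approve their own request."""
    if approver == req.requester:
        return False
    req.approvals.add(approver)      # a set, so one person approving twice still counts once
    return True


def required_approvers(req: TransferRequest) -> int:
    return HIGH_VALUE_APPROVERS if req.amount > HIGH_VALUE_THRESHOLD else MIN_APPROVERS


def release_decision(req: TransferRequest) -> tuple[bool, str]:
    """Decide whether the transfer may be released, and why not if it may not."""
    needed = required_approvers(req)
    if len(req.approvals) < needed:
        return False, f"needs {needed} distinct approvers, has {len(req.approvals)}"
    if req.beneficiary_account != req.account_on_file and not req.callback_verified:
        return False, "beneficiary details differ from record; confirm by phone using the number on file"
    return True, "release"


if __name__ == "__main__":
    # Constructed scenario: an emailed instruction asks to pay a supplier to a new account.
    req = TransferRequest("alice", 8_000.0, "GB00NEWBANK", "GB00OLDBANK")
    approve(req, "alice")            # ignored: requester cannot self-approve
    approve(req, "bob")
    approve(req, "bob")              # duplicate, still one approver
    print(release_decision(req))     # blocked: only one distinct approver
    approve(req, "carol")
    print(release_decision(req))     # blocked: bank details changed, no callback yet
    req.callback_verified = True
    print(release_decision(req))     # (True, 'release')
```

The phone call is the human step the code cannot do for you; the point of recording it as a flag is that the system refuses to pay until someone has made it, and made it to the number already on record rather than to the one the email helpfully provides.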
Some BEC attacks take a different angle, usually exploiting urgency or imitating official contacts outside the company network. Be on the lookout for those too. Common BEC pretexts include:
- Imitating a company head such as a CEO or CIO requesting a funds transfer
- Posing as a third-party supplier or shipping company requesting payment to complete a priority shipment (or any similar pretext), often from a lookalike domain
- Attempts to steal data or credentials for use in a later ransomware-related attack
- Imitating legal counsel or an attorney, typically with a claim of confidentiality
The idea, as you can see, is to use a high-tier position or place of authority to avoid suspicion and get a money transfer made as soon as possible.
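The pretexts above leave traces in the message headers even when the text is convincing: an executive’s display name on an outside address, a Reply-To that points somewhere other than the From, a domain one character away from the company’s, and urgency words in the subject. The following is an added example, not code from Bytagig or from the article, that scores a raw message against those signs using only the Python standard library. The company domain, the protected executive name, the urgency word list and the three sample messages are all constructed assumptions.

```python
from __future__ import annotations
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
# assumption: people attackers like to impersonate, keyed by lower-cased display name
PROTECTED_SENDERS = {"jane doe": "jane.doe@example.com"}
URGENCY_TERMS = ("urgent", "asap", "immediately", "wire", "confidential", "gift card")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, reference: str = COMPANY_DOMAIN) -> bool:
    """True for domains within two edits of ours, or that embed our name (example-co.com)."""
    if not domain or domain == reference:
        return False
    brand = reference.split(".")[0]
    return levenshtein(domain, reference) <= 2 or brand in domain


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC warning signs present in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    findings: list[str] = []

    real_addr = PROTECTED_SENDERS.get(from_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        findings.append("display-name impersonation")
    if from_domain != COMPANY_DOMAIN:
        findings.append("external sender")
        if is_lookalike(from_domain):
            findings.append("lookalike domain")
    if reply_addr and reply_domain != from_domain:
        findings.append("reply-to mismatch")

    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if any(term in text for term in URGENCY_TERMS):
        findings.append("urgency language")
    return findings


# Constructed sample messages (not real mail) illustrating the pretexts described above.
CEO_SPOOF = """\
From: Jane Doe <jane.doe@example-co.com>
Reply-To: Jane Doe <jdoe.ceo@gmail.com>
To: controller@example.com
Subject: Urgent wire transfer needed today

Please process this wire ASAP. I am in a meeting and cannot take calls.
"""

LOOKALIKE_VENDOR = """\
From: Accounts Payable <billing@examp1e.com>
To: finance@example.com
Subject: Updated bank details, please pay immediately

Our remittance account has changed; use the new details below.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Q3 budget review notes

Attached are the notes from Tuesday's meeting.
"""

if __name__ == "__main__":
    for label, raw in (("CEO spoof", CEO_SPOOF), ("lookalike vendor", LOOKALIKE_VENDOR), ("legitimate", LEGIT)):
        print(f"{label}: {bec_indicators(raw) or ['no indicators']}")
```

Heuristics like these are a triage aid for the mail gateway or the SOC, not a verdict: a message that hits several of them deserves a phone call before any money moves, and they complement rather than replace SPF, DKIM and DMARC enforcement, which stop outright spoofing of your own domain but do nothing about a lookalike domain the attacker legitimately registered.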
Other BEC considerations
Because of this, defending against BEC attacks proves difficult. Mainly, it’s because social engineering and fraudulent messages carry no malicious attachment or link, so they don’t fall under the umbrella of automated anti-virus defenses.
And, obviously, email requests for financial transfers are always suspect unless you were expecting one. Still, despite their obvious nature, BEC attacks are surprisingly effective.
Consider the additional hazards created by remote working and COVID-19. Attackers are taking advantage of misinformation, less-stringent security policies, and staff who can no longer walk down the hall to confirm a request in person; BEC scams are no different.