Business Email Compromise: the Often Ignored, Billion-Dollar Enterprise Threat

It’s well known hackers will continually alternate and adjust their tools, and even migrate to different methods based on what works and what is more profitable. Increasing ransomware attacks are a manifestation of the evolution from other attacks like fraud and theft of payment info and login credentials, which have experienced an exponential drop in profitability. The same could be said for exploit kits, which have experienced a major drop-off after large coordinated take down operations by law enforcement.

Ransomware has been the attack of choice for hackers to obtain payments directly from victims versus relying on indirect methods like stolen credit card dump sales, personally identifiable information auctions and others that rely on a network of thieves who all take a slice of the profits. Actors on the dark web have commoditized ransomware so that anyone looking to stage an attack can simply rent an attack kit, buy hosting space and launch it.

But even ransomware has impediments to profitability. Even after getting paid, an attacker needs to decide what to do with the ill-gotten gains. Most ransomware attacks these days collect bitcoin or another version of digital currency. To convert those currencies to actual dollars, one would need to run a laundering scheme, usually involving currency mules and tumblers. All pieces of these attacks cost money, which eats into the profit.

Threat actors have found that a much easier method of obtaining money directly, with a lower operating cost, is to simply ask for it. The FBI issued a report in May 2017 that losses from business email compromise scams (BEC) are up more than 2,300 percent since 2015, at $5.3 billion.

BEC scams are exactly what they sound like: attacks that compromise the business email of an employee, usually an executive. By spoofing the identity of a CFO, a CEO or an equally senior executive, hackers use the clout of the individual to ask for payroll information, employee data or even to transfer funds directly.

BEC scams, though they seem simple, are incredibly effective when done right. The FBI report cited previously states that there were 23,000 victims in the US since 2013 and more than 40,000 worldwide.

Yesterday, Cisco released its Midyear Cybersecurity Report (MCR), which names BEC as an “old tool” that is seeing newfound use. Ronnie Tokazowski, a senior malware analyst at threat intelligence firm Flashpoint, shed more light on why BEC has become such a threat to enterprises. His intelligence is featured in the Cisco MDR.

“One of the main reasons why BEC scams don’t get as much attention is because of how challenging it can to determine who — on the victim side — is at fault,” he said in a Q&A interview. “In terms of news coverage, BEC tends to keep a low profile. We don’t hear more about BEC scams in the media most likely because they’ve been around for years, aren’t advanced or sophisticated, and doesn’t sound all that newsworthy.”

Considering the losses in the billions, as reported by the FBI, BEC is potentially a larger threat than ransomware.

In terms of prevention, Tokazowski says the human factor plays a crucial role, “One of the best ways to help protect organizations from this type of attack is to work with users and inform them of the threat.”

Employees tasked with money transfers or payments should always question a request sent via email, and even double-confirm with a phone call before going through with a payment or wire transfer. This is especially important if the transaction is a foreign one, and if it is requested with a sense of urgency. Employees working remotely, especially on mobile devices, need to show extra care, as the spoofing of an executive’s identity is likely to be more successful when e-mail is conducted via smart phone.

Cisco CISO Steve Martino says that education is crucial, but it’s just as crucial to educate employees in a way that is relevant to them individually.

“I believe in educating the right people on the matters that mean the most to them. I don’t believe in sitting everyone down for 45 minutes to run through the same cybersecurity awareness training,” Martino said.

To read more about the changing cybersecurity threat landscape, download Cisco’s Midyear Cybersecurity Report here.