Important Facts on Business Email Compromise (BEC) Attacks

Business email compromise (BEC) attacks pretend to be from someone within your organization in an attempt to encourage a knee-jerk reaction of obedience from employees. They work really, really well because no one wants to ignore the CEO’s direct request. 

 Recently discovered flaws in Outlook , evolving tactics from cybercriminals, and the sky-high costs of BEC attacks make this an important issue right now. 

TL;DR: Business email compromise (BEC) attacks are hard to spot, are on the rise, and result in successful attacks that add up to an absolutely astronomical amount of cash lost each year. There are steps you can take to prevent them. Get the facts.  

What Are Business Email Compromise (BEC) Attacks?

A few months back, we wrote an article about cyberinsurance. As we were researching that article, we ran across a news item talking about how Crown Bank lost a legal battle to their cyberinsurer and had to cover the costs of $2 million in damages from a cybercrime attack in which the criminal pretended to be the wife of one of the bank’s senior executives sending an email request for a questionable wire transfer. The unfortunate bank employee hit by this scam failed to follow standard operating procedures to verify the “senior executive’s wife’s” request and [as Seinfeld would say] yadda-yadda-yaddathey lost $2 million to a scam artist. 

The tactic the scammer used: pretending to be a senior executive (or their wife, rather), is what’s known as a business email compromise attack. These use social engineering tactics over email that leverage hierarchy to get an employee to complete an action without asking questions. 

Wire transfer scams are a pretty common way these attacks play out, but other BEC attacks pretend to come from the “tech department” to ask for credentials or from “HR” and “Payroll” to get an employee to download a malware-ridden PDF file purporting to be a check stub or form. 

If you’ve been reading this blog for a while, you’ll recognize that these are all run-of-the-mill phishing scams. The difference between regular phishing and a BEC attack is that, with BEC, the email sender’s address looks perfectly fine. Even highly suspicious employees who are trained to examine a sender’s address before downloading, clicking, or blindly following instructions, can be fooled by these kinds of attacks. 

The Outlook Flaw that Makes BEC Attacks Harder to Spot

As if these attacks weren’t bad enough already, Ars Technica recently reported on a Microsoft Outlook for Windows flaw that may make it easier for scammers to pretend to be mailing from inside your organization. 

To explain this, we’ll need to get a tad technical for a moment. Bear with us: we’ll make it interesting (and use bullet points to keep it quick!) 

  • There are a lot of letters that aren’t in the English language.
  • Examples include: û ƒ í ß ñ œ ∂ and å. 
  • Some non-English letters look a lot like English letters. 
  • Examples include: в а к е о т (to type that, we wrote “d f r t j n” using a Russian keyboard, which has Cyrillic letters).
  • Because these letters look like English letters, hackers leverage them for nefarious schemes. 
  1. Got that? Here’s a test for you to check your understanding: 

Question: Are these email addresses the same? (We wrote them weird, so you can’t click them.) 

  • andrea@your-company-dot-com
  • аndrеа@yоur-cоmpаny-dot-com

Answer: No, they’re completely different. The second one is made up of non-English (Cyrillic) letters that look like English letters. (Don’t believe us? Here’s a link that will decode it for you – just copy that second address into the text box, click “Identify,” and see how many Cyrillic characters come up. It’s freaky.) 

  1. (Just to bend your mind a little bit more: we’ll tell you what we typed to get that second email address. We typed: fndrtf@yjurcjmpfny-dot-com. No kidding. I think we can all agree that is not the same email address.)

As you can see, this is a difficult conundrum. If the letters look alike to the eye, how can you tell the sender isn’t who the email address says they are? As Ars reported, the Outlook issue takes this misunderstanding a step further because the flaw will validate that gibberish email address as your business partner, Andrea, and apply her contact card to the wrong email. 

Long story short: BEC attacks just got worse. 

Other Worrisome Info About BEC Attacks

There are three more very important things to know about BEC attacks. 

  • Cybercriminals want to buy email access

Cybersecurity journalist Brian Krebs recently reported on a growing phenomenon in the cybercrime world where criminals are trying to buy email or other access credentials. To do this, they may email your employees with profit-sharing offers, they may post actual advertisements on ransomware notification desktop wallpaper, or they may post offers on the dark web for “buying/monetizing your access to corporate networks.” 

Of course, these credentials get the criminals insider access to your systems, so these scams are more like really nefarious phishing attempts, but if they get email credentials, they will probably use those emails to run business email compromise attacks. Cybercriminals are like vampires; they will drain you (and your bank accounts) dry. 

  • A blank email in your inbox could be a warning sign

If you get a blank email in your inbox, your company may very well be a BEC attack target soon. 

Here’s why: To validate email addresses that they wish to copy, cybercriminals first have to figure out your email address. To do that, they will send blank emails or fake emails to various permutations of likely email addresses for you, such as andrea@yourcompany or andrea.smith@yourcompany, and cross off every option that receives an email bounce notification. That blank email you received was the one successful email send they had, out of maybe 10 or more tries – and the cybercriminal might be setting up that fndrtf@yjurcjmpfny-dot-com email address (that looks like andrea@yourcompany-dot-com) right now. 

  • BEC attacks cost companies nearly $2 billion in 2020

According to the Internet Crime Complaint Center (IC3), BEC attacks incurred the largest cybercrime business losses in 2020, far surpassing the costs of every other type of attack, including ransomware.

For 2020, the IC3 reported losses of $29.2 million for ransomware, versus $1.86 billion for BEC attacks in the same year. We’re going to question those numbers with a deep skepticism and wonder aloud if maybe ransomware victims are reporting their attacks only to the FBI and not the IC3. We’re also going to wonder aloud here if those costs include the downtime, equipment, and records loss remediation that ransomware attacks require… but even with all that said, $1.86 billion in reported losses solely from BEC attacks, solely in 2020, is a LOT of cash. 

In light of this information, we recommend your company approach emails with caution and take three key steps: 

In the meantime, reach out to your local Seattle Managed Services Provider (MSP) for help securing your systems. 

Reach out to Interplay for cybersecurity help. 

For 20 years, the friendly and knowledgeable team at Interplay in Seattle has helped business leaders across a range of industries get more out of their tech, stress free. Not only are we always (and we mean always) happy to offer the best managed IT services, support, and advice, we’re also the team you can trust for the best cocktail recommendations here in Seattle or in Disney World – we’re versatile! All humor aside though, we’d love to help you get your IT running smoothly and securely, around the clock.