The ABCs of BEC in 1, 2, 3

Author: Crypsis Group September 8, 2020

A business man typing emails on his phone with a laptop and tablet also on his desk

Business Email Compromise (BEC) is the unauthorized access to an organization’s email system by threat actors in an attempt to commit fraud or data exfiltration. Most typically, these present as spear phishing attacks where threat actors send emails impersonating authoritative figures in the business, such as the CEO or CFO, requesting accounting or other staff to execute money transfers into unauthorized accounts. With one well-executed and well-timed fraudulent email, organizations can be out thousands of dollars. In our recently released Crypsis Incident Response and Data Breach Report, we reported that the average BEC attack cost victims $264,117 in 2019. The highest amount? We have seen threat actors steal $5M from a single victim.

With the increased reliance on email during the COVID-19 and #stayhome “new normal” increasing the opportunity to wage attacks, preventing these incidents requires a comprehensive user education program, solid email security controls, and rigorous financial processes. In this blog, we will review our top 3 BEC key takeaways, look at who is most at risk, discuss the 2020 BEC landscape, and provide tips for how to protect against this growing threat.

Takeaway 1: BEC Attackers Are Doing Their Homework

In the past few years, we have seen threat actors become more thoughtful in their attacks. While most BEC attacks of previous years were mass distributed and untargeted, Crypsis has observed a distinct increase in 2018-2019 of well-researched, targeted, and sophisticated BEC attacks. Observed Tactics, Techniques, and Procedures (TTPs) have included conducting pre-attack reconnaissance to select the best victims to target with spear phishing campaigns. Attackers target accounts that provide immediate access to high-level credentials, information, and the organization’s financial accounts, such as the company’s executives and accounting staff. If the phish is successful, threat actors can begin to set up fraudulent wire transfers and other activities. 

Using Email to Launch Other Attacks

Once the threat actor has access to the email account, they often leverage it for additional malicious activity. We’ve seen threat actors create the infrastructure to successfully “spoof” the victim’s email address so they have the ongoing ability to impersonate their victim and exploit their contacts or send out malicious spam from the account. Additionally, they may pivot to other accounts discovered to wage more attacks. To learn more about threat actor tactics, check out this video here.

Business Email Compromises - Spoofed or Not__v4

Takeaway 2: No Vertical Sector Is Immune–But Some Fall Harder

Every vertical sector uses email and has money worth stealing; thus, none are immune to BEC attacks. However, in our 2019 study, we noted that two sectors–Financial Services and Healthcare–were affected disproportionately.

Eighteen percent of our 2019 BEC incidents in 2019 were within the Financial Services sector. And perhaps it’s little surprise–comprising banks, credit unions, real estate firms, and accounting firms of all sizes (many of them smaller with fewer security staff), these organizations have financial transactions in play on a continuous basis, with a broader span of employees with authorization to make these transactions (and that threat actors can target).

Healthcare has also been a significant target, receiving 15% of our BEC incidents. Healthcare organizations frequently send and receive invoices for expensive medical services, solutions, and technology, posing a ripe opportunity for threat actors to insert themselves into the process. 

While wire fraud is the primary goal of BEC in our experience, sensitive data can be exposed as well and have detrimental effects to any vertical sector. Within Crypsis’s several hundred BEC cases last year, 48% of them exposed sensitive data. 80% of those cases included exposed medical records, Social Security numbers, names, dates of birth, financial account information, and tax IDs.

Takeaway 3: Shifting IT Models in Response to COVID-19 Will Require Increased Vigilance

Since the coronavirus pandemic began impacting the American workplace in March 2020, Crypsis has observed threat actors taking advantage of fear and uncertainty to exploit victims with a broad range of COVID-19-related attacks, BEC among them. The Federal Bureau of Investigation issued a press release in April warning of an anticipated rise in COVID-related BEC attacks, citing specific examples of recently seen BEC attack TTPs. 

With many working remotely (even within essential functions such as healthcare and food supply chains, where accounting and other personnel are not required on site), email volumes are, predictably, increasing in tandem with attempts to compromise the process. It’s more important than ever to apply safeguards against BEC attacks.

Protecting Against BEC Attacks: People, Process, Technology

Preventing BEC attacks in both your organization and among your remote work staff requires vigilance by all users. Comprehensive security awareness training and user education to combat phishing attacks is a critical line of defense, as BEC relies on the vulnerabilities of humans. In addition, make sure to: 

  • Conduct training on how to identify and manage fraudulent financial requests 
  • Implement multi-factor authentication (MFA) as a security policy for all employees 
  • Ensure that financial wire transfer verification steps are conducted through non-email communication channels (text messages, voice phone calls, etc.). 
  • Limit the number of employees authorized to approve wire transfers and provide additional training to authorized employees 

BEC attacks are a common, financially destructive threat type, which will likely become even more of a concern in a post-COVID-19 world. For organizations in Financial Services and Healthcare, which conduct many financial transactions over email (though these attacks aren’t limited to these organization types), increasing vigilance, attention to security best practices, and user training are essential–particularly in light of the fact that BEC threat actors are getting more targeted and educated on their victims each year.

Want to learn more Crypsis Pro-Tips? Check out our BEC best practices video and make sure to read our 2020 Incident Response and Data Breach report and our Microsoft Office 365 Best Practices InfoSheet.

Best Practices Securing Microsoft 365


Topics: Security Insights