Understanding and Addressing the Rising BEC Threat
Ransomware attacks and personal data breaches understandably dominate the cybersecurity news cycle. However, one of the attack vectors that causes the greatest financial cost to victim organisations is business email compromise (BEC).
In September 2024, a notice by the FBI’s Internet Crime Complaint Center (IC3) revealed that BEC cost organisations an astonishing $55.5bn between October 2013 and December 2023, on the back of over 305,000 incidents.
It is critical that organisations understand the threat posed by BEC and build in the tools and processes to protect themselves from damaging financial losses.
Why BEC is so Lucrative
BEC is a social engineering technique, which often targets senior staff at an organisation, or those that can authorise financial transactions.
Threat actors will impersonate a legitimate individual or entity, such as the company’s CEO or a third-party supplier. They typically try to trick the target into transferring large sums of money to their accounts.
This tactic has proven highly effective, with eye-watering losses recorded for victim organisations. The FBI found that BEC accounted for the second-highest losses of any crime type reported to IC3 in 2023, at $2.9bn.
This was far higher than the $59.6m in losses recorded for ransomware in the same period, although the IC3 figure for ransomware counts only reported ransom-related losses and excludes downtime, lost business and third-party remediation costs.
Experts have cited a range of reasons why BEC attacks tend to go under the radar compared to other cyber-attacks such as ransomware. One is that BEC attackers, unlike ransomware groups, have no need to publicise their attacks: they do not have to pressure the victim into paying, so there are no leak sites or public extortion demands. That leaves security researchers with less evidence to examine forensically and makes attribution by threat analysts harder.
Additionally, the stealthy nature of BEC and the impact on the targets' finances and reputation mean that victims, too, often prefer to keep quiet about such incidents.
BEC Techniques and Tools Evolving
BEC attacks have evolved significantly in recent years, increasing their effectiveness. This trend has largely been driven by the adoption of generative AI and related tools.
AI Generating Scams
Generative AI has enabled attackers to craft more convincing and effective emails. A report by Vipre Security Group in August 2024 found that BEC attacks rose 20% year-on-year in Q2 2024, a rise the report attributed to the use of AI tools to generate scam messages.
Another tool used to enhance BEC is deepfakes. The growing availability of this AI-based technology allows attackers to convincingly mimic the voices of high-profile individuals, such as a senior business leader, during phone calls.
In one high-profile case from 2019, the CEO of a UK-based energy company was duped into transferring $243,000 to fraudsters after receiving a phone call from someone purporting to be the chief executive of the firm's German parent company. The caller's voice was reportedly generated with AI voice-cloning software to mimic the German executive.
Sophisticated Email Fraud
BEC attackers have also refined the emails they send. One example is "VIP Invoice Authentication Fraud," which impersonates trusted vendors or other third parties that the victim organisation regularly pays. The fraudster sends an invoice request to a target, typically someone in the victim organisation's finance team, but crucially also copies in (cc) the target's boss, or rather an address on a spoofed lookalike domain resembling the boss's real email address.
Having sent the initial email, the attacker then replies to the thread from the lookalike account, impersonating the target's boss and instructing them to pay the invoice as soon as possible. This reply appears to be a legitimate response from the target's own trusted executive or manager, adding to the sense of urgency to pay the invoice.
Another example is "conversation hijacking" to enable BEC, where attackers first compromise email accounts in the organisation or at one of its suppliers to learn its business operations and payment procedures. That insight is then used to craft authentic-looking messages, inserted into existing threads from the compromised or impersonated domains, to trick victims into wiring money or updating payment details.
How to Tackle Modern BEC Attacks
There are a range of measures organisations can take to address the huge threat posed by BEC, including those enhanced by AI technologies.
Security Awareness Training
Organisations should provide specialist awareness training on BEC, ensuring staff are aware of the techniques used and how to spot them.
This needs to go beyond showing employees what a phishing email looks like to making it clear the types of behaviour that will never happen in their organisation. For example, no one from the leadership team will ever message employees to ask that they buy a gift card.
Additionally, staff should be advised to verify any unusual request with the person supposedly making it, where possible through a separate, known-good channel such as a phone number already on file, rather than by replying to the email itself.
Robust Policies
Another crucial means of tackling the BEC threat is having stringent, rigorously enforced processes around financial practices. This includes restricting payment authorisation to named users, and requiring additional sign-off from a senior member of staff before any payment is made to a new supplier or to a changed bank account, with the change confirmed using contact details already on record rather than those supplied in the request.
Technical Email Tools
A number of email security tools can help prevent BEC attacks. These include standard tooling such as domain checks (lookalike-domain detection and sender authentication via SPF, DKIM and DMARC), email filtering and alerts. Additionally, some email security solutions use machine learning and/or natural language processing (NLP) to detect abnormal behaviour, or language that is uncommon for a specific sender.
Such tools push many BEC attempts to the margins: an attacker who cannot spoof the corporate domain may fall back to a personal webmail account, and a request to move money or share financial data from a personal address is far easier for staff to recognise as illegitimate.
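A minimal version of the domain checks described above, applied to the cc'd-executive invoice scenario from the section on sophisticated email fraud. This is an added example, not code from the original article or from any vendor product; the organisation, supplier, executive and both messages are constructed for illustration, and a production filter would combine these header checks with SPF/DKIM/DMARC results and sender history.

```python
"""Lookalike-domain and header-mismatch checks for inbound invoice emails.

Added example: flags the tricks used in VIP invoice fraud, namely a vendor
address on a homoglyph domain, an executive cc'd from a lookalike domain,
and a Reply-To that quietly diverts the thread to a third domain.
"""
import email
from email import policy

# Hypothetical organisation and supplier domains (constructed for this example).
PROTECTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}

# Frequently impersonated executives: display name -> their real address.
VIPS = {"jane doe": "jane.doe@example-corp.com"}

# Digits commonly substituted for visually similar letters.
_DIGIT_SWAPS = str.maketrans("0135", "oles")


def normalise(domain: str) -> str:
    """Collapse common homoglyph tricks so a lookalike compares equal to the real domain."""
    d = domain.lower().strip().translate(_DIGIT_SWAPS)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squats such as a dropped TLD letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(domain: str):
    """Return a reason if `domain` impersonates a protected domain, else None."""
    domain = domain.lower()
    if domain in PROTECTED_DOMAINS:
        return None
    for real in sorted(PROTECTED_DOMAINS):
        if normalise(domain) == normalise(real):
            return f"homoglyph lookalike of {real}"
        if real in domain:  # e.g. example-corp.com.evil.net
            return f"embeds protected domain {real}"
        if levenshtein(domain, real) <= 2:
            return f"within edit distance 2 of {real}"
    return None


def analyse(raw: bytes) -> list:
    """Return a list of findings for one RFC 5322 message; empty means nothing suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domains = {a.domain.lower() for h in msg.get_all("From", []) for a in h.addresses}
    for header in ("From", "Cc", "Reply-To"):
        for h in msg.get_all(header, []):
            for a in h.addresses:
                domain = a.domain.lower()
                reason = check_domain(domain)
                if reason:
                    findings.append(f"{header}: {a.addr_spec} {reason}")
                # A known executive's name on any address other than their real one.
                expected = VIPS.get(a.display_name.lower())
                if expected and a.addr_spec.lower() != expected:
                    findings.append(
                        f"{header}: display name '{a.display_name}' on {a.addr_spec}, expected {expected}")
                # Replies silently routed to a domain the sender did not write from.
                if header == "Reply-To" and domain not in from_domains:
                    findings.append(
                        f"Reply-To: {a.addr_spec} diverts replies away from {sorted(from_domains)}")
    return findings


# Constructed sample: the cc'd-boss invoice lure, with homoglyph domains.
SUSPICIOUS = b"""From: Acme Supplies Accounts <accounts@acme-supp1ies.com>
To: payments@example-corp.com
Cc: Jane Doe <jane.doe@exarnple-corp.com>
Reply-To: accounts@acme-supp1ies-billing.net
Subject: Invoice 4471 - urgent
Content-Type: text/plain

Please see attached invoice, due today.
"""

# Constructed sample: the same invoice from the genuine supplier and executive.
LEGIT = b"""From: Acme Supplies Accounts <accounts@acme-supplies.com>
To: payments@example-corp.com
Cc: Jane Doe <jane.doe@example-corp.com>
Subject: Invoice 4471
Content-Type: text/plain

Invoice attached, payable on normal 30-day terms.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, analyse(raw) or "no findings")
```

The homoglyph table and edit-distance threshold are deliberately small; real deployments tune them against the organisation's own domain list, because a threshold that is too loose will flag unrelated legitimate suppliers.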
Quickly Contact Law Enforcement
If an organisation falls victim to a successful BEC attack, it should inform law enforcement and its bank as soon as possible. There have been several cases where police forces, working with banks, have been able to recover the stolen funds and return them to the victim, and the sooner a report is made, the better the chance that a transfer can be frozen or recalled.
Conclusion
BEC is a huge threat to organisations, resulting in vast sums being lost by victims. It must be given as much priority as, if not more than, ransomware in organisations' cybersecurity strategies. Stringent processes and training around financial transactions are core to preventing these attacks from succeeding.