An Analysis of the Rising Threat of BEC Attacks

Business Email Compromise (BEC) attacks have peaked during the COVID-19 pandemic, as cybercriminals turn to this more profitable scam to meet their financial objectives.

Some statistics your way

  • The Anti-Phishing Working Group (APWG) has found that the average wire-transfer loss from BEC scams surged to $80,183 from $54,000 in Q2 2020.
  • Moreover, in two-thirds of attacks, attackers requested funds in the form of gift cards for Apple iTunes, Google Play, eBay, and Steam Wallet.
  • Approximately 72% of the attacks were conducted via free webmail accounts and half of them were sent from Gmail.
  • The three most impersonated brands in the second quarter were Zoom, Amazon, and DHL.

Why it matters

The criminal community has been refining its skills to conduct BEC attacks that are extremely successful at dodging email defenses. They deal in pure deception and are therefore invisible to most conventional security measures. Because the scammer makes the message resemble a genuine email, no keywords trigger the conventional filters, so a well-crafted email has a high chance of reaching the victim’s inbox without raising any alarms.

Recent BEC attacks

  • Last month, Barracuda Networks discovered that 6,170 accounts were responsible for more than 100,000 BEC attacks on approximately 6,600 organizations.
  • Threat actors were found using legacy apps that rely on old protocols, such as POP, IMAP, and SMTP, to gain access to business email accounts protected by Multifactor Authentication (MFA). SMS-based MFA can also be abused by attackers in multiple ways, including SIM-jacking.
  • Since March, a series of BEC campaigns have been targeting Office 365 accounts. The attackers, known as Water Nue, have targeted executives at more than 1,000 organizations.
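The legacy-protocol sign-ins described above are visible in mailbox sign-in logs, because POP, IMAP and authenticated SMTP identify themselves as the client application. The following script is an added example, not code from the original post; it reads a constructed, simplified CSV sign-in export (real exports such as Azure AD sign-in logs use different column names, so the field names here are assumptions) and flags every successful sign-in that used a protocol which never prompts for a second factor.

```python
"""Flag successful sign-ins over legacy mail protocols (POP, IMAP, SMTP).

Added example, not part of the original post. The log format below is a
constructed, simplified CSV that resembles a cloud mailbox sign-in export;
the column names are assumptions, not those of any real product.
"""
import csv
from collections import defaultdict
from io import StringIO

# Client application names that authenticate with username/password only
# and therefore never prompt for a second factor.
LEGACY_PROTOCOLS = {"POP3", "IMAP4", "SMTP", "Authenticated SMTP"}

# Constructed sample sign-in log (not real data); addresses are reserved
# documentation ranges.
SAMPLE_LOG = """timestamp,user,client_app,status,ip
2020-09-01T08:12:03Z,cfo@example.com,Browser,Success,203.0.113.10
2020-09-01T08:14:51Z,cfo@example.com,IMAP4,Success,198.51.100.77
2020-09-01T09:02:17Z,controller@example.com,Exchange ActiveSync,Success,203.0.113.11
2020-09-01T09:30:44Z,cfo@example.com,IMAP4,Failure,198.51.100.77
2020-09-01T10:05:09Z,ap@example.com,Authenticated SMTP,Success,192.0.2.5
"""


def legacy_signins(log_text):
    """Return {user: [(timestamp, client_app, ip), ...]} for successful
    sign-ins that used a legacy protocol. Failed attempts are ignored here
    because the point is to find accounts that were actually reached."""
    hits = defaultdict(list)
    for row in csv.DictReader(StringIO(log_text)):
        if row["client_app"] in LEGACY_PROTOCOLS and row["status"] == "Success":
            hits[row["user"]].append((row["timestamp"], row["client_app"], row["ip"]))
    return dict(hits)


def report(log_text):
    """One line per flagged event, sorted by user, for a quick review."""
    lines = []
    for user, events in sorted(legacy_signins(log_text).items()):
        for ts, app, ip in events:
            lines.append(f"{ts} {user} legacy auth via {app} from {ip}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Any account that appears in the output has been authenticated without MFA at least once; the remediation the post implies is to disable legacy authentication for those mailboxes (or tenant-wide) rather than to chase individual source IPs.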

Defending against the threat

  • Block unsolicited emails from potentially malicious accounts.
  • Train your users or employees to detect targeted phishing attacks.
  • Implement Domain-based Message Authentication, Reporting & Conformance (DMARC) so that emails whose sender domain fails authentication checks are detected, and suspicious emails are rejected automatically.
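The "mismatched sender" check that DMARC performs is an alignment test: the domain that SPF or DKIM actually authenticated must match the domain in the visible From header, and the record's p= tag says what to do when neither does. The code below is an added example, not the post's own material; it implements the alignment rules from RFC 7489 in simplified form. The organizational domain is approximated as the last two DNS labels (real receivers use the Public Suffix List), and the SPF and DKIM results are supplied as inputs rather than computed, since both require DNS lookups. The domains and the DMARC record are constructed.

```python
"""Evaluate DMARC alignment for a message and pick a disposition.

Added example, not from the original post. Simplifications: organizational
domain = last two labels; SPF/DKIM verdicts are given, not computed.
"""


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict with defaults applied."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment by default
    return tags


def org_domain(domain):
    """Simplified organizational domain (last two labels)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record_txt, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition). A message passes if either the SPF
    identifier (envelope MAIL FROM domain) or the DKIM signing domain (d=)
    both passed its own check and aligns with the From header domain."""
    rec = parse_dmarc_record(record_txt)
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(spf_domain, from_domain, rec["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, rec["adkim"]))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, rec["p"]  # p is one of none | quarantine | reject


# Constructed sample: the From domain publishes a reject policy.
EXAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

SAMPLES = {
    # Genuine message: DKIM-signed and SPF-authorised by a subdomain of the
    # From domain, which relaxed alignment accepts.
    "genuine": dict(from_domain="example.com", spf_result="pass",
                    spf_domain="mail.example.com", dkim_result="pass",
                    dkim_domain="mail.example.com"),
    # Impersonation: From claims example.com, but SPF and DKIM only pass for
    # the sending free-mail domain, so neither identifier aligns.
    "spoof": dict(from_domain="example.com", spf_result="pass",
                  spf_domain="webmail.example.net", dkim_result="pass",
                  dkim_domain="webmail.example.net"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        ok, action = evaluate(EXAMPLE_RECORD, **msg)
        print(f"{name}: dmarc_pass={ok} disposition={action}")
```

Note that a message sent from a free webmail account with its own display-name trick (From: "CFO Name" <cfo.name@webmail.example.net>) passes DMARC for the webmail domain, because nothing is mismatched; DMARC stops exact-domain spoofing, so the user training and sender blocking in the other two bullets still matter.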

The bottom line

Losses due to BEC attacks have doubled over the past year, showing that attackers currently have the upper hand over defenders. It also shows that cybercriminals can create havoc with relatively simple attack techniques. Hence, organizations must make sure that their security measures are capable of countering all kinds of threats.