The “business” of BEC is becoming increasingly lucrative for cybercriminals, as they develop new ways to defraud individuals and organizations of their money.
The simple CEO fraud scam isn’t dead, but it has certainly been left behind by even more effective Business Email Compromise scams, according to Crane Hassold, Sr. Director of Threat Research at Agari, in his recent presentation How the BEC Threat Landscape is Evolving and What We Can Do About It at the RSA virtual conference.
Modern BEC attacks leverage well-crafted social engineering that technical security defenses are poorly placed to detect or prevent: there is no malware, malicious attachment, or credential-harvesting link to flag, just a plausible email and a request. While the usual end goal of BEC hasn’t changed – convince the victim to wire funds – the pretexts and social engineering tactics used to get there have. Here are a few examples:
- The Handoff – This can take many forms; a recent example runs as follows. An attacker impersonating the CEO emails a senior member of the Finance department, asking them to contact an “attorney” (actually another member of the same cybercriminal gang) about a confidential acquisition. Once this handoff occurs, the “attorney” asks for a sizable sum to assist with the acquisition; when the Finance team member checks back with the “CEO”, the attacker approves the payment. The victim believes they have verified the request, but both parties to the “verification” are the attacker.
- Payroll Diversion – HR is emailed by an attacker impersonating an employee, asking that the banking details used for the employee’s direct deposit be updated to a new (attacker-controlled) account.
- Aging Report Scam – Rather than going directly for a wire transfer, scammers purport to be a vendor and ask for an aging report (which lists the status of all pending payments the victim organization owes that vendor). With this in hand, the attackers can send far more convincing emails that cite specific invoice numbers, payment amounts, and due dates when asking for the vendor’s banking details to be changed to an attacker-controlled account.
The upshot of this evolution is that attackers are taking the longer path: building context and trust over several exchanges, so that the victim’s guard is down by the time the attacker pulls the BEC trigger and asks for the wire transfer or the banking-detail change.
Any employee with access to request or approve financial transactions needs to undergo continual Security Awareness Training, keeping them updated on how these scams unfold so they can spot a BEC scam the moment the email hits their inbox. Training should be backed by process: any request to change payment or direct-deposit details, or to make an unusual or urgent payment, should be verified out of band, using a phone number or contact already on file rather than one supplied in the email, since an in-email “confirmation” (as the Handoff example shows) may come from the attacker as well.