In a new twist on an old scam, business email compromise (BEC) attacks are moving from email to virtual meetings, where social engineering tactics are used to further establish credibility and increase the likelihood of a successful scam.
Historically, BEC scams consisted of a threat actor impersonating the owner of a compromised email account to steal information, commit fraud, or carry out a myriad of other attack actions. But a new FBI advisory warns of BEC scams that involve either inviting users to virtual meetings or attending meetings as the compromised user. In cases where the compromised user is in a position of authority, scammers seek to get attending employees to carry out instructions. According to the advisory, virtual meeting platforms are being used in several ways:
- Compromising an employer or financial director's email, such as a CEO or CFO, and requesting employees to participate in a virtual meeting platform where the criminal will insert a still picture of the CEO with no audio, or "deep fake" audio, and claim their video/audio is not properly working. They then proceed to instruct employees to initiate transfers of funds via the virtual meeting platform chat or in a follow-up email.
- Compromising employee emails to insert themselves in workplace meetings via virtual meeting platforms to collect information on a business's day-to-day operations.
- Compromising an employer's email, such as the CEO, and sending spoofed emails to employees instructing them to initiate transfers of funds, as the CEO claims to be occupied in a virtual meeting and unable to initiate a transfer of funds via their own computer.
Employees who undergo continual Security Awareness Training are far more vigilant when normal business activity goes awry and becomes downright suspicious (as in the case of the fake CEO not having any audio and asking for the transfer of funds).
It’s no longer just about being mindful of phishing attacks; employees need to be educated to maintain a constant state of awareness whenever any form of unexpected communication, especially one involving money, is made.