Dealing with the Global Threat of BEC Attacks as Cybercriminals Go International

Editor’s Note: This blog post was originally found on the Agari Email Security blog.

By Patrick Peterson

Business email compromise (BEC) attacks are still a prime tool in the arsenal of cybercriminals when it comes to committing fraud and stealing large sums of money. While BEC phishing attacks have been big news in the United States recently, advanced email threats are a very serious problem globally. Private businesses and public institutions across the globe must be vigilant towards the threat that BEC attacks pose.

According to Verizon’s 2019 Data Breach Investigations Report (DBIR), BEC is “still advantageous for the criminal element” precisely because it provides a quick way to cash out. Other types of cybercrime require work on the part of the adversaries to convert stolen data into accessible wealth.

Meanwhile, BEC requires only that someone responds to an initial email and believes the person on the other end long enough to fulfill his request. This is especially true as gift cards become a more popular mechanism for cybercrime, likely because they are easier to acquire and harder to track.

Interestingly, the 2019 Verizon DBIR notes that 18% of click-throughs on phishing messages came from people using mobile devices. We live in a world where people are often on the go: answering work emails from airports, cafes, or while picking up their kids from soccer practice. The hurried nature of such moments may make professionals more susceptible to BEC attacks, particularly because they may not examine each email as carefully as they would on a desktop computer in the office. It’s just another factor to consider when defending against BEC schemes.

International Incidents Take Center Stage

Specifically, targeted spear-phishing campaigns are “the opening gambit” for the attacks, according to ZDNet, with fraudsters sending spoofed emails to their intended victims with links that appear to lead to legitimate government websites. In actuality, these links are malicious and plant malware onto the computers of those affected.

Also in recent months, attack group London Blue has resurfaced and, as we have previously noted, is using legitimate commercial services to mass harvest target data for their phishing campaigns. This type of activity has resulted in a master targeting database containing the contact information of more than 50,000 financial executives. The same can be said for cybercriminal organization Scattered Canary, which used Lead 411 to find their targets — both in the United States and elsewhere.

Financial Services and Healthcare Remain Prime Targets

Criminals are increasingly utilizing social engineering tactics on users and tricking employees at financial firms into providing their web-based email credentials. Another common method of attack? Compromised accounts, which are notoriously difficult to trace, as cybercriminals use the legitimate accounts of employees to give an aura of authenticity and send phishing emails to colleagues.

Healthcare remains another highly targeted vertical. This isn’t surprising because, like finance, it has access to a treasure trove of data that criminals would love to get their hands on. Hackers commonly use BEC attacks to get healthcare professionals to click through a link to a phony site that asks them to enter their email credentials. And once this has been done, the criminal then can gain access to any number of sensitive emails containing patient information.

International Defense Parameters are Critical

This starts with proper employee education, but even all the training seminars in the world won’t fully prevent phishing schemes from tricking users from time to time. Instead, next-generation technology that combines machine learning with advanced analytics can spot, flag, and prevent fraudulent emails from even reaching the inboxes of employees, enabling them to focus less on cybersecurity and more on their work.

It is clear that this threat isn’t going away anytime soon. Organizations around the globe need to stay one step ahead of the constantly evolving criminal landscape.

To learn more about how identity deception is tricking unsuspecting recipients, download our latest report on trends in email fraud.

Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.
