4,203 incidents of business email compromise (BEC) were reported to the Internet Crime Complaint Center (IC3) in 2016, a fact that’s notable for two main reasons…
For one thing, it represents a 2,370% increase for that specific source of fraud threat – astronomical by any standard, especially in just a single year. Even more scary, however, is that the affected companies never saw it coming. They were normal, everyday organizations minding their own business when all of a sudden, the foundation of what they knew to be normal was turned upside down in the knowledge that they’d been duped – and subsequently bilked – by a fraudster, even though they had security measures in place.
Despite its growing reputation, BEC isn’t new. The FBI started tracking it as an emerging threat in 2013. At its core, its actually one of the oldest cons in the book, relying on simple deception and a victim’s gullible desire to do the right thing — and it’s working frighteningly well, spreading to more than 130 countries with losses totaling more than $5 billion.
So why is it such a successful attack vector, generating headlines at a rate far greater than most any other fraud type?
It’s tempting to think that the explosion of BEC is due to its simplicity. While it is fair to say that the flow of a standard BEC attack is undoubtedly straightforward, what goes into executing such an attack is anything but simple.
The act of fooling victims, tricking them into making fraudulent payments by pretending to be an authorized representative of the company, is only the basic building block of a successful BEC scam. It’s all the work that happens before where the magic happens, with perpetrators first gaining access to a company’s network through an advance spear phishing campaign. They then deploy malware that enables them to spend weeks or months in the network undetected, studying every aspect of the business and collecting the information needed for the imposter phase of the campaign to be effective.
These are not the random acts of casual criminals looking to make a quick buck. On the contrary, they are stealth attacks executed with military precision. Calculated efforts designed by criminal organizations structured just like your business.
It’s true. The syndicates responsible for the vast majority of BEC attacks are armed with a full staff of lawyers, linguists, hackers and social engineers. Entire teams of professionals with a decided unwillingness to accept anything short of success. No wonder they can so easily infiltrate organizations who are powerless to keep them out! It’s like Mario Puzo wrote in The Godfather, “The lawyer with a briefcase can steal more money than a man with a gun.” Theft no longer takes a weapon…just a computer, and a little creativity.
While it might seem as though it would be infinitely easier to defend your organization against a fraudster that can be seen, the fact that BEC scams are a seemingly invisible threat that strikes from out of nowhere is neither cause for resignation nor of alarm.
There are huge red flags apparent in any BEC attack that companies should be on the lookout for. Examples include, but not limited to:
- Unusual transfer amounts (higher or lower than normal)
- Payments to new beneficiaries, or beneficiaries outside of where the business typically operates, or even international transfers
- Transfers to known vendors with new payment details
- Changes in established vendor payment cadence
And this isn’t all. Just like any good business, criminals are continually improving their techniques to find new ways to victimize businesses into BEC. CEO scams might have spiked in popularity due to their success rates, but wily fraudsters, happy to diversify, have also been reverting back to old types of attacks such as the “supplier swindle,” an attack in which criminals spoof a company related to their target, rather than the target themselves
The good news is, it’s not necessary to rely on the diligence of employees to catch the red flags of BEC (although employee education is a key component of any comprehensive security plan.). Just as the fraudsters have a clearly documented plan of attack, so should you – and it should be solidly rooted in the use of proactive user behavior analytics and monitoring.
While most organizations focus their efforts on deploying cyber security solutions designed to keep intruders out, user behavior analytics and monitoring makes the somewhat counterintuitive assumption that hackers will get in (and they will get in, so might as well adopt an honest acceptance of that upfront). It then profiles the behavior of users, including business customers, employees, etc. so that a baseline of what is considered typical for the organization can be established. It then uses that data to detect and prevent fraud in real time, stopping fraudulent payments before they can happen.
There’s no question that fraud is rising aggressively, with 75% of companies reporting they have fallen victim to a fraud incident within the past year (an increase of 14% from just three years ago). As new technologies emerge, fraudsters are redoubling their efforts to take advantage of every opportunity. They have mobilized, they’re organized, and they probably even have health plans. To defend yourself, it’s time to have a better plan than the criminals, one that comes down to being proactive, rather than reactive.
Boaz Krelbaum is General Manager of Cyber Fraud & Risk Management for Bottomline Technologies.