
Protecting Company Funds from Business Email Compromise Scams

BEC Scams Have Risen Sharply, with More Using Adversary-in-the-Middle Attacks to Access Company Funds

Business email compromise (BEC) scams remain one of the most financially damaging cybercrimes in the U.S., according to the Federal Bureau of Investigation. The scam works because so much business runs over email, and busy or distracted people do not always read messages as carefully as they should. In a BEC scam, criminals send messages that appear to come from a source we trust and make what look like legitimate requests. If we are not paying attention, they can fool us in a heartbeat.

BEC schemes are targeted scams in which email accounts (and in some cases phone numbers and even virtual meetings) are compromised or impersonated by criminals using social engineering or computer intrusion. Social engineering generally means phishing, while computer intrusion means breaking into the company's network or mail system.

In either case, the cybercriminals’ interim goal is to acquire access credentials that enable them to pose as trusted company executives, vendors, or partners. Their ultimate goal is always to divert monies away from the legitimate intended destinations and into their own accounts.

The Four Basic Steps of BEC Schemes

According to the Federal Bureau of Investigation, business email compromise scams generally follow four steps. They begin with the criminals identifying lucrative targets: companies where a single diverted payment can be large. They research information available online to build profiles of the target company and its executives. Targeting may also favor companies with weak security safeguards, which take less effort to breach.

Step 2 entails grooming a victim in the target company, typically through phishing and spearphishing emails and replies over several days. Research from Step 1 is used to appeal personally to the victim and establish credibility.

By Step 3, the victim is convinced that he or she is conducting a genuine business transaction with a legitimate individual, and sensitive information is shared in order to complete the transaction. Finally, in Step 4 the requested funds are transferred to the cybercriminal organization by the unwitting employee.

The Three Most Popular Tools Used in BEC Schemes

Cybercriminals may use any tools at their disposal to perpetrate business email compromise scams, but three of the most common are spoofing, spearphishing, and malware. These ploys succeed consistently, in part, because employees and executives are not routinely trained to recognize them.

  • Spoofing. Email addresses and website URLs can be spoofed very successfully in our fast-paced, quick-read world. In spoofing, cybercriminals register an address or domain that differs from the real one by a letter or two and point it at their own account or website. For example, the email address “john.kelly@examplecompany.com” might be spoofed as “john.kelley@examplecompany.com” to fool victims into thinking the address is authentic. Or the website “fedex.com” may be spoofed as “fedex.int” or “fedexp.com” to divert traffic to the malicious site. Look-alike addresses are different from forging the From header of a real domain outright; that second kind of spoofing is what SPF, DKIM and DMARC exist to block, so make sure they are enforced for your own domain.
  • Spearphishing. Spearphishing emails target specific employees or executives and appear to come from a trusted sender, so that victims share sensitive or confidential information. That information gives criminals access to company accounts, calendars, and other real data, which supplies the credible details needed for a successful business email compromise.
  • Malware. Malicious software that has infiltrated company networks and systems gives cybercriminals access to legitimate email threads about billing and invoices. Reading those threads lets them time a fraudulent invoice or payment-change request to the real billing cycle, so that company accountants do not question it.
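The spoofing patterns above can be caught mechanically before a message reaches a busy accountant. The following is an added example written for this article, not code from the original page or from any vendor: it scores a message's From and Reply-To headers against an assumed allow-list of trusted domains, known contacts, and executive names (all constructed here) and flags a look-alike domain such as fedexp.com or fedex.int, a look-alike mailbox such as john.kelley versus john.kelly, an executive's display name arriving from an outside domain, and a Reply-To that points somewhere other than the sender. The homoglyph table and edit-distance threshold are assumptions to tune for your own domains.

```python
"""Triage of sender headers for the look-alike patterns used in BEC.

Added example; not code from the original article. The trusted domains,
contacts, executive names and sample headers below are constructed.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"examplecompany.com", "fedex.com"}          # assumed allow-list
KNOWN_CONTACTS = {"john.kelly@examplecompany.com", "ap@fedex.com"}
EXECUTIVE_NAMES = {"john kelly"}                                # lower-cased display names

# Character pairs that look alike in most fonts; folded before comparing (assumed table).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"), ("3", "e")]


def normalize(label: str) -> str:
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_name(domain: str) -> str:
    """'mail.fedex.com' -> 'fedex' (naive: assumes a single-label public suffix)."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_domain(domain: str):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower()
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None                      # the real domain, or a subdomain of it
    name = normalize(registrable_name(domain))
    for trusted in TRUSTED_DOMAINS:
        tname = normalize(registrable_name(trusted))
        if name == tname:                    # same name, different TLD: fedex.int
            return trusted
        if len(tname) >= 4 and levenshtein(name, tname) <= 1:   # fedexp.com, examp1ecompany.com
            return trusted
    return None


def lookalike_mailbox(addr: str):
    """Return the known contact that `addr` imitates, or None."""
    addr = addr.lower()
    if addr in KNOWN_CONTACTS:
        return None
    local, _, domain = addr.partition("@")
    for known in KNOWN_CONTACTS:
        klocal, _, kdomain = known.partition("@")
        if domain == kdomain or lookalike_domain(domain) == kdomain:
            if levenshtein(normalize(local), normalize(klocal)) <= 2:
                return known
    return None


def triage(from_header: str, reply_to: str = "") -> list:
    """Return human-readable findings for one message's From and Reply-To headers."""
    findings = []
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.partition("@")[2]
    hit = lookalike_domain(domain)
    if hit:
        findings.append(f"look-alike domain {domain} imitates {hit}")
    hit = lookalike_mailbox(addr)
    if hit:
        findings.append(f"look-alike mailbox {addr} imitates {hit}")
    if name.strip().lower() in EXECUTIVE_NAMES and domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{name}' used from outside domain {domain}")
    if reply_to:
        rt_domain = parseaddr(reply_to)[1].lower().partition("@")[2]
        if rt_domain and rt_domain != domain:
            findings.append(f"Reply-To domain {rt_domain} differs from sender domain {domain}")
    return findings


if __name__ == "__main__":
    # Constructed headers: one clean message followed by the patterns described above.
    samples = [
        ("John Kelly <john.kelly@examplecompany.com>", ""),
        ("John Kelly <john.kelley@examplecompany.com>", ""),
        ("FedEx Billing <invoices@fedexp.com>", ""),
        ("FedEx Billing <invoices@fedex.int>", ""),
        ("John Kelly <jkelly.ceo@gmail.com>", ""),
        ("Accounts Payable <ap@fedex.com>", "ap-fedex@outlook.com"),
    ]
    for frm, rt in samples:
        print(frm, "->", triage(frm, rt) or ["no findings"])
```

The edit-distance check is deliberately loose on short names (it is skipped for trusted names under four characters) because two-letter brands collide with everything; a production version would use the public-suffix list for `registrable_name` and run on every inbound message, not only on messages that mention payments.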

BEC Theft Has Risen Sharply in Five Years

In its 2022 Congressional Report on Business Email Compromise, the FBI notes that “BEC is one of the fastest growing, most financially damaging internet-enabled crimes. It is a major threat to the global economy.” Comparing complaints to the FBI’s Internet Crime Complaint Center between 2016 and 2021, the report indicates that annual losses attributed to BEC scams were $360 million in 2016—and had escalated to $2.4 billion by 2021. BEC scammers have targeted large and small companies in every U.S. state and more than 150 countries around the world, according to the report.

Companies need to recognize the severity and prevalence of BEC scams and the financial damage they create and take internal steps to reduce this threat.

Microsoft Warns of Adversary-in-the-Middle Attacks in BEC Scams

Adversary-in-the-Middle (AiTM) attacks, also called man-in-the-middle attacks, are attacks in which the criminal sits between the user and the service the user is talking to and secretly reads or alters the traffic. In the BEC variants described here, the attacker's server relays a genuine sign-in page to the victim; the victim sees the real page and logs in normally, but the relay captures the password, any one-time code, and the signed-in session the service issues afterward. With that session the attacker is logged in as the victim, with MFA already satisfied, and can read the victim's mailbox and send the payment requests that make up the BEC.

New Multistage BEC Attacks. In May 2023, Microsoft warned of a surge in BEC schemes employing advanced tactics, such as the use of commercial criminal services to build professional-grade malicious email campaigns. In early June, the company warned that banking and financial services organizations had become the targets of new, multistage adversary-in-the-middle attacks that start with phishing and lead into business email compromise.

According to the Microsoft report, one such attack “originated from a compromised trusted vendor and transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations.” This multistage attack began with a phishing email containing a link that redirected the victim to a spoofed Microsoft sign-in page, which captured the credentials and the one-time password (OTP) the victim entered. Because the victim had just satisfied MFA, the stolen session let the attacker in without triggering another prompt.

Cybercrime-as-a-Service. The Microsoft warning describes in some technical detail the Cybercrime-as-a-Service offerings now available for purchase by aspiring criminals. One platform “sells an end-to-end service including templates, hosting, and automated services for BEC.” Customers of this service also receive the stolen credentials and the IP address of the victim company. With addresses in the victim's own region as well as stolen usernames and passwords, BEC attackers blend in with normal sign-in traffic, evade location-based anomaly checks, and use the foothold to launch further attacks.
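Because the attacker ends up holding a session that already passed MFA, the sign-in log is often the first place the compromise shows. The following is an added example, not code from the article or from Microsoft's report: it runs a simple heuristic over a constructed JSON-lines sign-in log, flagging any session identifier that is reused from an IP address other than the one that completed MFA, and raising the severity when a new MFA method is registered during that replay, a step attackers commonly take to keep access after the stolen session expires. The field names, the thirty-minute window and the events themselves are assumptions; map them to whatever your identity provider logs.

```python
"""Detecting session replay after an adversary-in-the-middle phish.

Added example; not code from the article or from Microsoft's report.
The JSON-lines log format and the events below are constructed.
"""
import json
from datetime import datetime, timedelta

# Constructed sign-in log. a.lee's session s-1001 completes MFA from one address
# and is then reused from another, which also registers a new MFA method.
# b.ng's sessions are ordinary: reuse from the same address, then a fresh sign-in.
SIGNIN_LOG = """
{"time": "2023-06-05T09:00:10Z", "user": "a.lee@examplecompany.com", "event": "signin", "session": "s-1001", "ip": "203.0.113.17", "mfa": "satisfied"}
{"time": "2023-06-05T09:00:12Z", "user": "a.lee@examplecompany.com", "event": "signin", "session": "s-1001", "ip": "198.51.100.8", "mfa": "previously_satisfied"}
{"time": "2023-06-05T09:04:40Z", "user": "a.lee@examplecompany.com", "event": "mfa_method_added", "session": "s-1001", "ip": "198.51.100.8", "method": "authenticator_app"}
{"time": "2023-06-05T09:30:00Z", "user": "b.ng@examplecompany.com", "event": "signin", "session": "s-2002", "ip": "203.0.113.40", "mfa": "satisfied"}
{"time": "2023-06-05T10:15:00Z", "user": "b.ng@examplecompany.com", "event": "signin", "session": "s-2002", "ip": "203.0.113.40", "mfa": "previously_satisfied"}
{"time": "2023-06-05T11:00:00Z", "user": "b.ng@examplecompany.com", "event": "signin", "session": "s-2003", "ip": "203.0.113.41", "mfa": "satisfied"}
"""

# Assumed: a new MFA method registered this soon after a replay is treated as persistence.
REPLAY_MFA_WINDOW = timedelta(minutes=30)


def parse_events(jsonl: str) -> list:
    """Parse one JSON object per line and return the events in time order."""
    events = [json.loads(line) for line in jsonl.strip().splitlines()]
    for e in events:
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["time"])


def detect_session_replay(events: list, window: timedelta = REPLAY_MFA_WINDOW) -> dict:
    """Return {session_id: finding} for sessions reused from an IP other than the MFA origin."""
    origin = {}      # session -> the sign-in event that completed MFA
    findings = {}
    for e in events:
        sid = e["session"]
        if sid not in origin:
            if e["event"] == "signin" and e.get("mfa") == "satisfied":
                origin[sid] = e
            continue
        if e["ip"] == origin[sid]["ip"]:
            continue                                 # same address that passed MFA: normal reuse
        f = findings.setdefault(sid, {
            "user": e["user"], "origin_ip": origin[sid]["ip"], "replay_ips": set(),
            "first_replay": e["time"], "severity": "medium", "persistence": None,
        })
        f["replay_ips"].add(e["ip"])
        if e["event"] == "mfa_method_added" and e["time"] - f["first_replay"] <= window:
            f["severity"] = "high"                   # attacker is adding their own second factor
            f["persistence"] = e.get("method")
    return findings


if __name__ == "__main__":
    for sid, f in detect_session_replay(parse_events(SIGNIN_LOG)).items():
        print(sid, f["user"], f["severity"], "origin", f["origin_ip"],
              "replayed from", sorted(f["replay_ips"]), "new MFA method:", f["persistence"])
```

Note the limitation the article's Cybercrime-as-a-Service paragraph implies: if the attacker replays the session through an address in the victim's own region, or through the same proxy that relayed the original sign-in, the IP comparison alone will not fire. The MFA-method and mailbox-rule changes that follow a replay are the more durable signal, which is why the heuristic escalates on them.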

Simple But Effective Advice for Thwarting BEC Attacks

The FBI recommends five actions that company employees and executives can take to reduce their organizations' vulnerability to business email compromise schemes. These actions should be common sense by now and part of every organization's security practices, but they bear repeating. Make sure all employees are trained in them and retrained periodically.

  1. Avoid Casual Sharing. When you openly share personal details such as your birthday, pet names, family member names, and former schools, you make it easy for scammers to guess your passwords and answer your security questions. Criminals also use that information to build credibility with you and make phishing more convincing. Be careful what you post or share casually online, and remove what you can.
  2. Think Before You Click. Attachments and links are often forwarded from one person to the next until a friend or colleague sends one to you. You do not know where that link or attachment originated, so do not open it unless your job requires it. Even then, do not click the link directly: hover over it to see its real destination, and reach the site by typing an address you already know or using a saved bookmark. Have attachments scanned before opening them, and ask your IT team to verify anything you are unsure of.
  3. Read Emails Carefully. Sender names and links can be spoofed easily. Check the actual sender address, not just the display name, and hover over each link to confirm that the destination matches the text shown. A Reply-To address that differs from the sender is a warning sign. Look for typos or poor spelling, read the message from top to bottom for anything unusual, and engage your IT team when in doubt.
  4. Never Give Out Confidential Information. Do not click on anything in an unsolicited email or text message that asks you to update your account, update your payment card, verify your account information, enter a sweepstakes, or claim a reward. If you think the request might be legitimate, call the company or sender at a phone number you look up yourself, not one provided in the message.
  5. Embrace Multifactor Authentication. MFA requires something beyond your username and password, typically a one-time code sent to your phone or generated by an app, to prove that you are who you claim to be at login. The FBI and most security firms advise enabling MFA for every account that offers it and never disabling it. Keep in mind that one-time codes can be captured by the adversary-in-the-middle attacks described above, so where possible choose phishing-resistant MFA such as FIDO2 security keys or passkeys, which cannot be replayed from a look-alike sign-in page.

Employees Must be Trained to Recognize Phishing

Another powerful preventive measure against business email compromise scams is cybersecurity awareness training—and specifically training employees to recognize phishing schemes. Most BECs result from phishing exploits of some type, and multistage BECs employ phishing as one of their crucial and most effective tools. Phishing has dominated complaints to the FBI Internet Crime Complaint Center since 2019, with the four other top complaint categories trailing far behind.

Employees and executives, as well as vendors and partners, need to be aware of how common phishing is, how it works, how to recognize a phishing email, and how much its success relies on employee negligence, distraction, and lack of training. Every company should provide training for everyone and do it regularly to keep it at top of mind.

Personnel who receive overwhelming volumes of email and must meet urgent deadlines are particularly vulnerable to phishing. Ironically, these are often employees or managers in Accounting, Payroll, and Human Resources, where large amounts of company funds, sensitive data, and personally identifiable information are handled. If you cannot plan or conduct the training yourself, hire a professional cybersecurity firm that offers comprehensive phishing and security awareness training. Many provide online courses that can be completed at the employee's convenience and include testing to reinforce learning.

Business email compromise scams are not new, but each year they grow in frequency and financial damage. The FBI's Internet Crime Complaint Center tracks BEC losses reported by U.S. companies, and those losses have grown sharply since 2016, most recently reaching $2.4 billion in 2021 according to the FBI's 2022 report cited above.

Companies can reduce their vulnerability to business email compromise scams by following advice offered by the FBI and experienced cybersecurity professionals. In today’s email-intensive business world, educating employees and executives in the serious consequences of BEC scams, training them to recognize phishing schemes, and improving their cybersecurity awareness are absolute requirements for all organizations.


Sanjay Deo

Sanjay Deo is the President and Founder of 24by7Security Inc. Sanjay holds a Master's degree in Computer Science from Texas A&M University, and is a Certified Information Systems Security Professional (CISSP), Healthcare Information Security and Privacy Practitioner (HCISPP), Certified Information Systems Auditor (CISA) and PCI Qualified Security Assessor (QSA). Sanjay is also a co-chair on the CISO council and Technology Sector Chief at FBI InfraGard South Florida Chapter. In 2022 Sanjay was honored with a Lifetime Achievement Award from the President of the United States.
