Keeping an Eye on Business Email Compromise

Posted on by Kacy Zurkus

Malicious actors have long been using social engineering to bamboozle unsuspecting victims into transferring sensitive information or money in business email compromise (BEC) attacks. During RSA Conference 2016, Tom Kemp, CEO of Centrify, shared his company’s experience of nearly falling victim to a wire transfer scam two years earlier. As time progressed, so did the cybercriminals, and year over year, the attacks have become increasingly more prevalent.

At RSA Conference 2019, Anne Connell, Cybersecurity Engineer at CMU, delivered a session titled Business Email Compromise: Operation Wire Wire and New Attack Vectors, noting the continued increase in these attacks that (at the time) were commonly targeting real estate, legal services, B2B commerce, and database and W2 theft. Connell’s presentation gave an overview of the tactics and techniques of attackers but also outlined coordinated efforts to thwart these attacks; however, the threat of BEC has not decreased. In fact, cybercriminals have evolved in their tactics.

In a February 2020 blog post, James Moar, Lead Analyst at Juniper Research, noted that deepfakes have the potential to shift the advantage from defender to cybercriminal, adding, “Deepfakes … have more malicious reach than misinformation. They can also be used as a means of social engineering, tricking employees into certain behaviors. Business Email Compromise, for example, could be augmented with deepfakes to build relationships and trust with targets in a spearphishing exercise.”

But there is hope, as we saw at RSA Conference 2020 when Patrick Peterson, Founder and CEO of Agari, and Teresa Walsh, Head of Financial Services Information Sharing and Analysis Center, Inc., presented their session, Disrupting BEC Attacks Utilizing Kill Chain. Peterson and Walsh pointed out that BEC is still a rapidly growing threat in large part because it has a higher return on investment than other types of attacks. However, the overarching message of their session was: “We know a lot about the BEC attack chain and the actors behind these attacks, and we can use this intelligence to defeat them!”

The problem with these attacks is that these cybercriminals exploit human beings, most often by creating a sense of urgency and inducing stress. They leverage every opportunity to manipulate their victims, which is why there is little surprise that we have seen an uptick in attacks since the onset of the global pandemic. So where does that leave defenders?

Well, I asked Peterson and Walsh if they would change anything about their session and the methods for disrupting BEC attacks. Walsh said that when it comes to BEC attacks, “You need a way to cash out the fraud, and usually this is a bank account opened by a human being. But human beings can’t easily open bank accounts anymore because they’re isolating at home! So, this has led to changes.”

According to Peterson, BEC attackers have adapted their techniques in three ways. “First, simply changing their lures to COVID-19. Instead of “we need to pay this supplier wire funds,” it’s “we need to get gift cards to our employees or charities” or “we’ve had to change our bank account related to the stimulus, here are the new numbers,” Peterson said.

Though the cash out method was already shifting significantly toward gift cards, Peterson said, “With COVID-19, the victims are no longer going to physical stores to purchase but making purchases online. Additionally, the gangs who socially engineered accounts receivable aging reports (see “Ancient Tortoise” criminal dossier, for example) are now going after those vendors to get them to pay with a COVID-19-related invoice.”

While it’s interesting to see how malicious actors evolve with the ebbs and flows of the world around them, Walsh added what is particularly interesting to her is determining whether these changes will endure post-isolation. Will the fraudsters find prepaid cards and online vouchers easier to use instead of a human money mule? Will we see them have a more willing mule population after isolation ends because of the impact to the economy?

Kacy Zurkus

Senior Content Manager, RSA Conference

Hackers & Threats

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs