We’re Only Human: Why Business Email Compromise Scams Still Work

Criminals have long recognized that the person behind the keyboard is the weakest link in most security programs. The days of the crude "Nigerian Prince" scam are largely behind us, yet that scam still shapes how people talk about fraud: an obvious ruse that only the careless fall for. Assuming that email scams are always that easy to spot is precisely what has opened the door for criminals to refine their craft and target victims who are neither expecting nor prepared for a convincing approach.

What is the Human Factor?

'Human factor' vulnerabilities are exposed by the inadvertent, non-malicious actions of someone inside a company: clicking a phishing link, losing an unencrypted device, or tossing sensitive documents in the trash instead of disposing of them properly. Attackers exploit these vulnerabilities to get users to carry out the attack for them, unwittingly.

Human factors are a growing contributor to cyber attacks, whether launched from inside or outside the corporate network, that aim to steal confidential data or defraud a company. The last time IBM analyzed this component, we found that 95 percent of security incidents involved human error. That error can be anything from a misconfigured cloud server or poor patch management to clicking a malicious link in an email.

Better IT processes can mitigate misconfiguration and patching errors, but in the case of business email compromise (BEC), even employees who follow security policy to the letter may not be protected from the threat. A BEC scam often requires nothing more than adept social engineering to trick a user into making a costly error.

What is a Business Email Compromise Scam?

In a BEC scam, a threat actor takes over or impersonates a trusted user's email account, either by stealing the user's email credentials or by registering a lookalike domain that differs from the legitimate one by a subtle typo and creating addresses on it that mirror the real user's address.

Companies that conduct international wire transfers have proven to be attractive targets for BEC scams. The attacker's goal is to divert a payment to an attacker-controlled account or to obtain confidential information from the organization, such as employee tax forms. These attacks can often be carried out almost entirely through phishing and the manipulation of people, typically those working in accounts payable, into performing an illegitimate transaction.

How Does the Attacker Conduct a Successful BEC Scam?

To succeed, attackers need to blend in with the organization and the employees they are targeting. Once the attacker controls a victim's email account, they build a false sense of normality around accounts payable staff: they continue existing email threads and copy the victim's usual signature block so the messages look legitimate. By studying previous conversations, the attacker learns to write with very few of the grammatical or colloquial mistakes that are otherwise a red flag in spam and phishing messages.

In many cases, attackers add layers of obfuscation to keep the compromised user unaware that their account is being misused. For example, they create inbox rules, a feature normally used to tidy a mailbox, that silently delete or file away the conversations that would reveal the fraud, such as a colleague asking about a changed bank account. They also change the mailbox settings to auto-forward conversations to an external address they control, so they can follow the thread without having to log into the victim's account each time.
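To make the tampering described above concrete, here is an added example (not code from the original post or from IBM) that scans mailbox audit events for the two patterns just described: inbox rules that hide finance-related mail, and forwarding set to an address outside the organization. The event format, its field names, the sample events and the `INTERNAL_DOMAINS` value are constructed for illustration and loosely modeled on mailbox audit logs; they are not any vendor's actual schema.

```python
"""Flag mailbox changes typical of a BEC account takeover.

Added example: the audit events, their field names and the domain list
below are constructed for illustration (loosely modeled on mailbox audit
logs) and are not any vendor's real schema.
"""
import json
import re

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own mail domains
# Folders users rarely look in; a rule that files mail here is hiding it.
SUSPICIOUS_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email", "archive"}
FINANCE_KEYWORDS = ("invoice", "wire", "payment", "bank", "remit", "urgent")
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
MAILBOX_OPS = {"Set-Mailbox"}

# Constructed sample audit events (one JSON object per line), not real log data.
SAMPLE_EVENTS = """\
{"time": "2019-03-04T08:12:01Z", "user": "jdoe@example.com", "op": "New-InboxRule", "client_ip": "203.0.113.9", "params": {"Name": ".", "SubjectContainsWords": ["invoice", "wire"], "MoveToFolder": "RSS Subscriptions", "MarkAsRead": true}}
{"time": "2019-03-04T08:13:40Z", "user": "jdoe@example.com", "op": "Set-Mailbox", "client_ip": "203.0.113.9", "params": {"ForwardingSmtpAddress": "smtp:j.doe.mail@mail-example.net", "DeliverToMailboxAndForward": true}}
{"time": "2019-03-04T09:02:11Z", "user": "asmith@example.com", "op": "New-InboxRule", "client_ip": "198.51.100.7", "params": {"Name": "Newsletters", "From": ["news@vendor.example.net"], "MoveToFolder": "Newsletters"}}
{"time": "2019-03-04T09:30:00Z", "user": "asmith@example.com", "op": "Set-Mailbox", "client_ip": "198.51.100.7", "params": {"ForwardingSmtpAddress": "smtp:a.smith@example.com"}}
"""


def _clean(addr: str) -> str:
    """Drop an 'smtp:' prefix and normalize case."""
    return re.sub(r"^smtp:", "", addr.strip(), flags=re.IGNORECASE).lower()


def is_external(addr: str) -> bool:
    """True if the address belongs to a domain outside INTERNAL_DOMAINS."""
    addr = _clean(addr)
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def rule_codes(params: dict) -> set:
    """Return codes for the suspicious traits of one inbox rule."""
    codes = set()
    if not re.search(r"[A-Za-z0-9]", params.get("Name") or ""):
        codes.add("blank_name")        # rules named "." or " " are easy to overlook
    words = [w.lower() for w in (params.get("SubjectContainsWords") or [])
             + (params.get("BodyContainsWords") or [])]
    if any(k in w for w in words for k in FINANCE_KEYWORDS):
        codes.add("finance_keywords")  # rule singles out payment-related mail
    folder = (params.get("MoveToFolder") or "").lower()
    if params.get("DeleteMessage") or folder in SUSPICIOUS_FOLDERS:
        codes.add("hides_mail")        # matching mail never reaches the inbox
    if params.get("MarkAsRead"):
        codes.add("mark_read")
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        if any(is_external(a) for a in (params.get(key) or [])):
            codes.add("external_forward")
    return codes


def mailbox_codes(params: dict) -> set:
    """Return codes for suspicious mailbox-level forwarding settings."""
    codes = set()
    for key in ("ForwardingSmtpAddress", "ForwardingAddress"):
        target = params.get(key)
        if target and is_external(target):
            codes.add("external_forward")
    return codes


def severity(codes: set) -> str:
    """External forwarding, or hiding finance mail, is the BEC signature."""
    if "external_forward" in codes or {"hides_mail", "finance_keywords"} <= codes:
        return "high"
    return "medium"


def analyze(events_text: str) -> list:
    """Return one finding per audit event that shows BEC-style tampering."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        params = ev.get("params") or {}
        if ev.get("op") in RULE_OPS:
            codes = rule_codes(params)
        elif ev.get("op") in MAILBOX_OPS:
            codes = mailbox_codes(params)
        else:
            codes = set()
        if codes:
            findings.append({"time": ev["time"], "user": ev["user"], "op": ev["op"],
                             "client_ip": ev.get("client_ip"), "codes": codes,
                             "severity": severity(codes)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['time']} {f['severity']:6} {f['user']} {f['op']} from {f['client_ip']}: "
              + ", ".join(sorted(f["codes"])))
```

Run against the constructed events, the script reports the two changes made from 203.0.113.9 (a rule that files "invoice" and "wire" mail into an RSS folder and marks it read, then forwarding to mail-example.net) and stays quiet about the legitimate newsletter rule and the internal forward. In a real deployment the client IP and a sign-in from an unusual location are the natural pivots for the investigation.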

Once the attacker has laid the foundation for a believable ruse, they impart a sense of urgency when requesting an international wire payment to a new account, often sending multiple follow-up emails. In some instances the threat actor also impersonates senior members of the supervisory chain so that the transaction appears to have been approved.

Why Do Attackers Use BEC Scams?

Attackers exploit the human factor via BEC scams for three reasons. First, quite simply, it works: attackers are seeing growing success with malware-free BEC scams, and reported losses worldwide have risen by orders of magnitude since 2015. Second, BEC is cheap compared with buying or building an exploit, because it requires little or no technical knowledge and no special tools. Finally, a BEC scam that uses compromised credentials to target victims from inside a trusted network is difficult to spot with traditional detection platforms: there is no malware to detect and the mail comes from a legitimate account, so the attack is far less likely to be foiled by endpoint detection, network sensors, or spam filters.

What Can Organizations Do?

Because an attacker can succeed at BEC with very little investment, the number of attacks and the amount stolen have increased significantly over the past couple of years and will likely continue to rise. To reduce the risk of becoming a victim, companies can immediately put in place policies that address the human factor through both employee training and technical controls, many of which are already available in their email platform.

Employee training should explain the tactics attackers use in BEC scams. Employees should periodically review their own mailbox settings for inbox rules and forwarding addresses they did not create, and scrutinize sender addresses for domains with typos, such as an extra or swapped letter.
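The lookalike-domain check that this paragraph and the earlier description of typo-squatted domains call for, as an added example that is not code from the original post or from IBM: it classifies a sender domain against a trusted list using three tests (trusted name embedded in a longer domain, homoglyph substitution such as "rn" for "m", and small edit distance covering an extra, missing or swapped letter) and also flags a Reply-To that points somewhere other than the From domain. `TRUSTED_DOMAINS`, the homoglyph table and the sample messages are assumptions constructed for the illustration.

```python
"""Spot lookalike sender domains and Reply-To mismatches in email headers.

Added example: TRUSTED_DOMAINS, the homoglyph table and the sample
messages are constructed for illustration; they are not from the
original post.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's own domain plus a known vendor's domain.
TRUSTED_DOMAINS = ("example.com", "acme-supplies.example")

# Character groups that look alike in common fonts (a small, illustrative table).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))

# Constructed sample messages; only the headers matter here.
SAMPLE_MESSAGES = [
    "From: Jane Doe <jane.doe@example.com>\nTo: ap@example.com\nSubject: Invoice 4471\n\nAttached.\n",
    "From: Jane Doe <jane.doe@exarnple.com>\nTo: ap@example.com\nSubject: URGENT wire update\n\nNew bank details below.\n",
    "From: Billing <billing@acme-supplies.example>\nReply-To: billing@acme-supplies-example.com\nTo: ap@example.com\nSubject: Remittance\n\nPlease confirm.\n",
    "From: Jane Doe <jane.doe@example.com.secure-mail.net>\nTo: ap@example.com\nSubject: Quick request\n\nAre you at your desk?\n",
]


def normalize(domain: str) -> str:
    """Lower-case and collapse homoglyph sequences so 'exarnple' reads as 'example'."""
    d = domain.lower().strip().rstrip(".")
    for lookalike, real in HOMOGLYPHS:
        d = d.replace(lookalike, real)
    return d


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, swap adjacent."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_domain(domain: str) -> tuple:
    """Return ('trusted' | 'lookalike' | 'external', reason)."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted", None
    for t in TRUSTED_DOMAINS:
        if domain.endswith("." + t):
            return "trusted", None  # genuine subdomain of a trusted domain
        if t in domain or t.replace(".", "-") in domain:
            return "lookalike", f"embeds trusted domain {t}"
        if normalize(domain) == normalize(t):
            return "lookalike", f"homoglyph of {t}"
        limit = 1 if len(t) < 10 else 2  # tolerate more edits on longer names
        dist = osa_distance(domain, t)
        if dist <= limit:
            return "lookalike", f"{dist} edit(s) away from {t}"
    return "external", None


def check_message(raw: str) -> dict:
    """Examine From and Reply-To of one message and list the red flags."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    verdict, why = classify_domain(from_dom)
    flags = []
    if verdict == "lookalike":
        flags.append(f"From domain {from_dom}: {why}")
    reply_dom = domain_of(reply_addr)
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
        r_verdict, r_why = classify_domain(reply_dom)
        if r_verdict == "lookalike":
            flags.append(f"Reply-To domain {reply_dom}: {r_why}")
    return {"from": from_addr, "domain_verdict": verdict, "flags": flags}


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        r = check_message(raw)
        print(r["from"], r["domain_verdict"], *("\n  - " + f for f in r["flags"]))
```

On the constructed messages, the first passes clean, the second is caught as a homoglyph of example.com, the third comes from a genuine vendor address but replies would go to a lookalike, and the fourth hides the trusted name inside a longer attacker domain. Mail sent from a genuinely compromised account passes every test here, since its domain is real; that is why the behavioral cues (unusual wording, urgency, unfamiliarity with internal process) still matter.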

Because the attacker may also send mail directly from a compromised account, whose domain is genuine, employees should also watch for messages with unfamiliar grammar or word choices, messages from colleagues who seem oddly uninformed about internal policies or company structure, and messages that make urgent requests for international money transfers.

Additionally, tagging messages that arrive from external addresses with a visible banner, and blocking the ability to auto-forward mail outside the organization, increase the likelihood that an attack is identified and stopped before any fraud occurs.

Organizations can also implement strict international wire transfer policies, for example a mandatory waiting period before a payment to a new account is processed, or a requirement that employees verify any bank account change by calling the phone number already on file for the payee, never a number supplied in the email requesting the change.

Finally, the most important technical control a company can implement is multi-factor authentication for account logins. An additional authentication factor sharply diminishes an attacker's ability to access an email account with a stolen user ID and password.

-Alexandrea Berninger is a Global Security Intelligence Analyst on IBM X-Force Incident Response and Intelligence Services (IRIS)
