Business email compromise (BEC) is not just a growing threat for U.S. financial firms — it's a deceptively sneaky one. And industry experts know it.
While somewhat sexier cyber-scams like ransomware and trojans capture headlines and mainstream attention, BEC has often flown under the radar, becoming an increasingly healthy source of funds for fraudsters in recent years. Identified exposed losses from BEC rose 65% between July 2019 and December 2021, bringing global losses over roughly the past five years to $43 billion, according to a recent FBI public service announcement, as SC Media reported earlier this week.
“Year after year, business email compromise continues to not make headlines while being the No. 1 cybercrime by losses as reported by the FBI. Period,” said Ronnie Tokazowski, principal threat adviser for Cofense.
Although many financial executives may perceive business email compromise as an easy crime to track and stop, “this couldn't be further from the truth,” Tokazowski said. “Victims are lied to at every step of the fraud.”
And those lies have become more convoluted and harder to pin down, according to industry observers and findings from the FBI’s IC3. While many cyber thieves still follow the “direct transfer” route of traditional BEC scams, more of these email-based grifters are adding a second hop, employing “extortion, [fake] tech support and romance scams ... often [providing] documents such as driver’s licenses [or] passports” to open or take over legitimate cryptocurrency wallets and cover their tracks.
And funds are typically routed internationally to further complicate matters — banks in Thailand and Hong Kong were the most popular destinations for funds stolen through BEC last year, according to IC3 data.
“BEC crosses state lines, country lines, and with the thousands of cyber actors who are currently involved in this fraud, it's no wonder why BEC continues to be the number one crime year after year,” Tokazowski said. “We aren't mitigating it right.”
Mortgage closings and other high-value transactions are also used as cover for the monetary “redirection” of BEC, according to Gary McAlum, senior analyst for TAG Cyber.
“Although email has been, and will continue to be, the primary attack vector, cybercriminals are also exploiting SMS text and voice calls with great success,” he added. “The ready availability of open-source information on companies and individuals makes creating an attack profile on potential targets easy and highly useful.”
Tokazowski pointed out that, “Tracking malware is easy. You reverse a few samples, write a signature for the malware family, work with researchers who track the infrastructure to take it down, patch your infrastructure, and wash, rinse and repeat until the next attack happens.”
However, with BEC, “there is no 'magic' signature. The infrastructure used in these attacks is the human mind, where shame, anxiety, and depression keep humans from coming forward.”
Such pernicious attacks call for more deliberate defenses, according to the IC3's recent announcement. These include: verifying any request to change account or payment information through a secondary channel or with two-factor authentication, rather than by replying to the email that made the request; confirming that the URLs in emails actually belong to the business or individual claiming to have sent them; watching for hyperlinks whose domain names are misspelled or otherwise subtly altered versions of the real ones; refraining from sharing login credentials or sensitive PII over email; checking the sender's full email address rather than just the display name, especially on a mobile or handheld device, where clients often hide it; and configuring employees' computers and mail clients to display senders' full email addresses.
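Several of those IC3 checks can be automated at the mail gateway or in an analyst's triage script. What follows is an added Python example written for this page; it is not code from the article, the FBI or any vendor quoted here. It parses a constructed sample message and flags a From domain that impersonates one of an assumed set of the firm's own domains (typo-squats, homoglyph swaps such as a digit 1 for a letter l, hyphenated add-ons like examplebank-secure.com), a Reply-To that points somewhere other than the From domain, punycode link hosts, and hyperlinks whose visible text shows one domain while the href points to another. The trusted domains, the sample email and the 0.85 similarity threshold are all assumptions, and the registrable-domain logic is deliberately crude (last two labels only).

```python
"""Flag common BEC tells in a raw email: impersonated sender domains, a
mismatched Reply-To, punycode hosts and anchor-text/href mismatches.
Added example for this page; trusted domains and the sample message are constructed."""
import difflib
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the firm's own sending domains (hypothetical, not from the article).
TRUSTED_DOMAINS = {"examplebank.com", "examplebank.net"}

# Characters and digraphs attackers swap in because they render almost identically.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def registrable(host):
    """Crude registrable-domain extraction (last two labels). Enough for the
    .com/.net domains assumed here; a real deployment would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain):
    """Collapse look-alike characters so 'examp1ebank.com' compares equal to 'examplebank.com'."""
    d = domain.translate(HOMOGLYPHS)
    for fake, real in DIGRAPHS:
        d = d.replace(fake, real)
    return d


def lookalike_of(host):
    """Return the trusted domain that `host` impersonates, or None if the host is
    either genuinely trusted or unrelated to any trusted domain."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    norm = normalize(reg)
    for trusted in TRUSTED_DOMAINS:
        base = trusted.split(".")[0]                      # e.g. "examplebank"
        if norm == trusted or base in norm:                # homoglyph swap, or "examplebank-secure.com"
            return trusted
        # Typo-squat: a dropped, added or swapped letter. 0.85 is an assumed threshold.
        if difflib.SequenceMatcher(None, norm, trusted).ratio() >= 0.85:
            return trusted
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message):
    """Run the header and link checks over one raw RFC 5322 message; return a list of findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    if msg["from"] is None:
        return ["message has no From header"]
    sender = msg["from"].addresses[0]
    if "@" in sender.display_name:                        # display name set to a legitimate-looking address
        findings.append(f"display name carries an address: {sender.display_name!r}")
    hit = lookalike_of(sender.domain)
    if hit:
        findings.append(f"From domain {sender.domain} looks like trusted {hit}")
    if msg["reply-to"] is not None:
        reply = msg["reply-to"].addresses[0]
        if reply.domain.lower() != sender.domain.lower():
            findings.append(f"Reply-To domain {reply.domain} differs from From domain {sender.domain}")

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        host = urlparse(href).hostname
        if not host:
            continue
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(f"internationalized (punycode) domain in link: {host}")
        hit = lookalike_of(host)
        if hit:
            findings.append(f"link host {host} looks like trusted {hit}")
        # Only compare when the visible text itself looks like a URL or domain.
        shown = re.fullmatch(r"(?:https?://)?([\w.-]+\.[A-Za-z]{2,})(?:/\S*)?", text)
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(f"link text shows {shown.group(1)} but points to {host}")
    return findings


# Constructed sample message (not a real incident) with a hyphenated look-alike
# From domain, a free-mail Reply-To and a capital-I-for-l homoglyph link.
SAMPLE = b"""From: "Dana Lee, CFO" <dana.lee@examplebank-secure.com>
Reply-To: d.lee.cfo@gmail.com
To: ap@examplebank.com
Subject: Urgent: updated wire instructions
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please update the beneficiary account before 3pm.
Confirm here: <a href="http://exampIebank.com/verify">https://examplebank.com/verify</a></p>
<p>Portal: <a href="https://www.examplebank.com/ap">https://www.examplebank.com/ap</a></p></body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("FLAG:", finding)
```

Run as a script it prints four flags for the sample (the From domain, the Reply-To, the homoglyph link host, and the text/href mismatch) and nothing for the genuine www.examplebank.com link. The point is not the heuristics themselves, which a determined attacker can tune around, but that each of the IC3 items above maps to a concrete check that can run before a human ever reads the message.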
Tari Schreider, strategic advisor for Aite Novarica, agreed that financial companies especially need to employ tighter controls to limit BEC success. He recommended restricted use of auto-forwarding rules, requiring “two keys on the launch button” when making payments over a certain amount, using simulation exercises to make employees more aware of how crafty BEC grifters can be and blocking traffic from “all countries where there is no legitimate business need.”