Business email compromises (BEC) — commonly referred to as CEO Fraud because the CEO's identity is being impersonated — continues to grow and, more significantly, succeed due to the simplicity and urgency of the attacks, according to recent study from Barracuda of some 3,000 attacks.
The study, published today, notes that of the 3,000 attacks studied, some 60 percent do not contain any phishing links.
The goal of BEC attacks is to socially engineer the recipient to take a specific action, such as a wire transfer or to send personally identifiable information that can be used for identity theft rather than to introduce malware. In some cases, the request is something much more benign such as asking a janitor to unlock a door that later will be used for physical entry into a facility. While the CEO is most often the employee being impersonated, the report says, various C-level employees have that distinction, with the CFO and human resources as other key targets. Recipients of the emails could be anyone in the company.
A smaller percentage of initial BEC attacks are used to gauge the recipient's willingness to be helpful, which is crucial for an attacker trying to socially engineer a potential target. The more willing a target is to help, the easier it is to compromise the systems.
“The ability of these criminal groups to compromise legitimate business e-mail accounts is staggering,” Martin Licciardo, special agent in the FBI Washington Field Office, said in a post on the FBI's official website recently. “They are experts at deception. The FBI takes the BEC threat very seriously.”
The FBI's recommendation on defending against BEC includes this one, simple recommendation: “The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO's office or speaking to him or her directly on the phone. Don't rely on e-mail alone,” Licciardo said.