Cybercriminals are targeting business email
In the era of digitalisation and internet expansion, anyone who goes online encounters cybercrime sooner or later. The more potential victims have to lose, the greater the threat. Victims include ordinary people as well as major companies and organisations with an established market position and reputation. In the latter case, business mailboxes are often the target. What exactly are BEC, VEC and phishing attacks?
Increasing numbers of organisations around the world are falling victim to Business Email Compromise (BEC), an attack that compromises the security of their email systems. “BEC fraud usually involves attempts to convince a company, institution or municipality to transfer money to an account held by fraudsters,” explains Kamil Sadkowski from ESET, a company specialising in IT network security. Hackers break into email accounts of specific employees. After analysing the communication style and business content contained in previous messages, they impersonate the owner of the hacked mailbox to communicate with co-workers. Several attack scenarios are used, but each of them leads to a financial loss or theft of confidential data.
Instructions from the boss, or CEO fraud?
Fraudsters often send an urgent request from the mailbox belonging to an executive or a top-level officer, asking for a bank transfer to a specific account number, which, not surprisingly, belongs to the criminals. CEO fraud is a deceptive cyber manipulation bordering on social engineering. As the majority of rank-and-file employees rarely receive emails directly from the CEO or top executives, they want to fulfil the instructions received from the “boss” as dutifully as possible.
In equally disastrous attacks, fraudsters impersonate a lawyer who represents the organisation in confidential or sensitive matters. The outcome is the same: the company loses money because the alleged lawyer pressures an employee or manager into secretly handling a funds transfer.
Kamil Sadkowski points out that Poland has also reported BEC events this year. Rewitalizacja, a utility company from Radom, transferred almost PLN 2 million to an account held by scammers. The fraudster, who claimed to be a Central Investigation Bureau officer, convinced the accountant to make a transfer, claiming that otherwise the company’s account would be hacked. The Rząśnia Municipality also fell victim to a BEC scam: it lost PLN 5 million by transferring money to what was supposed to be a long-term bank deposit account.
According to a report by Abnormal Security, a US-based company that sells advanced security tools for business email (Email Threat Report, Q3 2021), the size of an organisation matters when it comes to vulnerability to BEC attempts. Interestingly, according to the same report, the average number of BECs per thousand email boxes is highest for smaller companies and decreases steadily as the size of the organisation increases. Hacking attempts are more numerous in the case of companies employing fewer than 500 people, and rarely target organisations with more than 20,000 employees. This may mean that fraudsters are more likely to focus on the accounts of individuals who hold specific roles in their respective organisations rather than on the size or reach of their companies.
Abnormal Security data for Q2 of 2021 reveal that criminals are most likely to impersonate someone from Microsoft Outlook when carrying out BEC attacks. Between April and June, cybercriminals conducted more than 500 wide-ranging email blasts pretending to work for the digital giant. Amazon came in second, with its brand being used by criminals in over 450 email blasts.
“A new star on the cybercrime scene”
In Q3 of 2021, as many as 61% of organisations fell victim to VEC (Vendor Email Compromise) attempts, according to the Abnormal Security report. The authors described this type of fraud as “a new star on the cybercrime scene.”
What is VEC? Hackers take over the email account of a reputable vendor and send fake invoices, bank data updates or requests for sensitive data to client companies. Then, transferring money to the criminals’ account is just a few clicks away. VEC differs from the “traditional” BEC because the scammer must have full access to the vendor email account used for the attacks, which means that the vendor’s business email is hijacked first.
The number of VECs has been increasing at an alarming rate since Q3 of 2020. The Abnormal Security report shows that the median number of VEC fraud attempts among its customers between July and September 2021 was four. This means that the chance of becoming a victim increased by 96% within one year. While four attacks per quarter might not seem a lot, it is important to remember that they come from hijacked email accounts. Since the messages come from real mailboxes of vendors and refer to real information about the vendor, this type of activity is particularly difficult to detect and, as such, highly profitable for cybercriminals, the publication emphasises. With an average request of USD 183,000, four successful scams per quarter can cost victims millions each year.
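Because a VEC message really does come from the vendor's mailbox, sender authentication alone cannot catch it; the only place the fraud shows is in the content, typically an account number that differs from what finance has on file. The following Python check is an added example (not code from the article, ESET or Abnormal Security) that screens incoming vendor mail against a vendor master of known account numbers; the vendor domain, IBANs and phrases below are constructed, and the screening logic is an assumption about how such a control could be built.

```python
import re
from dataclasses import dataclass, field

# Constructed vendor master: account numbers finance already holds for each
# vendor domain (example IBANs from public documentation, not real accounts).
KNOWN_VENDOR_ACCOUNTS = {
    "vendor-example.com": {"PL61109010140000071219812874"},
}

# Wording typical of a "bank data update" request, matched case-insensitively.
CHANGE_PHRASES = re.compile(
    r"\b(?:new bank (?:account|details)"
    r"|updated? (?:our )?(?:bank|payment) (?:details|information)"
    r"|remit(?:tance)? to (?:the |our )?new account)\b",
    re.I,
)
# Compact IBAN form only (country code, two check digits, 11-30 alphanumerics).
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


@dataclass
class Verdict:
    flagged: bool
    reasons: list[str] = field(default_factory=list)


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters with digits (A=10 ... Z=35) and require remainder 1."""
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def screen_vendor_email(sender: str, subject: str, body: str) -> Verdict:
    """Flag remittance mail whose account details are not in the vendor master.
    Header authenticity is deliberately not consulted: in VEC the message is
    sent from the hijacked vendor mailbox, so SPF/DKIM would pass anyway."""
    domain = sender.rsplit("@", 1)[-1].lower()
    known = KNOWN_VENDOR_ACCOUNTS.get(domain)
    reasons: list[str] = []
    if known is None:
        reasons.append(f"sender domain {domain} is not a registered vendor")
    text = subject + "\n" + body
    if CHANGE_PHRASES.search(text):
        reasons.append("message asks to change payment details")
    for iban in sorted(set(IBAN_RE.findall(text))):
        if not iban_checksum_ok(iban):
            reasons.append(f"malformed IBAN {iban}")
        elif known is not None and iban not in known:
            reasons.append(f"IBAN {iban} not in vendor master for {domain}")
    return Verdict(flagged=bool(reasons), reasons=reasons)
```

Any flagged message should be held for out-of-band confirmation with the vendor on a phone number already on file, not one taken from the email.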
When it comes to corporate vulnerability to VEC, the trend is the opposite of that seen for traditional BEC. The Abnormal Security report suggests that organisations employing over 20,000 people are most vulnerable, while attacks against organisations with fewer than 5,000 employees are attempted once every five weeks on average.
The data authentication trap
Cybercriminals are increasingly using phishing attacks to target business email. Scammers send fake emails asking for authentication data, including links that redirect the recipient to phishing websites. This is known as a Credential Phishing Attack. In a moment of absent-mindedness, the employee enters the authentication credentials, allowing the scammers to take over the mailbox and launch further BEC and VEC attacks, which prove very effective in practice.
Any organisation, regardless of its size, can fall victim to a phishing attack that aims to obtain business email authentication credentials. According to Abnormal Security experts, in the case of companies with fewer than 500 employees, the likelihood of this kind of attack on a weekday is 92%, increasing to 95% among larger organisations. For this reason, it is even more important to find a solution to block such messages before they even reach employee mailboxes.
Material protected by copyright - all rights reserved.
Further distribution of the article with the consent of the publisher INFOR PL S.A.