
Experts at Kaspersky have noticed a growing number of business e-mail compromise (BEC) attacks. In Q4 2021, the company’s products prevented over 8 000 of these attacks, with the greatest number (5 037) happening in October.
BEC attacks happen when a bad actor impersonates a representative from a trusted business. During last year, Kaspersky’s researchers closely analysed the way criminals tailor and spread fake e-mails, and discovered the attacks tend to fall into one of two categories – large-scale or highly targeted.
BEC-as-a-service
The former, dubbed “BEC as a service”, simplifies the mechanics behind the attack in order to reach as many victims as possible. Taking a “throw mud at the wall and see what sticks” approach, threat actors send streamlined messages in large numbers from free mail accounts. These messages, while lacking sophistication, are still effective.
In one scenario, an employee would receive a fake e-mail from a senior colleague containing a vague message about a request that needs handling. The target may be asked to urgently pay off some contract, settle some financial conflict or share sensitive information with a third party.
Any employee could fall victim, and Kaspersky says they should look out for several noticeable red flags in such a message, such as the sender not using a corporate account and clearly not being a native speaker.
Advanced attacks
Other malefactors are turning towards more advanced, targeted BEC attacks. In these instances, attackers first target an intermediary mailbox, gaining access to that account’s e-mail.
Then, once they find a suitable correspondence in the compromised mailbox of the intermediary company (say, financial matters or technical issues related to work), they continue that correspondence with the targeted entity, impersonating the intermediary company. Often the goal is to persuade the victim to transfer money or install malware.
Because the victim is already engaged in the conversation the attackers reference, they are far more likely to be deceived. These attacks are highly effective and have become one of the most widespread social engineering techniques.
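The two patterns described above (a senior colleague's name on a free-mail address, and a hijacked partner thread that steers replies to a lookalike domain) can be turned into simple mail-gateway heuristics. The following is an added example written for this article, not code from Kaspersky or any product it mentions; the corporate domain, executive directory, partner list, free-mail list and the three sample messages are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from difflib import SequenceMatcher

# Constructed assumptions for this example: the organisation's own domain, the
# names of senior staff whose identity is commonly borrowed, known partner
# domains, and a few free-mail providers.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe"}
PARTNER_DOMAINS = {"acme-supplier.com"}
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
URGENCY_TERMS = ("urgent", "immediately", "today", "wire", "transfer", "payment", "invoice")


def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain, known):
    """Return a known domain that this one closely resembles but does not equal, else None."""
    for k in known:
        if domain != k and SequenceMatcher(None, domain, k).ratio() >= 0.85:
            return k
    return None


def score_message(raw):
    """Return a list of human-readable BEC red flags found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_dom = domain_of(reply)
    findings = []

    # Mass-scale pattern: an executive's display name on a non-corporate address.
    if name.strip().lower() in EXECUTIVES and from_dom != CORPORATE_DOMAIN:
        findings.append(f"display name '{name}' used from external domain {from_dom}")
    if from_dom in FREE_MAIL_DOMAINS:
        findings.append(f"free-mail sender domain {from_dom}")

    # Targeted pattern: a partner thread whose replies are steered elsewhere,
    # or whose sender domain is a near-copy of a real partner's.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    look = lookalike(from_dom, PARTNER_DOMAINS)
    if look:
        findings.append(f"sender domain {from_dom} resembles partner domain {look}")

    # Both patterns lean on urgency and money; require two terms to limit noise.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if len(hits) >= 2:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages.
MSG_MASS = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: accounts@example-corp.com
Subject: Quick request
Content-Type: text/plain; charset="utf-8"

I need you to handle an urgent payment today, please confirm and I will send details.
"""

MSG_TARGETED = """From: Accounts <billing@acme-suppl1er.com>
Reply-To: billing@acme-suppl1er-invoices.com
To: finance@example-corp.com
Subject: RE: Invoice 4471 - updated bank details
Content-Type: text/plain; charset="utf-8"

Following our earlier thread, please transfer the payment to our new account immediately.
"""

MSG_LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Are we still on for lunch on Friday?
"""

if __name__ == "__main__":
    for label, raw in (("mass", MSG_MASS), ("targeted", MSG_TARGETED), ("legit", MSG_LEGIT)):
        print(label, score_message(raw) or ["no findings"])
```

The heuristics are deliberately coarse: the display-name check needs a current staff directory, the similarity threshold will need tuning against real partner domains, and a gateway would normally combine these flags with SPF/DKIM/DMARC results and a quarantine-and-review step rather than acting on them alone.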
Roman Dedenok, security expert at Kaspersky, says the reason is clear – cyber crooks use these tricks because they work.
Building trust
“While fewer people tend to fall for simple mass-scale fake e-mails now, fraudsters have started to carefully harvest data about their victims and then use it to build trust. Some of these attacks are possible because cyber criminals can easily find names and job positions of employees as well as lists of contacts in open access. That is why we encourage users to be careful at work,” he adds.
“E-mail remains the primary communication channel for most enterprises due to its widespread use,” adds Oleg Gorobets, senior product marketing manager at Kaspersky.
And with no replacement on the horizon, he says this will remain so for years to come. “But as remote working practices and cloud storage become the new norm, along with the growth of poor digital hygiene, we foresee the emergence of new scam methods leveraging these gaps in enterprise security.”
He says that with less control over endpoint security, IT departments and security admins tend to get stressed even when the endpoint protection platform (EPP) reports that it successfully blocked a threat.
“A good example of this is e-mail-borne threats reaching the endpoint level, which can occur when using bundled 'good enough' e-mail security from telco or cloud mail provider. Using a specialised security solution and a well-tested technology stack, backed with quality threat data and machine learning algorithms, can really make a difference,” Gorobets adds.
BEC begone!
To avoid falling victim to these attacks, Kaspersky recommends that companies encourage their employees to think twice and carefully check each e-mail asking for payment or any sort of personal or corporate data.
Explain to them why publishing confidential corporate data on systems with open access, like cloud services, is a bad idea. Discourage them from sharing too many details about their work with a lot of people.
Next, the company advises educating staff to counter social engineering. Gamified training and workshops train employees to be vigilant and to identify BEC attacks that get through other layers of defence.
Finally, employ security tools to protect corporate communication channels that feature anti-phishing, anti-spam and malware detection technologies.