Why are BEC attacks something not to be ignored?

Phishing attacks are one of the most common security challenges that both individuals and the companies are facing to keeping their information secure. Hackers are using email, social media phone calls or any form of communication to access the corporate or personal data. Ransomware, phishing and similar cyber threats like spear phishing/ whaling and CEO Fraud/Business Email Compromise (BEC) are the major cyber security concerns. Both ransomware and phishing are critical problems that every organization must address through a variety of means: user education, security solutions, vulnerability analysis, threat intelligence, good backup processes, and even common sense.

One of the most prevalent types of cyber fraud is the Business Email Compromise, or BEC scam. These attacks are responsible for billions of dollars in fraud losses over the last few years, and the criminals keep getting better at scamming their victims. A BEC is a form of phishing attack where a cyber-criminal impersonates an executive (often the CEO), and attempts to get an employee, customer, or vendor to transfer funds or sensitive information to the phisher. Criminals use Business Email Compromise (BEC) attacks to obtain access to a business email account and imitate the owner’s identity, in order to defraud the company and its employees, customers or partners. In most cases, scammers focus efforts on employees with access to company finances or payroll data and other personally identifiable information (PII). In most cases, BEC attacks try to deceive the recipient to do a wire transfer to a bank account owned by the attacker, while in many of the attacks, it asks the recipient to send the attacker personal identifiable information (PII), typically in the form of W2 forms that contain social security numbers. Another important observation is that a large percentage of BEC attacks do not involve a link: the attack is simply a plain text email intended to fool the recipient to commit a wire transfer or send sensitive information. These plain text emails are especially difficult for existing email security systems, because they are often sent from legitimate email accounts, tailored to each recipient, and do not contain any suspicious links. Also, in many of the attacks, the attacker tries to establish rapport with the target by starting a conversation with the recipient (e.g., the attacker will ask the recipient whether they are available for an urgent task). For the “rapport” emails, in the vast majority of cases, after the initial email is responded to the attacker will ask to do a wire transfer.

Now, the major question is how do one stay away from such attacks?

Wire transfers should never go out without an in-person conversation or phone call and additional care with phone calls if the only contact information is included in the potentially fraudulent email. Because the CEO is the most impersonated role, users should take extra care with emails from this account. If the CEO is making a request or if it is unusual to receive email from the CEO, the user should confirm the legitimacy before taking action. It is also very important for organizations to implement a training program which will help users to spot BEC attack and use that program to continually train and test them on updated techniques. Barracuda Sentinel combines three powerful layers: an artificial intelligence engine that stops spear phishing attacks in real time, including emails that originate from within the company; domain fraud visibility using DMARC authentication to guard against domain spoofing and brand hijacking; and fraud simulation training for high-risk individuals. It is also very important that employees are regularly trained and tested to increase their security awareness of various targeted attacks. Simulated attack training is by far the most effective form of training.  Barracuda PhishLine provides comprehensive, SCORM-compliant user training and testing as well as phishing simulation for emails, voicemail, and SMS along with other helpful tools to train users to identify cyberattacks. Not just these, the habits that put the organizations at risk need to be changed at the first, including internal communication and employee behavior.

Anshuman Singh
Senior Director, Product Management, Barracuda Networks