This question should be standard issue at any cybersecurity pub quiz:
What increased by 108% one day in September 2019?
It’s not the number of data breaches experienced around the world. It’s not even the proportion of businesses now targeted by cyberattacks.
No: it refers to the total amount of money stolen from businesses thanks to Business Email Compromise scams, according to the FBI. The Bureau’s flagship figure of $12.5bn was revised upwards by more than 100% on September 10th, hitting a staggering $26bn.
The two figures don’t cover identical timespans. But if anything, comparing the periods of time used to arrive at the totals generates even more alarm. The original $12.5bn figure was derived from business losses over a five-year period between 2013 and 2018. The new figure of $26bn is the product of just three years of criminal activity, covering June 2016 to July 2019.
So how are attackers able to extract such large sums of money from enterprises? And what can be done to stop them?
Perhaps part of the reason Business Email Compromise (BEC) has been so successful is that everyone has a slightly different definition of what it means, and no clear solution to stop it…
Business Email Compromise (BEC) is when a trusted relationship – between colleagues or counterparties – is hijacked through email. BEC can be accomplished in two ways:
Conveniently for attackers, account takeover is often achieved after a successful spear phishing attack.
BEC is a catch-all term often conflated with other kinds of email attacks, like phishing, spear phishing and account takeover. Account takeover (ATO) attacks, for instance, are often described as identical to Business Email Compromise. However, ATO attacks see the attacker literally gain access to an individual’s genuine account, potentially by using brute force “credential stuffing” hacking techniques. BEC attacks, meanwhile, are geared around impersonation. An attacker “compromises” an email account by convincingly impersonating a trusted counterparty of the target. What is being “compromised” in a BEC attack is the trust between the target and the impersonated counterparty.
Because BEC scams rely on people making mistakes and being tricked, attacks can be relatively simple or extremely complex. The initial step involves fraudsters identifying a company they intend to target. Once this is done, before executing the attack itself, the attackers must first impersonate an employee or one of the company’s external counterparties. (Attackers might choose to impersonate a display name or a domain in order to fool their target. To understand more about the different types of email spoofing and impersonation exploited by cybercriminals, head to this Tessian blog.)
To execute a BEC attack, attackers will send spear phishing emails to targets within the company. Building trust over time comes down to communicating authentically. Although you might have read about spear phishing campaigns convincing people to click on malicious links or attachments, this is no longer a necessity. “Zero-payload” attacks, a growing phenomenon, build trust with targets over time using entirely innocuous communications. The request, when it comes, may be made in writing without the suspicious links or attachments that are easier for traditional security programs to flag.
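The two paragraphs above describe impersonation at the header level (a trusted display name or a lookalike domain) and the "zero-payload" request that carries no link or attachment. The script below is an added illustration of how a defender can surface those signals in a received message; it is not Tessian's code and not part of the original post. The company domain, the executive directory, the request phrases and both sample messages are constructed for the example.

```python
"""Heuristic BEC indicators on a raw RFC 822 message (constructed example)."""
from email import message_from_string
from email.utils import parseaddr
import re

COMPANY_DOMAIN = "example-corp.com"                           # assumed internal domain
DIRECTORY = {"thomas edison": "t.edison@example-corp.com"}    # assumed exec directory
REQUEST_PHRASES = ("change our bank details", "update the invoice",
                   "new account details", "wire the funds", "urgent payment")


def edit_distance(a, b):
    """Levenshtein distance; small values against the real domain mean a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _text_and_attachments(msg):
    """Collect plain-text body parts and count attachments (works for single-part too)."""
    text, attachments = [], 0
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename():
            attachments += 1
        elif part.get_content_type() == "text/plain":
            text.append(part.get_payload(decode=True).decode(errors="replace"))
    return "\n".join(text), attachments


def analyse(raw):
    """Return the list of BEC indicators found in the raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []

    # Display-name impersonation: a known executive's name on an address that is not theirs.
    expected = DIRECTORY.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display_name_impersonation")

    # Lookalike domain: not our domain, but only a character or two away from it.
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike_domain")

    # Reply-To steering the conversation to a domain other than the visible sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        findings.append("reply_to_mismatch")

    # Zero-payload request: no link, no attachment, but payment-change language in the text.
    text, attachments = _text_and_attachments(msg)
    lowered = text.lower()
    if (attachments == 0 and not re.search(r"https?://", lowered)
            and any(p in lowered for p in REQUEST_PHRASES)):
        findings.append("zero_payload_request")
    return findings


# Constructed sample: impersonated CEO on a lookalike domain, plain-text invoice change.
SAMPLE_BEC = """From: Thomas Edison <ceo@example-c0rp.com>
Reply-To: Thomas Edison <ceo@mail-relay.invalid>
To: accounts@example-corp.com
Subject: Invoice
Content-Type: text/plain

Hi, please update the invoice with our new account details today. Thanks, Thomas
"""

# Constructed sample: the real executive on the real domain, no request.
SAMPLE_BENIGN = """From: Thomas Edison <t.edison@example-corp.com>
To: accounts@example-corp.com
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    print("bec:", analyse(SAMPLE_BEC))
    print("benign:", analyse(SAMPLE_BENIGN))
```

Each indicator on its own is weak (executives do use personal addresses occasionally, and plenty of legitimate mail asks for payment), so in practice these are inputs to a score or a warning banner rather than a block rule.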
This example shows an attacker impersonating a CEO, Thomas Edison, asking an employee to change invoicing details. There is no link or attachment required, only text:
It’s clear that subtle and hard-to-detect techniques can have a potentially damaging effect on enterprises. So what are the main methods by which attackers compromise this trust in BEC attacks?
As we’ve seen, the main motivation behind BEC attacks is commonly financial. But going after an organization’s finances can have wide-reaching consequences, also affecting intangible factors like company morale and brand reputation. Here are some of the main consequences cybersecurity leaders should be wary of.
Data breaches are rarely out of the press these days. One of the scams that resonates most with the media is credential harvesting and the stealing of user data. With organizations now holding more information on individuals (employees and customers) than ever before, these attacks can cause immense harm to people and to businesses.
Of course, a principal aim of BEC attacks is to extract money from targeted organizations. In 2018, film company Pathé lost more than €19m after an attacker posed as the company’s CEO and asked another senior executive to wire funds to a fake account. When second-order financial penalties like fines are taken into account too, BEC can prove extremely damaging to organizations’ balance sheets.
Nowadays it’s hard to think of data breaches and email attacks without the associated fines brought about by new regulation. Currently, for instance, Yahoo is tackling an enormous class action suit with estimated damages of more than $100m. And legislation designed to make fines more than a slap on the wrist is now ramping up all over the world. In one of the first big GDPR fines, the UK’s Information Commissioner earlier in 2019 announced its intention to fine British Airways £183m after a 2018 data breach.
It’s harder to quantify on a balance sheet, but after a BEC-triggered data breach, hard-won brand reputations could be put at serious risk. An email security failure can cause share prices to fall and affect organizations’ relationships with their customers. Another second-order effect could be knocking employees’ morale and denting confidence, making rebuilding work still more difficult.
There are a wide range of reasons for businesses to protect themselves against Business Email Compromise, which raises the question: why are most businesses unprepared to defend against this threat?
Simply put, security products have not moved as quickly as cyberattackers in predicting and preventing new and emerging threats. Secure Email Gateways do a great job of preventing run-of-the-mill spam and “bulk” phishing attacks, but they do this with static lists of rules that can only stop attacks the software has already seen. They simply aren’t cut out to defend against increasingly sophisticated attackers deploying social engineering techniques and exploiting human frailties in order to trigger dangerous actions. (Read our CTO Ed Bishop’s thoughts on Secure Email Gateways and other legacy technologies here.)
BEC attacks are highly targeted towards particular individuals within organizations. Even the most vigilant employees can be foxed by a spear phishing scam if it is sent on a busy day, delivered in a particular tone, or perceived to be from an authoritative source. Indeed, some threats are confined to IP addresses hidden in email headers – undetectable by employees.
That’s why organizations must invest in technology that explicitly protects their people. And that’s where Tessian’s software, trained on over 1 billion emails, comes in.
Our stateful machine learning engine learns what “normal” email communications look like within complex organizations. Using historical patterns and behavioral signifiers to understand relationships between internal and external parties, Tessian Defender identifies malicious impersonations before they have the chance to deceive employees.
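The contrast drawn above, between static rule lists that only catch what they have already seen and a model of what "normal" communication looks like, can be shown with a much simpler stateful baseline. The class below is an added toy illustration, not Tessian Defender's engine: it learns from a constructed history which addresses normally write to each recipient, then flags a new message that breaks the pattern (first contact, a domain never seen by the organization, or a familiar display name arriving from an unfamiliar address). All addresses and records are constructed.

```python
"""Toy relationship baseline for BEC triage (constructed example, not Tessian's code)."""
from collections import defaultdict

# Constructed history of (sender_address, sender_display_name, recipient).
HISTORY = [
    ("t.edison@example-corp.com", "Thomas Edison", "accounts@example-corp.com"),
    ("t.edison@example-corp.com", "Thomas Edison", "accounts@example-corp.com"),
    ("billing@supplier.example", "Ada Supplier", "accounts@example-corp.com"),
    ("billing@supplier.example", "Ada Supplier", "accounts@example-corp.com"),
    ("hr@example-corp.com", "HR Team", "accounts@example-corp.com"),
]


class Baseline:
    """Learns per-recipient sender relationships and organization-wide domains."""

    def __init__(self, history):
        self.senders = defaultdict(set)   # recipient -> known sender addresses
        self.names = defaultdict(dict)    # recipient -> {display name -> addresses}
        self.domains = set()              # every sender domain seen anywhere
        for addr, name, rcpt in history:
            addr = addr.lower()
            self.senders[rcpt].add(addr)
            self.names[rcpt].setdefault(name.lower(), set()).add(addr)
            self.domains.add(addr.rsplit("@", 1)[-1])

    def score(self, addr, name, rcpt):
        """Return the list of ways a new message departs from the learned baseline."""
        addr = addr.lower()
        domain = addr.rsplit("@", 1)[-1]
        reasons = []
        if addr not in self.senders[rcpt]:
            reasons.append("first_contact")            # this pair has never talked
        if domain not in self.domains:
            reasons.append("unseen_domain")            # nobody here has seen this domain
        known = self.names[rcpt].get(name.lower())
        if known and addr not in known:
            reasons.append("known_name_new_address")   # familiar name, unfamiliar address
        return reasons


def verdict(reasons):
    """Map baseline deviations to a handling decision."""
    if "known_name_new_address" in reasons:
        return "warn_user"          # strongest impersonation signal in this toy model
    if "first_contact" in reasons and "unseen_domain" in reasons:
        return "review"
    return "deliver"


if __name__ == "__main__":
    b = Baseline(HISTORY)
    for addr, name in [("t.edison@example-corp.com", "Thomas Edison"),
                       ("thomas.edison@example-c0rp.com", "Thomas Edison"),
                       ("billing@supplier.example", "Ada Supplier")]:
        r = b.score(addr, name, "accounts@example-corp.com")
        print(addr, r, verdict(r))
```

The point of the contrast is that nothing in this model needs to have seen the attacker's domain before: the deviation from the recipient's own history is the signal, which is exactly what a static blocklist cannot express.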
If you’re interested in learning more about Defender or our other Human Layer Security products, sign up for a demo here.