One of the most financially devastating attacks is Business Email Compromise (BEC). In 2021, the FBI found that BEC-related complaints added up to $2.4 billion. For context, in 2016, that number was just $360 million. That 2021 number is likely an undercount.
BEC is tough to grasp because it is more than just one attack. It is an array of attacks, all built on the same idea: leverage something that appears legitimate to get the end-user to do something they would not otherwise do.
We’ve been tracking BEC attacks for years and see them regularly today. What we’ve noticed is that there’s been a general evolution of BEC.
First, there was BEC 1.0. This again encompassed a lot of things, but in general, it worked like this:
Then, hackers evolved to BEC 2.0. Most attacks today–including today’s attack brief–are in this category. Here’s how it works:
What we’ve seen emerge is BEC 3.0. This has yet to be the dominant BEC variant, but we believe it will be in the next few months. Here’s how it works:
These attacks are incredibly difficult for users and tools to uncover because the sender’s reputation and the email format are perfect. PayPal is a legitimate service; it will pass all sender reputation checks, and Natural Language Processing will not notice the difference.
Attack
Today’s attack is an example of conversation hijacking. An account was compromised. The hacker used that to insert themselves into a conversation to direct legitimate funds to a different bank account.
In this attack brief, researchers at Avanan, a Check Point Software company, will discuss how threat actors use undelivered messages to trick users into handing over money.
In this attack, hackers compromise an account and forward legitimate undelivered messages to end-users to trick accounting teams into sending unwanted payments.
Email Example #1
This email starts innocently enough. It is a forwarded email, sent from a compromised account belonging to someone in accounting. The forwarded message is an old invoice email that was “never” successfully paid, so the payment supposedly needs to be remitted immediately. This email example showcases conversation hijacking.
When opening the attachment, which is just an .eml file, the end-user sees a message about a failed pay stub remittance: the original message had a “problem with the recipient” mailbox, so the pay stub still appears to need payment. Here, the user has a choice. They can immediately pay the invoice, in which case the money goes to the hacker, since the hacker has changed the details on the remittance form. Or they can go into their procurement system and look up the payment details, where they will most likely see that it has already been paid.
It is simply a fabricated message, created to convince the intended recipient that they must pay this invoice again.
Techniques
This BEC attack starts like many do–with a compromised account. Catching compromised accounts can be difficult, but it helps to have AI and ML that can profile the user’s baseline and see when something is amiss. Being able to do that across the entire SaaS portfolio helps too.
This account was compromised, and the hackers began sending timely emails. In this case, they alert the accounting department that a payment remittance has supposedly not yet reached its intended recipient.
Here, the end-user has a choice. End-users can look up that invoice in their system. If it exists, which it likely does, they may go ahead and pay it. A better course of action is to ask the sender–ideally in person–whether this is a legitimate email. Otherwise, the hacker may have the end-user right where they want them.
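As an added defensive illustration, not code from this attack brief or from Avanan’s products, the following Python triages a forwarded message that carries a nested .eml attachment of the kind described above: it pulls the attached message out, checks whether it claims a delivery failure, and compares any invoice number and bank account it mentions against the organization’s own procurement ledger. The sample message, addresses, invoice number, account numbers and ledger are all constructed for the example.

```python
from email import message_from_bytes, policy
import re

# Constructed sample (not a real capture): an internal "forward" carrying a
# nested .eml that claims a remittance bounced and supplies new bank details.
SAMPLE = b"""\
From: jane@example-corp.invalid
Subject: FW: Undeliverable: Remittance for invoice INV-1042
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/rfc822
Content-Disposition: attachment; filename="undelivered.eml"

From: postmaster@example-vendor.invalid
Subject: Undeliverable: Remittance for invoice INV-1042
Content-Type: text/plain; charset="utf-8"

There was a problem with the recipient mailbox.
Please remit payment for INV-1042 to account 99887766, sort code 12-34-56.
--b1--
"""

# Constructed procurement record: what accounts payable already knows.
LEDGER = {"INV-1042": {"status": "paid", "account": "11223344"}}
BOUNCE_RE = re.compile(r"undeliverab|problem with the recipient|delivery failed", re.I)
INVOICE_RE = re.compile(r"\bINV-\d+\b")
ACCOUNT_RE = re.compile(r"\baccount\s+(\d{6,})\b", re.I)


def review_forward(raw: bytes, ledger: dict) -> list[str]:
    """Return reasons an attached .eml should be held for out-of-band verification."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "message/rfc822":
            continue                        # only nested (forwarded) messages
        inner = part.get_payload(0)         # the attached message object
        text = inner.get("Subject", "") + "\n" + inner.get_body(("plain",)).get_content()
        if BOUNCE_RE.search(text):
            findings.append("attachment claims a delivery failure")
        for inv in sorted(set(INVOICE_RE.findall(text))):
            record = ledger.get(inv)
            if record is None:
                findings.append(f"{inv} not found in ledger")
            elif record["status"] == "paid":
                findings.append(f"{inv} already recorded as paid")
            for acct in ACCOUNT_RE.findall(text):
                if record and acct != record["account"]:
                    findings.append(f"{inv}: account {acct} differs from ledger {record['account']}")
    return findings
```

Any non-empty result is a reason to route the message to a human for the in-person check recommended above rather than to the payment queue.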
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following: