One of the most prevalent types of cyberfraud is the Business Email Compromise, or BEC scam. These attacks are responsible for billions of dollars in fraud losses over the last few years, and the criminals keep getting better at scamming their victims.
In this Barracuda Threat Spotlight, we take a look at the different types of BEC attacks that have been analyzed by the Barracuda Sentinel Team.
Highlighted Threat:
Criminals use Business Email Compromise (BEC) attacks to obtain access to a business email account and imitate the owner’s identity, in order to defraud the company and its employees, customers or partners. In most cases, scammers focus efforts on employees with access to company finances or payroll data and other personally identifiable information (PII).
The Details:
To better understand the goals and methodology of BEC attacks, we compiled statistics for 3,000 randomly selected BEC attacks from the Barracuda Sentinel system. Table I summarizes the objectives of the attacks:
BEC Objective | Link Included | Percentage
Wire Transfer | No | 46.9
Click Malicious Link | Yes | 40.1
Establish Rapport | No | 12.2
Steal Information (PII) | No | 0.8
TABLE I: The objective of BEC attacks as a percentage of 3,000 randomly chosen attacks. 59.9% of attacks do not involve a phishing link.
The table shows that the most common objective in the sampled attacks is to deceive the recipient into making a wire transfer to a bank account controlled by the attacker, while about 0.8% of the attacks ask the recipient to send the attacker personally identifiable information (PII), typically in the form of W-2 forms that contain Social Security numbers. Here's a recent example of a wire transfer BEC with the names and addresses redacted:


12% of attacks try to establish rapport with the target by starting a conversation with the recipient (e.g., the attacker asks whether the recipient is available for an urgent task). For these "rapport" emails, in the vast majority of cases the attacker asks for a wire transfer as soon as the recipient responds to the initial email.

We also sampled attacks from 50 random companies and classified the roles of the recipient of the attack, as well as the impersonated sender. The results are presented here in Table II:
Role | Recipient % | Impersonated %
CEO | 2.2 | 42.9
CFO | 16.9 | 2.2
C-Level | 10.2 | 4.5
Finance / HR | 16.9 | 2.2
Other | 53.7 | 48.1
TABLE II: The roles of recipients and impersonated employees from a sample of BEC attacks chosen from 50 random companies. C-level includes all executives other than the CEO and CFO, and Finance/HR does not include executives.
Based on the results in Table II, the term “CEO fraud” used to describe BEC is indeed justified: about 43% of the impersonated senders were the CEO or founder.
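As an added illustration (not part of the original article and not Barracuda Sentinel's code), the following Python turns the two findings above, the impersonated role and the attack objective, into a triage rule over constructed sample messages. The executive directory, the addresses and the phrase lists are assumptions chosen for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed executive directory (an assumption, not from the article):
# lowercase display name -> (role, the executive's real address).
EXECUTIVES = {
    "jane doe": ("CEO", "jane.doe@example.com"),
    "john roe": ("CFO", "john.roe@example.com"),
}

# Objective categories from Table I mapped to constructed phrase heuristics;
# a URL in the body is the "Click Malicious Link" case, the others carry no link.
OBJECTIVE_PATTERNS = {
    "wire_transfer": re.compile(r"\b(wire|bank transfer|account number|routing number)\b", re.I),
    "steal_pii": re.compile(r"\b(w-?2|social security|ssn|payroll)\b", re.I),
    "establish_rapport": re.compile(r"\b(are you available|quick task|urgent task|at your desk)\b", re.I),
}
URL_RE = re.compile(r"https?://\S+", re.I)


def triage(raw_email):
    """Classify one plain-text RFC 822 message by impersonated role and BEC objective."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    role, real_addr = EXECUTIVES.get(display.strip().lower(), (None, None))
    # "CEO fraud": the display name is an executive's but the address is not theirs.
    impersonated = role is not None and addr.lower() != real_addr
    if URL_RE.search(body):
        objective = "click_link"
    else:
        objective = next((name for name, rx in OBJECTIVE_PATTERNS.items()
                          if rx.search(body)), "none")
    # Executive impersonation weighs more than a suspicious phrase on its own.
    score = 2 * int(impersonated) + int(objective != "none")
    return {"impersonated_role": role if impersonated else None,
            "objective": objective, "score": score}


# Constructed sample messages; names, domains and wording are made up.
SAMPLE_WIRE = """From: Jane Doe <jane.doe@freemail-example.net>

Please process a wire to the vendor today. I will send the bank account number shortly.
"""
SAMPLE_RAPPORT = """From: Jane Doe <jane.doe@example.com>

Are you available for a quick task?
"""
```

A real deployment would also consult DMARC results and display-name lookalikes, which this rule deliberately leaves out.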


Take Action:
- Wire transfers should never go out without an in-person conversation or phone call. Be especially careful with phone calls when the only contact number available is the one included in the potentially fraudulent email.
- Because the CEO is the most impersonated role, users should take extra care with emails from this account. If the CEO is making a request or if it is unusual to receive email from the CEO, the user should confirm the legitimacy before taking action.
- Implement a training program that teaches users how to spot a BEC attack, and use that program to continually train and test them on updated techniques.
- Deploy an email protection system like Barracuda Sentinel to automatically stop spear phishing and cyberfraud attacks that lead to a successful BEC scam.
Barracuda Resources:
Real-Time Spear Phishing and Cyber Fraud Defense — Barracuda Sentinel is the only solution in the market that can automatically prevent email account takeover. It combines three powerful layers: an artificial intelligence engine that stops spear phishing attacks in real time, including emails that originate from within the company; domain fraud visibility using DMARC authentication to guard against domain spoofing and brand hijacking; and fraud simulation training for high-risk individuals.
User Training and Awareness — Employees should be regularly trained and tested to increase their security awareness of various targeted attacks. Simulated attack training is by far the most effective form of training. Barracuda PhishLine provides comprehensive, SCORM-compliant user training and testing as well as phishing simulation for emails, voicemail, and SMS along with other helpful tools to train users to identify cyberattacks.
Asaf Cidon is a professor of electrical engineering and computer science at Columbia University and a Barracuda adviser. He previously served as vice president of content security services at Barracuda Networks. In this role, he was one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense. Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked at Google’s web search engineering team. Asaf holds a PhD and MS in Electrical Engineering from Stanford, and BSc in Computer Engineering from the Technion.