Most workers are familiar with, or have at least heard of, phishing attacks by now. Despite their varying levels of sophistication, they share a core commonality: external threat actors pretending to be someone they are not (e.g., a foreign dignitary or a third-party vendor) to trick an employee into turning over access credentials, clicking a malicious link, or downloading and opening a malware-laden file. Although these e-mails are getting more convincing, there are often tip-offs, such as an unfamiliar sender address or a link that does not match its text, that point to the illegitimacy of the message.
Imagine that the phishing attempt came from someone inside the company. Would you be confident that your workforce would recognize the attack?
These kinds of threats fall under the category of Business E-mail Compromise (BEC) attacks and typically occur as a follow-up to a successful phishing attempt or malware infection. Regardless of the initial attack vector, the outcome is the same: a cybercriminal has obtained the credentials of someone in the company (usually an executive or someone in finance with access to payroll) and has been lying in wait for an opportune moment to launch a broader attack from that trusted account.
Research on BEC Attacks
To get a better sense of what BEC attacks look like in the wild, whom cybercriminals target, and what their objectives are, the cybersecurity firm Barracuda examined data compiled from 3,000 randomly selected BEC attacks detected by its Barracuda Sentinel® system.
Table I: BEC Attack Objective

| BEC objective | Link included | Share of attacks |
|---|---|---|
| Click malicious link | Yes | 40.1% |
| Steal information (personally identifiable information, PII) | No | 0.8% |
The data behind Table I show that the most common objective in the sample is to get the victim to wire money to an account controlled by the cybercriminal, which accounted for almost 47% of the attacks. In some of the e-mails, the attacker first tried to establish rapport with the intended victim, perhaps by asking for help with an urgent task and nothing more. Should the victim respond, the attacker will then try to talk them into making a wire transfer.
Interestingly, only 40% of the attacks include a malicious link, meaning more than half are nothing but plain-text e-mails. These messages are written to persuade the recipient to send money or sensitive PII. Because they carry no attachment and no URL, signature-based antimalware, attachment sandboxing, and URL-reputation filters have nothing to match on, and because they are sent directly to the victim from a legitimate e-mail account, they pass ordinary sender checks as well. Detecting them means looking at who is asking, whether the request fits that person's normal communication pattern, and what is being asked for.
Table II: Attack Targets

| Impersonated sender | Share of attacks |
|---|---|
| CEO | 42.9% |
| Other sensitive roles (finance, HR) | 9.0% |
| Other positions | 48.1% |

| Recipient | Share of attacks |
|---|---|
| Nonsensitive departments | 53.7% |
| Employees with access to sensitive or financial information | 46.3% |

The researchers at Barracuda also took a random sample of attacks at 50 companies to look at who the intended targets of a BEC attack were, and which role was impersonated. Across the sample, the CEO was the single most impersonated role, accounting for 42.9% of all attempts. Beyond that there is little pattern: only 9% of impersonation attempts involved other "sensitive" positions such as finance and HR, while the largest share (48.1%) was spread across other positions in the company.
Conversely, nonsensitive departments made up a little over half (53.7%) of the recipients of impersonation e-mails, meaning that close to half of the targets (46.3%) were employees with access to sensitive or financial information. The data therefore do not support the idea that you can contain the threat by protecting only those in finance, HR, or C-suite positions: both the impersonated and the targeted roles are spread across the organization.
The researchers at Barracuda recommend several steps to keep these attacks from succeeding:
- Implement clear protocols for handling wire transfers and changes to payment details. Never send money on the strength of an e-mail alone; confirm the request in person or by telephone, using a number from your own directory rather than any contact information supplied in the suspicious message, since the attacker controls that.
- Treat e-mails requesting money or sensitive information that appear to come from the CEO with extra caution, as the CEO is the most impersonated role in these attacks.
- Train employees to spot a BEC attack, including the plain-text, no-link variety, and make it part of any ongoing security awareness program.
- Use an e-mail protection system that can detect phishing, spear-phishing, and other cyberfraud attacks that open the door to a BEC threat.
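As an added illustration of why plain-text BEC is hard for link- and attachment-based scanners, and of the kind of sender and content anomalies a mail-flow check can look for instead, here is a small heuristic triage script. It is not Barracuda's or Sentinel's code; the company domain, executive directory, keyword lists and sample messages are all constructed for this example. It checks for display-name impersonation of a known executive from a non-corporate address, a Reply-To header that diverts replies to a different domain than the sender's, and payment or PII requests paired with urgency or rapport-building openers of the "are you available?" kind.

```python
"""Heuristic triage of plain-text BEC e-mails (added example, not Barracuda/Sentinel code).

The company domain, executive directory, keyword lists and sample messages
below are constructed for illustration only.
"""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                       # assumed internal domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # assumed directory: name -> real address

# Phrases typical of the money/PII requests and rapport openers described in the text.
PAYMENT_TERMS = re.compile(
    r"\b(wire|transfer|payment|invoice|bank details|gift cards?|payroll|w-2|social security)\b", re.I)
URGENCY_TERMS = re.compile(
    r"\b(urgent(?:ly)?|asap|immediately|right away|confidential|quick task|are you available|can you help)\b", re.I)
URL_PATTERN = re.compile(r"https?://\S+", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> dict:
    """Score one RFC 822 message; a score of 2 or more is treated as suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    score, reasons = 0, []

    # 1. Display-name impersonation: a known executive's name on a foreign address.
    known = EXECUTIVES.get(re.sub(r"\s+", " ", from_name.strip().lower()))
    if known and from_addr.lower() != known:
        score += 2
        reasons.append(f"display name '{from_name}' belongs to {known}, but sender is {from_addr}")

    # 2. Reply-To pulling the conversation to a different domain than the sender's.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        score += 2
        reasons.append(f"Reply-To {reply_addr} diverts replies away from {_domain(from_addr)}")

    # 3. Content: a money/PII request and urgency or rapport-building language.
    if PAYMENT_TERMS.search(text):
        score += 1
        reasons.append("asks for a payment, banking change or PII")
    if URGENCY_TERMS.search(text):
        score += 1
        reasons.append("urgency or rapport-building language")

    return {
        "from": from_addr,
        "internal_sender": _domain(from_addr) == COMPANY_DOMAIN,
        "plain_text_no_link": not URL_PATTERN.search(text),  # nothing for a URL scanner to inspect
        "score": score,
        "reasons": reasons,
        "suspicious": score >= 2,
    }


# Constructed sample messages (not real traffic).
SAMPLES = {
    "ceo_wire": """\
From: Jane Doe <jane.doe@example-corp.co>
To: pat@example-corp.com
Subject: Quick task

Are you available? I need you to process a wire transfer to a new vendor today.
It is urgent and confidential, so just reply to this e-mail.
""",
    "vendor_bank_change": """\
From: Acme Billing <billing@acme-supplies.example>
Reply-To: accounts@acme-supplies-invoices.example
To: ap@example-corp.com
Subject: Updated bank details

Our bank details have changed. Please process the attached invoice payment immediately.
""",
    "legit_ceo": """\
From: Jane Doe <jane.doe@example-corp.com>
To: pat@example-corp.com
Subject: Board deck

Please send me the Q3 revenue slide before the board meeting on Thursday.
""",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = triage(raw)
        print(name, "->", "SUSPICIOUS" if result["suspicious"] else "ok", result["reasons"])
```

Note the limitation that the article's own scenario implies: when the attacker genuinely holds the executive's credentials, the From address is the real one and only the content rules fire, which is why the out-of-band verification in the first recommendation, on a number you already have, remains the control of last resort.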
Asaf Cidon is vice president of content security services at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense. Barracuda Sentinel uses artificial intelligence to learn the unique communication patterns inside customer organizations, identify anomalies, and guard against these personalized attacks. Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked on Google's web search engineering team. Asaf holds a PhD and MS in Electrical Engineering from Stanford, and a BSc in Computer Engineering from the Technion.