When thinking of the different kinds of cyberattacks, the deployment of ransomware is often the first to come to mind. An apocalyptic scenario with your teams' laptops locked when they arrive at the office, your backups encrypted and even, sometimes, the entry badges to the office no longer working.
But there is another type of attack, one that receives less media attention but that can cause significant financial damage to your company - and that is easier for cyber criminals to execute.
Business Email Compromise (BEC).
This article will answer 3 questions regarding BEC:
A BEC attack is a cyberattack that originates or seems to originate from a legitimate email address, often from a company’s CEO or top executive. The goal is to trick the target into acting on behalf of the hackers, often by sending them one or more bank transfers.
Let’s take a very basic (but quite realistic) example: someone from the accounting department receives an urgent invoice with a new bank account for a regular supplier. They pay. The payment was, in fact, made to the hackers.
We can identify two broad types of BEC attacks:
In more advanced cases, the emails can be complemented with various other elements: fake text messages spoofing the CEO’s phone number, fake calls using voice alteration tools… Hackers will use all the social engineering tricks at their disposal to convince their target to act.
1. A $21 million fraud for Pathe (European movie producer)
In 2018, the executive team of Pathe Netherlands (CEO, CFO) received an urgent message from the CEO of Pathe France (the headquarters of the company).
“We’re conducting the acquisition of an entity in Dubai. This operation must remain strictly confidential in order to ensure we have the advantage over our competitors.”
Because of this (fake) acquisition, a bank transfer of $800,000 had to be made to pay for initial fees. The Netherlands team made this payment.
There followed several more payment requests, sometimes supported by elements such as the signature of the CEO of Pathe as well as the signatures of the members of the board of shareholders.
All in all, more than $21 million in payments were made in this BEC attack. That’s about 10% of the annual revenue of the company.
2. One million in payments for a French SME
There’s no need to be a larger, international corporation to be targeted!
An (anonymous) French SME from the region of Lyon, operating in the real estate sector, received an invoice payment request from one of its suppliers.
The email was accompanied by invoices in the usual format, came from the supplier’s email account… and provided new bank account information for the payment. The amount? About $1 million.
The accountant made the payments as usual before calling his supplier to inform him they had been made… and realizing that he had been the victim of a BEC attack. Fortunately - in this specific instance - a series of controls made by the Turkish bank to which the payments had been sent allowed them to block the payment, enabling the SME to recover the funds.
Based on our conversations with CIOs and CISOs, this kind of attack targeting SMEs is extremely frequent.
There are 3 main consequences of a BEC attack for a company:
What’s especially concerning about BEC attacks is that, even though they are cyberattacks that leverage technological tools, there is no technological answer to them.
One could think that anti-spam software could help against the spoofing of email addresses (it is of course not relevant against attacks coming from a legitimate but compromised business email address), but hackers know how to beat it.
And yet, here are some potential answers to the threat of BEC attacks:
It’s therefore necessary to add additional layers to the defense strategy:
Finally, the live analysis of an email’s threat level (beyond the elements taken into account by anti-spam filters) and the display of an alert message (when a legitimate email account provides bank information, for example) can give your teams the information they need to make the correct decision.
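As an added illustration of the kind of live analysis and alert just described (example code written for this article, not Mantra’s product or anything from the original post), here is a small Python rule set run over two constructed emails: a spoofed CEO wire request and a genuine supplier mailbox announcing new bank details. The company domain, executive names and messages are all made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example; a real deployment would read these from the directory.
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVE_NAMES = {"Jane Doe"}
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}\b")
BANK_CHANGE_RE = re.compile(r"\b(new|updated|changed)\b.{0,40}\b(bank|account|iban|wire)\b", re.I)
PRESSURE_RE = re.compile(r"\b(urgent|immediately|asap|confidential)\b", re.I)

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def analyze(raw_email):
    """Return the alert messages to show the recipient for one raw email."""
    msg = message_from_string(raw_email)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload()
    alerts = []
    # Spoofing: an executive's display name on an address outside our domain.
    if display_name in EXECUTIVE_NAMES and domain_of(sender) != COMPANY_DOMAIN:
        alerts.append("display name matches an executive but the address is external")
    # Replies silently diverted to a mailbox the apparent sender does not control.
    if reply_to and domain_of(reply_to) != domain_of(sender):
        alerts.append("Reply-To domain differs from the From domain")
    # The check that still fires for a legitimate but compromised account:
    # the message itself supplies or changes bank details.
    if IBAN_RE.search(body) or BANK_CHANGE_RE.search(body):
        alerts.append("message provides or changes bank details: verify by phone")
    if PRESSURE_RE.search(body):
        alerts.append("urgency or confidentiality pressure")
    return alerts

# Constructed samples: a spoofed-CEO wire request and a real supplier mailbox with new bank details.
SPOOFED_CEO = """From: Jane Doe <jane.doe@example-c0rp.test>
Reply-To: Jane Doe <ceo.office@mail-relay.test>
To: accounting@example-corp.test
Subject: Acquisition - initial fees

Please wire the initial fees today to IBAN FR76 3000 6000 0112 3456 7890 189.
This operation must remain strictly confidential.
"""
COMPROMISED_SUPPLIER = """From: Billing <billing@supplier.test>
To: accounting@example-corp.test
Subject: Invoice 2024-117

Our bank details have changed. New account: IBAN NL91 ABNA 0417 1643 00.
"""
```

The second message would pass any anti-spam check, since it really comes from the supplier's account, which is why the bank-details rule is the one that matters there.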
Want to know more about how Mantra’s solution can help protect your company from the threat of Business Email Compromise attacks? Click here to book a meeting