BEC (also sometimes referred to as 'Email Account Compromise' or 'EAC') is a common, contemporary form of fraud – exploiting the high degree to which individuals and businesses have become reliant upon the use of email in the conduct of modern interactions. It can be categorised as a spear phishing attack – though it can take a number of forms. In its most basic guise, a BEC attack is a social engineering attack that resembles a modern confidence trick, using spoofed emails and phone calls to build rapport with, or 'groom', a victim, before tricking them into making payments, providing information, or otherwise complying with the perpetrators demands. At the more advanced end of the spectrum, perpetrators can combine social engineering with malware to infiltrate networks and gain access to legitimate email threads, passwords, bank account and other information.
According to statistics released by the US Federal Bureau of Investigation (FBI) last month, there were 241,206 BEC attacks reported to the FBI Internet Crime Complaint Centre (IC3), law enforcement or reported in filings with financial institutions between June 2016 and December 2021. This led to global losses around the world of USD 43 billion over that time period. In July 2021, the Australian Federal Police (AFP) reported that BEC had cost Australian businesses more than $79 million over the past 12 months.
BEC attacks can cause significant financial loss to organisations. Publicly-known examples include:
- a subsidiary of Toyota who, in 2019, lost USD 37m when attackers convinced an executive in the finance department to make a wire transfer;
- the Puerto Rico Industrial Development Company (part of the Government of Puerto Rico) which lost more than USD 2.6m in 2020; and
- One Treasure Island, a not-for-profit redeveloping Treasure Island in San Francisco Bay with affordable housing, who, in late 2020, lost USD 650,000 to attackers who had compromised its email systems.
What do they look like?
BEC attacks vary widely in their methods and approach. Some scenarios (based on actual events) are as follows:
- A major retailer's head office receives an email just before the Christmas period requesting immediate payment of an invoice to a supposed supplier based in Asia. The email includes a request for the payments to be made to a new bank account. The retailer's finance team checks and confirms that there are outstanding invoices for the supplier, and processes the payment immediately to the new account. When the team returns in January, they receive an email from the real supplier, asking when they can expect payment of their outstanding invoices – at which time the retailer realises it has fallen victim to a fraud.
- The local office in India of a major multinational corporation receives a phone call from someone claiming to be a senior executive at headquarters. They assert that they are on a business trip; are having trouble accessing their work systems; and urgently need access to contact and HR information for a team in the Australia business. They convince the person on the phone to email the data to an external email address. A few months later, the data is used to coordinate a BEC attack against the Australia office, with attackers using the information obtained, alongside public information, to spoof email addresses to resemble those used by the company; request payments associated with a purchase being made by the organisation; provide email approvals; and to provide funds transfer details. The payments are made – and the fraud is only detected when an employee in Australia telephones their manager to let them know they have actioned the request.
- A finance executive of a small-to-mid sized company in Australia receives an email allegedly from the company's CEO. The email indicates that they have been offered favourable terms on the purchase of new equipment from a favoured supplier – but the offer is time limited and the transaction needs to be completed that day. The email states that the CEO will be unavailable for the remainder of the week for personal reasons, and pushes for the transaction to be completed on the same day. The finance executive confirms internally that the CEO was due to be on medical leave from that day, and proceeds with the transaction. It isn't until later that week that the finance executive realises that the emails from the CEO are from outside the company, and that the attackers emails use very similar domain names to the legitimate ones.
In general, all of these attacks follow a similar process:
- Identification and scouting: The perpetrators identify potential targets, examining the information that is available to them online – building profiles of the organisation, its activities, executives and key staff members. They may search for social media accounts associated with identified individuals, identifying professional and personal movements that may help them to facilitate a fraud; and they may contact the company to try and solicit information about employees, transactions, suppliers or other relevant details.
- The attack: The perpetrators may deploy malicious software (malware) to infiltrate and gain access to the company systems – allowing them to gain access to data or email systems directly – inserting themselves as a 'man-in-the-middle' to email discussions, changing, sending and deleting emails. Less sophisticated attackers may move straight to contacting the identified victim – via email or phone call initially – building rapport; placing pressure on them; and otherwise exploiting human nature. The purpose of the attack is to convince the various parties that they are engaged in legitimate business transactions, and ultimately to fraudulently extract funds.
- The payment: The successful attack leads to funds being transferred to the account nominated by the perpetrator. These accounts are often in a foreign jurisdiction, or the money is moved quickly from an account in the same jurisdiction as the victim to one offshore. It is often moved across multiple jurisdictions to complicate the ability of the victim and authorities to pursue it.
Finally, some of these attacks are persistent. In other words, if the fraud has not been detected by the victim during these three steps, the perpetrators may continue to exploit the victims' systems, or continue their social engineering of victim employees, to obtain more funds and conduct further transactions.
What can I do to prevent BEC attacks?
Organisations and individuals can take a number of steps to mitigate against these sorts of attacks
Educate employees
By far the most important step in prevention of BEC attacks is ensuring that employees are aware that these types of fraud are happening, what the warning signs are and what their role is in protecting your systems and processes to help minimise the risk of a possible security breach or fraud. Make sure that employees know to look out for red flags such as an unexpected request to change bank or invoice details, urgent requests for payments, unexpected requests from senior executives to make payments and email addresses that don't seem correct. Encourage employees to escalate issues and report concerns via clear guidance and an established process – particularly where they feel that they are being pressured to make payments quickly, pushed to maintain secrecy around transactions, or being asked to ignore standing business processes and procedures.
Back up education with strong systems
Invest in appropriate technical security systems for your organisation, making sure that you have aligned with an appropriate framework and are comfortable that your security posture matches your risk and threat environment. Implement multi-factor authentication in relation to user access to business emails and systems. This is one of the most effective controls available to prevent unauthorised access. Ensure that you have implemented email verification on your systems to help detect fake emails – and flag external emails to help users identify emails that arrive from spoofed domains.
Always verify
If you have received an email or phone call requesting payments, noting a sensitive transaction or otherwise asking you to get involved in any form of exchange of funds or information then make sure to:
- carefully examine the email – does it purport to come from someone within your organisation, but display any information about being an 'external email'? Is there anything strange about the way it's written or expressed?
- review the email address – is the domain name actually correct, or are any letters replaced by numbers; it is spelt incorrectly; does the sender actually exist and is their name spelt the same way?
- contact the sender/caller or their superior – via independently obtained contact information. Ring them via the switchboard; or a phone number you have obtained from a separate directory – do not simply take contact details from inside the email or provided to you over the phone.
- challenge the caller or sender – especially if the perpetrators phone you, resist any attempts to pressure you. Stick to established processes in your organisation; request that they provide additional information/verification data; and do not be afraid to independently verify who is contacting you.
Be careful what information you share
Both as an organisation and an individual, it is important to consider what information is being shared. Efforts should be made to protect employee contact details, particularly for departments like HR and finance that are often targeted during frauds, and educate employees to do the same. Inappropriately shared information may help perpetrators to understand roles and responsibilities, guess answers to security questions, or know day-to-day movements, which can all be used to help facilitate BEC and social engineering frauds.
Be mindful of phishing attempts
It is increasingly common to receive phishing emails and SMS in our daily lives. Be mindful of these – do not follow the links, and do not fill in any forms that may pop-up if you do. Phishing messages increasingly claim to come from trusted sources such as government departments law enforcement, financial institutions, utility companies and logistics companies. Such organisations will not ask you to provide personal and payment information via unsolicited emails or SMS messages.
What if I've been a victim of a BEC?
If you believe that you've fallen victim to a BEC attack, you should take a number of immediate steps, as soon as you can:
- Try to stop payment: Contact your banking institution immediately if you have made a payment or sent banking details to a third party – they may be able to stop the payment, or liaise with other financial institutions to place a hold on a payment.
- Engage appropriate experts: You should engage relevant experts to ensure you understand any legal exposures or avenues that may be available to you; who can help guide you through your response; and who can conduct reviews of your systems for indications of compromise. Advisors can provide you with advice on steps that you can or should take to try and recover your information or funds, to mitigate the risks presented of further or future attacks, to understand how the situation has occurred and to try and prevent reoccurrence.
- Change your passwords and notify stakeholders: If user or email accounts have been compromised, ensure that passwords have been changed and accounts reset. Impacted individuals should be notified and consideration should be given to contacting external stakeholders and warning them of the situation. Other notification obligations (for example, to regulators) may need to be undertaken by law.
- Understand the jurisdictions: These attacks often cross jurisdictions quickly. Try to gather as much information as you can around what has happened, where you know parties involved to be and where you know payments may have been made from and received to. Be careful to separate out facts from assumptions.
- Report the incident to the relevant authorities: In addition to your reporting obligations at law, you should report the attack to other relevant authorities. If you are based in Australia, you should begin by reporting via ReportCyber, but the nature of these attacks may mean reporting to authorities in different jurisdictions, and liaising with multiple government agencies. This can help with stopping funds from reaching perpetrators and may give you the opportunity to recover the funds – but also enables authorities to understand patterns of attack and provide additional advice, information and guidance to organisations to prevent and respond to attacks.