At its core, business email compromise is an adaptation of social engineering, executed to disrupt an individual’s routine. Someone can say they’re your company’s supplier, talk like one and send emails from a previously used email address and not be your supplier. Usually, BEC attacks are carried out to steal money from businesses, but now cybercriminals are going the extra mile to design advanced BEC strategies for invading and spoofing data and other assets from companies of all sizes.
How BEC Aids Data Theft Efforts
Conventionally, BEC actors used keyloggers to spoof account information and data from target systems. However, executable files inside attachments will be flagged by most email systems as there’s a good chance the attachment contains malware. Hence, hackers have transitioned into the new domain of BEC emails where they impersonate a senior person and use psychological techniques to get information from their target. The most crowded rung comprises adversaries who are sending out legit-looking emails to a broad swathe of personnel in anticipation of catching them off guard. The emails are more sophisticated than the Nigerian-entrepreneur-seeking-a-loan scams, and their goal isn’t always to extract funds, but rather information and data that can be sold on the black market. Fraudsters will do their research on a target organization, scour compromised accounts, examine the potential victim’s routine on social media and read recent company news. With all the necessary information at their fingertips, imposters then establish a way to access a critical layer of information about businesses and their executives in a way that appears convincing and is challenging to detect. In addition to imitating legit email messages, adversaries use tried-and-tested psychological techniques. They capitalize on the eagerness of employees to please higher management, demanding secrecy and even going as far as promising a promotion. To escape suspicion, fraudsters ask employees to carry out a task that a victim does typically every day as part of his/her job. For instance, an adversary with access to a chief executive’s email may ask some personnel to remind him of his password, as he is on vacation and locked out of the corporate account. The fraudster may also send a highly confidential data request (often accompanied by extortion), and ask the employee to keep it a secret. Common psychological tricks to gain the victim’s trust include:
Integrating humor: Witty language can be used to make the recipient feel at ease. Learning the business lingo: Instead of guesswork, hackers learn the language of the organization, or how people talk to each other. Business lingo enables them to act like they belong in the company and have nothing to hide. Simulating trust: It takes time to gain a person’s confidence, so adversaries don’t attempt to get their targets to trust them. Instead, they strive to make the targets think that they’re believing them and take advantage of rapport.
By playing mind games with their targets, hackers can trick them into giving away confidential or personally identifiable information. Also, the emails used in BEC aren’t mass emails, so they escape the spam filter on most occasions.
Case in Point: Form W-2 Data Thefts
FBI’s alert in February 2018 revealed a significant rise in the number of firms that were targeted by BEC actors in an attempt to gain W-2 data. The hacker might impersonate someone from the senior management of the victim’s company and request a staff member to email them W-2 tax form data of personnel. The data contained in W-2 forms is of tremendous value to fraudsters as a single record reveals a staffer’s address, name, social security number and income. It can be sold on underground websites, or be used to file illicit returns. Several high-profile companies have experienced the wrath of W-2 related BEC attacks, including Seagate and Snapchat after adversaries lured employees into giving away W-2 tax information. Also, BEC actors aren’t confined to a particular sector of the economy. They simultaneously carry out attacks on a wide range of industries to enhance their chances of success. For instance, the education sector was targeted by fraudsters which led to the exposure of W-2 information of 3,000 staffers at Tidewater Community College. A similar email that impersonated Raymond Burse, President at Kentucky State University, was sent to one of the employees, prompting them to share a list of students and personnel along with W-2 information of 2015. The combination of value and simplicity is ensuring BEC continues to be one of the most popular attack methods, especially for adversaries who lack the knowledge and skills to design more sophisticated schemes.
Conclusion
The best course of action that organizations could take is cross-checking email-based requests for sharing of sensitive data. Teach employees to ask a few questions from the person who made the request or request a meeting in person. Also, staff members should review the language of such emails diligently. Compare the tone used in the past with current correspondence. Is the email written in the third person while the past few emails were addressed in the second person? Does the message try to pressure the personnel? Watch out for these red flags to avoid being a victim of BEC-related data theft.