A Chilling Campfire Tale of Business Email Compromise (How BEC Schemes Work - In Detail)
It’s a gloomy night in the woods and we’ve gathered around the fire to share one of the scariest stories we know. What goes bump in the night? (And is it a threat actor?) A nightmare could be lurking in your office, behind computer screens, waiting for your return.
We’ll be following the tale of Craig from finance and his company. Through his experience with a business email compromise attack and the lessons learned, you might stop the same horrors from happening to your clients or your own business.
Forget Bloody Mary. Chant “B-E-C” three times in the mirror, and begin your journey.
What Is a Business Email Compromise Attack?
Before we get rolling, a definition is in order. At its simplest, Business Email Compromise (BEC) is an attack that involves using the medium of email to trick an individual into giving up something of value. The key is individual: these are targeted, intentional attempts that leverage either social engineering tactics, like impersonating an executive, or stolen credentials — or both — to increase the chance of success.
(Side note: the better-known term phishing has overlap with BEC. Phishing attempts are often deployed with the intention of gaining information or access that will ultimately enable a BEC attack. In some cases BEC is carried out entirely through phishing, particularly the targeted form known as “spear phishing.” But it is possible for an attacker to execute BEC attacks with stolen credentials alone, and likewise it’s possible to use phishing to launch other forms of attack, such as ransomware. So the terms aren’t fully synonymous.)
For threat actors, a business email account — either legitimate or seemingly legitimate — acts as a golden ticket to sway a victim to believe they’re working with someone they trust. Typically, their main goal is financial gain through the transfers of funds to an attacker-controlled bank account. Large organizations like Toyota, Google, and even the government of Puerto Rico have fallen prey. The FBI’s Internet Crime Support Center reports that in 2020 losses from BEC were over $1.8 billion.
How does it happen, why do we keep falling for it, and what are the measures to prevent it? For answers, read our cautionary tale below.
Set the Scene; Sound the Alarms
The fire is crackling, and we’re holding a flashlight underneath our chins to set the mood.
Our victim is Craig: he loves his dog, tolerates his roommate, and generally likes working as an associate in the finance department at an engineering consulting firm. He’s been there since he graduated college two years ago, so he’s comfortable with the routine of things. He knows their clients — who pays on time, and who doesn’t — and the best way to reach them (and actually get a prompt response).
So, when a regular client, Hornbill Technology, doesn’t pay their invoice for the second month in a row, Craig doesn’t fret. This is normal. They’ve been late before, but they always catch up. He knows better than to bother them, since they are a long-term client and he wants to keep a good relationship.
But then a third month without a payment — that’s concerning. So, he calls them and expects Amy, who handles their administrative side of things, to tell him she’ll sort it out.
His stomach drops, however, when she explains that she’s completed the last three invoices following instructions Craig had sent to route the payments to the engineering firm’s new bank account. Craig, who momentarily forgets how to breathe, admits to her that they have not switched banks, and he hadn’t knowingly sent any new payment instructions.
🔎 Cybersecurity Clue:
If there was a policy in place between Craig’s company and Amy’s — that dictated that any changes in payment information required a phone call to confirm this information — we may have avoided the transfer of funds in the first place. Out of Band Authentication (OOBA) can save you!
Craig is panicked: it’s Friday, and his weekend is ruined. He can’t stop revisiting what happened three months ago, which he thought nothing of at the time, when he received an email from his coworker requesting that he look over a document.
Readers, the email was not real. It looked real, but it was simply modeled after his businesses’ email domain. One letter in the middle of a word was out of place — something you’d never see unless you looked closely. On top of that, Craig had replied from his phone’s email application, which hid the sender’s email address altogether and simply displayed his coworker's full name. He had to enter his username and password to view the document, but once inside, there was nothing there. He assumed his coworker was just an airhead.
🔎 Cybersecurity Clue:
If you receive an email that requests you click a link to enter your credentials, remain hyper aware of the sender’s information. A lone added hyphen in the business email domain could be the telltale sign that it’s a spoofing attempt.
Now, the threat actor had his username and password, giving him free rein to log in to Craig’s email and survey exactly what he does all day. They saw what invoices he sent to clients, how he spoke, even how he signed off his emails. (Cheers!)
Hornbill Technology was one of their highest-billed clients, so “Craig” — threat actor Craig — reached out to Amy to inform her that their bank had changed. Insert threat actor’s preferred bank account information here. From there, the threat actor set up email forwarding so the rest of their correspondence never hit Craig’s inbox and deleted his initial conversation with Amy.
The Investigation and Response
Fortunately, Craig lived to tell the tale (even if he lost a lot of sleep through the ordeal). What were the next steps?
- Forensic experts worked with the engineering firm to determine how the threat actor got inside their systems. The threat actor may have targeted Craig based off of his LinkedIn account, determining that he was probably a key employee for handling finances. Beyond that, a forensic team can also identify the depth of the attack. Was the threat actor moving laterally through your system once they had acquired Craig’s credentials?
- Both parties work with their bank:
- The engineering firm should look for any other suspicious activity.
- Hornbill Technology should contact their bank to see if they can recover any lost funds.
- Craig needs to reset his password on the hacked account, and all other accounts where he uses the same password.
- The engineering firm implements multi-factor authentication across the organization (more on that here) to add a much needed layer of protection.
- They also block all emails associated with the hacker.
It starts with 5.25-inch floppy disks. Cue up Every Rose Has Its Thorn by Poison -- because it’s 1989. Computers aren’t a household necessity quite yet, the AIDS epidemic is ablaze, and a Harvard-taught evolutionary biologist, Dr. Joseph Popp, has mailed 20,000 copies of a computer-based questionnaire to the recent attendees of the World Health Organization AIDS conference.
A fresh face compared to other lines, cyber has taken many forms before — an easy add-on, a profitable afterthought, a tech-heavy nuisance — but was never a top priority. However, after headline-worthy ransomware attacks, data breaches, and serious losses for insurers, cyber insurance is getting the main character treatment.