Not only are business email compromise attacks evolving, according to the FBI, but financial losses from BEC scams now make up more than 44% of all losses associated with cybercrime.
According to the FBI Internet Crime Complaint Center's 2018 Internet Crime Report released earlier this week, the IC3 received 20,373 business email compromise and email account compromise complaints, with estimated losses of over $1.2 billion in 2018, compared with 15,690 complaints and nearly $675 million in losses in 2017.
In 2018, IC3 received a total of 351,936 cybercrime complaints, with losses exceeding $2.7 billion.
"It underscores exactly how lucrative email fraud and account compromise have become," said Robert Holmes, vice president of email security at cybersecurity vendor Proofpoint, based in Sunnyvale, Calif. "If you consider a cybercriminal's ROI model, it is, 'What value can I extract out of a scam?' The value that they can extract from simply posing as an individual that you trust and asking for them to transfer funds is actually potentially monstrously large."
BEC attacks are a sweet spot for cybercriminals, Holmes said, because attackers are able to monetize the scam quickly.
Such scams are on the rise because they work, said Gartner analyst Peter Firstbrook. Attackers are finding easy access to cash, with little risk, he said.
In BEC scams, an attacker compromises legitimate business email accounts to conduct unauthorized transfers of funds.
"Virtually every company has accounts payable, which are potential targets for misdirection to a fraudster's bank account," Firstbrook said via email. "Attackers often infiltrate an email account and wait for large financial transactions like payments and then insert themselves in a legitimate email chain with fraudulent banking instructions to misdirect payments."
Reports about losses associated with BEC attacks reflect a larger trend across the cybersecurity landscape, Holmes said.
"As technical vulnerabilities become increasingly rare and, therefore, more expensive to acquire and use, cybercriminals have shifted their efforts to target individuals through email with highly personalized, socially engineered messages," Holmes said. "A single compromised account can provide an attacker with the ability to move laterally across an organization and send convincing emails masquerading as a real employee, orchestrating significant potential financial harm and data loss."
According to a Proofpoint report, in the final quarter of 2018, the company saw the growth of such attacks against targeted companies increase by 226% quarter on quarter. On average, companies targeted by BEC scams received about 120 fraudulent email messages in the fourth quarter of 2018, up from 36 in the third quarter of 2018, Proofpoint found.
Holmes said BEC scams are also shifting toward a "many-to-many" approach, where attackers spoof more identities within the organizations than just the C-level executives.
Fifty-nine percent of BEC scams followed this pattern in the fourth quarter of 2018, while 60% of companies saw their own domains spoofed by email fraud actors, Proofpoint found.
In 2018, the IC3 also received an increase in the number of BEC complaints requesting victims purchase gift cards for both personal and business use, according to the report. In a warning on gift card scams last fall, the U.S. Federal Trade Commission said cybercriminals and scammers have an affinity for gift cards, because such transactions are "almost impossible to trace."
Defending against business email compromise scams
Holmes said he worries that, at some point, attackers will work toward building a comprehensive understanding of the corporate supply chain, which will lead to significant increases in financial losses through BEC campaigns.
"For the supply chain of a multinational company, they have over thousands of people they are transacting with. That, to me, is a much bigger and dynamic threat surface," he said. "My worry is that the more breaches there are, the more readily that cybercriminals can conduct reconnaissance at scale, the more they share information on the dark web, the more complete a picture they will build of a company's supply chain."
It is critical that organizations prioritize a people-centric approach to security that protects all parties against phishing, email fraud, credential theft and brute-force attacks, Proofpoint's Holmes said.
Robert HolmesVice president of email security at Proofpoint
"The strongest methodology, which will drive the appropriate and layered defenses, is to turn the problem inside out and say, 'If I was a fraudster, who would I target within your organization?' And make this a people-centric security problem," Holmes said. "We also recommend layered defenses at the network edge, email gateway, in the cloud and endpoint, along with strong user education to provide the best defense against these types of attacks."
The best thing organizations can do is to educate employees who have responsibility for data and financial transactions that email is not a valid authentication method for high-risk financial transactions, Gartner's Firstbrook said.
He advised organizations to develop standard operating procedures for financial transactions such as bank account changes, accounts payable and data managers like human resources.
"Next, they should invest in good email security that includes good impersonation protection," he said. "The best solutions often use machine learning on email patterns and near-match name analysis and some level of content inspection in the message body."
The FBI advised enterprises to contact their financial institutions as soon as they identify a possible BEC attack in order to stop any fraudulent transactions. The FBI also recommended that victims file a detailed complaint with the IC3, so authorities can investigate the incidents and potentially reclaim stolen funds.