Early detection crucial in stopping BEC scams

Avoiding a costly social engineering attack often requires employees to spot suspicious emails before threat actors request sensitive information or access.

Cofense Intelligence published new research Thursday that showed most business email compromise (BEC) scams can be thwarted in their initial stages when the attackers are not asking for money or a transfer of funds. The cybersecurity vendor analyzed hundreds of BEC emails sent to customers during March and April, and engaged with the threat actors in approximately half the cases.

The company found that only 36% of attackers looking to conduct fraud attacks opened with a cordial greeting and request for cash, gift cards or confidential payment information. Most BEC scams, Cofense found, attempt to slowly build up trust over the course of multiple email exchanges with the target and ingratiate them with common phrases like "sorry to bother you."

"Once they realize they can get money out of you, they will do everything they can to drain you dry," Cofense principal threat advisor Ronnie Tokazowski told SearchSecurity. "For many of the scammers, this becomes a literal hustle, where they will quickly pivot to other cash-out methods. Just because something starts as a wire transfer doesn't mean they won't ask you to send cryptocurrency, gift cards, a check, or use your personal Venmo or PayPal to wire them money."

A common trick amongst fraud groups, BEC scams rely entirely on social engineering rather than technical exploits. Hackers commonly pretend to be a trusted company executive or partner and instruct employees to redirect payments to a bank account controlled by the fraudster.

"For BEC threat actors, there are some benefits to hiding the details of their scheme at first," Cofense noted in its report, titled "BEC: Tactics and Trends of the Most Costly Email Threat."

"Getting replies from an intended victim may help the threat actor build rapport, identify other targets, and assess how much they can steal."

Using data from real-world attacks, Cofense says that its team found most BEC attackers opt for a soft opening and don't ask employees for any money outright. Rather, the criminals looked to elicit an emotional response from targets before giving instructions for the payout.

In one example, a would-be CEO pretended to be busy with a meeting and, in following messages, told the target to pay out staff a "bonus" in the form of gift cards. The emails got increasingly aggressive as the fraudsters grew impatient with the target.

For most of the scammers, the intent was to divert internal payroll. The attacker would instruct the target to redirect employee paychecks to alternate accounts. Second to that was gift card scams where attackers try to dupe the target into handing over money in the form of gift cards that can easily be laundered for cash.

While social engineering attacks can be difficult to screen, there is one dead giveaway admins can point out for end users: The attackers overwhelmingly use free webmail services rather than corporate accounts to conduct their attacks.

"Unlike the threat actors behind credential phishing and malware campaigns, BEC threat actors cannot simply send an email and hope that the targeted user opens it," said Cofense. "Since they desire two-way communication with the user, they need email accounts that can send and receive reliably, rather than send-only tools like web-based mass-mailing scripts."

The report noted that the FBI's Internet Crime Complaint Center (IC3) reported BEC scams cost businesses a whopping $43 billion between 2016 and 2021. Earlier this year, the IC3 issued an alert warning that BEC scams were spreading to virtual meetings.

Tokazowski told SearchSecurity that when it comes to stopping phishing and BEC attacks, training end users is key, and that training is best applied early on and in a low-stress situation.

"When it comes to business email compromise attacks, ensuring that processes and procedures have stop guards to check and verify that a request is legitimate is key," Tokazowski explained. "Having this conversation before a phishing attack happens is key, because everyone is stressed during a live incident, and very frequently things will get missed."