The U.S. Federal Bureau of Investigation (FBI) declared BEC 64x worse for a company than ransomware. It’s also very challenging for employees to spot. BEC is a chameleon that can take many forms and lacks the hallmarks that raise red flags in other cyberattacks. This list of the most common tools and techniques that cybercriminals use in a BEC operation can help shed some insight into what a BEC attack might look like and how to avoid falling into cybercriminal traps.

• Why is BEC the worst cyberattack threat that businesses face?

A business email compromise is a cyberattack that cybercriminals use to utilize seemingly legitimate (or freshly stolen) email accounts from one organization to trick employees of another business into giving them credentials, money, personal information, financial details, payments, credit card numbers or other sensitive data. More than 70% of companies experienced a BEC attack in 2021. This year, BEC has been gaining ground as law enforcement scrutiny drives cybercriminals who may typically pursue ransomware attacks toward BEC operations – BEC incidence more than doubled in Q2 2022, surging to 34% from 17% in Q1 2022.

BEC does massive financial damage to businesses. It can even drive a company out of business. The growth in the loss amounts that victimized businesses incur in the wake of a BEC disaster tells the tale of just how punishingly expensive a BEC incident can be. In the U.S., BEC schemes were the costliest cybercrimes reported to the FBI’s Internet Crime Complaint Center (IC3) in 2020 and 2021, and that’s not expected to change in 2022. Complainants to IC3 in 2021 suffered $2,395,953,296 in losses, 28% more than 2020’s record total of $1,866,642,107. Severe reputational harm is another potentially damaging consequence of BEC, impacting a company’s current and future relationships.

• Social engineering powers BEC:

Social engineering is a tactic used to compel people to do something even though it may appear to be against their best interests. It’s also the most likely fraud technique an employee will encounter during a BEC attack. Why? Because it works. Socially engineered cyberattacks are just under 80% effective. One reason is that social engineering is a commonly used technique in phishing, the origin point of most BEC attacks and the cyberattack that employees are exposed to most frequently. Bad actors often rely on a few social engineering techniques to sell their con and prop up their schemes.

Here are some examples of social engineering techniques that may be used in a BEC attack:

1. Presenting the lousy actor as a trusted contact or representative of a legitimate organization by providing context cues that make their communications seem authentic. Spoofing and conversation hijacking are commonly used in this scenario.
2. Scaring the victim by claiming that they or their company will experience a negative consequence if they don’t act on the demand made in the message immediately. A letter from a utility threatening to cut off service is an example of this tactic.
3. Convincing the victim that the lousy actor is an executive or some other influential person in the victim’s company creates a sense of urgency for the request, like claiming to be an executive who is out of town and needs the employee to send them money in an emergency.

• 3 Frequently Used BEC Tools:

While cybercriminals have a wide array of tools at their disposal when planning cyberattacks, the following tools and techniques are generally their go-to moves in a BEC attack:

1. Spear phishing:

Spear phishing is an attack that uses precise information to send sophisticated, malicious emails to individuals or organizations. It is a deliberate attempt by threat actors to steal sensitive information, such as account passwords or financial information, from a specific victim. Actors use social engineering techniques and often leverage social media to obtain personal information about the victim, such as their friends, birthplace, employer, frequently visited places and recent internet purchases, to foster authenticity in their lures by pretending to be somebody the target knows and trusts. This is a prevalent attack scenario that just under 70% of businesses endured in 2021.

2. Spoofing:

Spoofing is a technique attackers use to imitate people, companies and computers to trick people into giving up personal information to gain access to something valuable. This technique is a go-to for the bad guys. One-quarter of all branded emails companies receive are spoofed. Spoofing can apply to emails, phone calls and websites, or it can be more technical, such as IP, Address Resolution Protocol (ARP) or Domain Name System (DNS) spoofing. Often, spoofing is used during a cyberattack to disguise the source of attack traffic. Nearly 50% of BEC attacks spawn from copying someone’s identity in the display name of a bogus email message.

3. Conversation hijacking:

Conversation hijacking is a type of phishing attack where threat actors insert themselves into a pre-existing email conversation. Typically, conversation hijacking is preceded by the lousy actor gaining access to the victim’s email account. Sometimes, this technique is used by attackers who have gained access to the email account of someone the victim regularly converses with, like a colleague or a representative of another organization. Conversation hijacking relies on the victim’s false sense of security with emails that appear trustworthy because they draw upon a victim’s previous or ongoing correspondence. This type of BEC attack soared by an eye-popping 270% in 2021.

Source: ID Agent