Breaking down business email compromise
Far from random, each business email compromise (BEC) attack is a tailored effort aimed at particular industries, professions, and individuals, chosen to maximize the cybercriminals' chance of getting at information and money.
BEC attacks comprise two key phases.
Phase one begins with unauthorized access—which can happen through phishing, malicious applications, imposter domains, or cybercrime as a service (CaaS) syndicates offering credentials to the highest bidder—followed by a period of monitoring.
During this time, cybercriminals are acquiring the knowledge they’ll need for phase two of the BEC attack: fraud. They are reading your email. They’re mapping your trusted network. They’re watching for when, how, and to whom money is transferred from accounts.
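One of the access vectors named above is imposter domains: a sender domain built to pass for a partner the target already trusts. As an added example (not code from the article or from Microsoft), here is a small Python check that scores inbound sender addresses against a short, constructed allow-list of partner domains (contoso.com, fabrikam.com, northwindtraders.com are placeholders) and flags confusable characters, one-edit typos, the right name under the wrong TLD, and a trusted brand embedded in an attacker-controlled domain. The allow-list, the sample addresses, and the shortcut of treating the last two labels as the registrable domain are all assumptions made for the example.

```python
"""Flag inbound sender domains that impersonate a trusted partner domain.

Added example, not code from the original article. It assumes the defender
keeps a short allow-list of partner domains (constructed below) and wants a
verdict per inbound sender address. The registrable domain is approximated as
the last two labels, which is wrong for suffixes such as co.uk; a real
deployment would consult the public suffix list.
"""
import unicodedata

# Constructed allow-list of partner domains for this example.
TRUSTED_DOMAINS = ("contoso.com", "fabrikam.com", "northwindtraders.com")

# Single characters commonly swapped for the letters they resemble: a few
# Cyrillic letters plus digits. Folding digits turns "web3" into "webe"; that
# only matters if the folded string then collides with a trusted domain.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "0": "o", "1": "l", "3": "e", "5": "s",
})
# Two-character sequences that read as one letter in many fonts.
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"))


def decode_punycode(domain: str) -> str:
    """Turn xn-- labels back into the Unicode the recipient actually sees."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or malformed; keep as-is


def normalize(domain: str) -> str:
    """Lower-case, NFKC-fold (fullwidth forms etc.), then fold confusables."""
    d = unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))
    d = d.translate(CONFUSABLES)
    for seq, letter in MULTI_CONFUSABLES:
        d = d.replace(seq, letter)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit-cost insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_domain).

    Verdicts, checked in order: trusted; homoglyph (differs from a trusted
    domain only by confusable characters); lookalike (one edit away in the
    registrable label, or the trusted label under another TLD); embedded
    (trusted brand used as a subdomain or inside another label); unrelated.
    """
    domain = decode_punycode(address.rsplit("@", 1)[-1].strip().lower().rstrip("."))
    labels = domain.split(".")
    if len(labels) < 2:
        return ("unrelated", None)
    raw_reg = ".".join(labels[-2:])  # assumption: registrable = last two labels
    norm_reg = normalize(raw_reg)
    norm_base, norm_tld = norm_reg.rsplit(".", 1)
    for t in trusted:
        if raw_reg == t:
            return ("trusted", t)
    for t in trusted:
        if norm_reg == normalize(t):
            return ("homoglyph", t)
    for t in trusted:
        t_base, t_tld = normalize(t).rsplit(".", 1)
        if norm_tld == t_tld and levenshtein(norm_base, t_base) <= 1:
            return ("lookalike", t)
        if norm_base == t_base:  # same label, different TLD
            return ("lookalike", t)
    norm_full = normalize(domain)
    for t in trusted:
        if normalize(t).rsplit(".", 1)[0] in norm_full:
            return ("embedded", t)
    return ("unrelated", None)


def scan(addresses, trusted=TRUSTED_DOMAINS):
    """Return only the senders worth a second look: neither trusted nor unrelated."""
    flagged = []
    for addr in addresses:
        verdict, match = classify_sender(addr, trusted)
        if verdict not in ("trusted", "unrelated"):
            flagged.append((addr, verdict, match))
    return flagged


# Constructed sample senders, one per case the classifier handles.
SAMPLE_SENDERS = [
    "ap@contoso.com",                   # genuine partner
    "billing@invoices.contoso.com",     # genuine partner subdomain
    "ap@c\u043entoso.com",              # Cyrillic o in place of Latin o
    "ap@c0ntoso.com",                   # digit zero for o
    "ap@fabrikarn.com",                 # rn for m
    "ap@contso.com",                    # dropped letter
    "ap@contoso.co",                    # wrong TLD
    "ap@contoso-payments.com",          # brand inside another label
    "ap@contoso.com.secure-login.net",  # brand as subdomain of attacker domain
    "bob@example.org",                  # unrelated third party
]

if __name__ == "__main__":
    for addr, verdict, match in scan(SAMPLE_SENDERS):
        print(f"{verdict:10} {addr:36} impersonates {match}")
```

The verdicts are deliberately ordered from most to least certain so a mail-flow rule or SIEM query can act on them differently: homoglyph and wrong-TLD hits are almost never legitimate and can be quarantined, while embedded-brand hits (a partner's name inside a reseller's or agency's domain) are better routed to a reviewer.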
Matt Lundy of Microsoft Threat Intelligence explains, “Once a cybercriminal gains access to an inbox of a target, they’ll gain access to all their correspondence. They’ll know who you’re speaking with, who you regularly correspond with—they’ll know your communication style.”
Once cybercriminals know enough about a target to tell a credible story, they’ll use that information to gain access or money.
“The social engineering deployed by these cybercriminals is very sophisticated,” Lundy continues. “It’s intended and designed to fool people.”
The tools and services cybercriminals procure from dark web markets to mount their attacks are sophisticated too.
“The folks doing the fraud phase of the BEC attack are not necessarily the folks that are doing the phishing phase of the attack,” Lundy explains. “One of the reasons why CaaS is such an evolving and thorny problem is it allows criminals to scale.”
BEC attacks remain a challenge as cybercriminals continue to evolve their tactics and techniques to get around the defenses organizations put in place. Security researchers also expect to see targeted cybercriminal reconnaissance of industries where large wire transfers are commonplace.
The public contracting sector will likely continue to be a rich source of material for BEC specialists due to the public nature of the bidding process. Lundy explains how cybercriminals can often create an effective social engineering campaign with information that’s readily available with a basic internet search.
“They’re specifically targeting individuals who have the power to authorize money transfers. These big BEC attacks that result in the loss of millions of dollars don’t happen because of a random email. It’s not an advance-fee fraud type cybercrime. It’s very well thought out. It’s very specific and has a particular design in mind. And it will often be aided and facilitated by different elements of the cybercrime as a service network, particularly the specific credentials.”