Business email compromise (BEC) poses a serious threat to every organisation and worryingly, such attacks are getting both more sophisticated, and more financially damaging to the victims of what is also known as “whaling”.
That’s according to California-based cybersecurity firm Symantec, which has noticed a steady rise in the sophistication of such attacks, which typically marry phishing-style emails to executives, with a high degree of social engineering.
It warns that access to powerful machine learning tools mean an arsenal of audio and video manipulation tricks may soon also become part of such attacks, which are typically highly personalised to draw the attention of executives.
The financial impact is rising steadily, it found. (Symantec also pointed to the FBI’s Internet Crime Report, published earlier this year, found that BEC attacks cost business $1.3 billion in losses in 2018 – sharply up from $60 million five years earlier.)
Symantec researchers found that businesses received “an average of five BEC scam emails each month during the past 12 months. This means each business had a 17 percent chance of getting at least one BEC email per month. In the previous 12 months, an organization would have received an average of four BEC emails per month.”
US based firms are the most targeted by threat actors’ utilising BEC scams, as the US accounts for 39 percent of all BEC attacks, however the UK is not far behind gathering up 26 percent of BEC attacks. Surprisingly the EU nations Germany, Belgium and the Netherlands only account for seven percent of the attacks, combined.
Business Email Compromise
At its heart a BEC scam is part hack and part social engineering, to achieve the latter threat actors are constantly trying new keywords which are designed to panic or intrigue the recipient.
Symantec found that in the UK and US the word ‘Important’ is the most commonly used with over 32,000 recorded instances of its use. However, overall the most used keyword is ‘Transaction Request’ which shows just how much hackers rely on human anxiety with regards to financial matters.
These scams have been constantly evolving over the years as threat actors get access to cheaper tools such as video editing and machine learning programs or botnets. As the technology to alter or craft video and audio gets more sophisticate and cheaper there is no doubt that hackers will start to use these tool more and more.
Symantec warns: “A BEC scammer using ML/AI could target an organization’s senior financial executive or employee who has direct access to the CEO and who could authorize money transfers. When the employee tries to verify the request, the scammer might use audio featuring the CEO—such as earning calls, YouTube footage, TED talks, and other previous recordings—to fool the employee into believing it is indeed the CEO’s voice on the other end ordering the transfer.”
“The employee could then execute the request fully believing it was legitimate. While this is a scary prospect, future BEC scam scenarios may just play out this way.”