In recent years the cyber threat landscape has shifted, with Business Email Compromise (BEC) attacks gaining prominence over ransomware. According to Cloudflare’s 2023 Phishing Threats Report, BEC-related financial losses rose 17% between December 2021 and December 2022. That rise reflects how many adversaries now favour BEC as their attack method of choice.
The growing threat of BEC
BEC is a form of phishing that involves attackers impersonating entities such as a company’s CEO, vendors, or customers to manipulate victims into transferring funds to fraudulent accounts. While BEC has been around for years, recent technological advancements, including artificial intelligence (AI), have made these attacks more convincing and sophisticated.
One concerning development in BEC attacks is the emergence of voice deepfakes, enabling attackers to mimic trusted figures like CEOs. Generative AI systems like ChatGPT have become readily accessible, further fueling the evolution of BEC attacks.
BEC attacks typically involve adversaries altering payment details or initiating unauthorized transactions, tricking victims into transferring money to the attackers’ accounts. Del Heppenstall, Partner and Head of Cyber at KPMG in the UK, has reported businesses losing millions of dollars to these attacks.
One example cited by Adam Pilton, Senior Cybersecurity Consultant at CyberSmart, highlights how BEC attacks can be deceptively simple. A small manufacturing business received an invoice that appeared identical to past invoices but with altered bank account details. The recipient unknowingly transferred funds to a criminal impersonating the supplier.
BEC attacks typically target individuals in financial roles, the people who can actually approve or issue a payment. Joe Stewart, Principal Security Researcher with eSentire’s Threat Response Unit, notes that BEC relies on subtle email manipulations rather than mass phishing campaigns, which makes detection more complex.
Efficiency of BEC attacks
What sets BEC apart from other cyber threats, such as ransomware, is its efficiency. Once the victim sends the payment, the attacker already has the money and can move it on immediately; a ransomware operation still has to extort the victim and collect a ransom after the intrusion.
Although BEC has been in existence for years, its exact origin is difficult to trace. The FBI began tracking “business email compromise” as a distinct category in 2013, and its prevalence has risen significantly since then. BEC attacks are hard to detect because they rely on impersonation and social engineering rather than malware or malicious URLs, so they often pass cleanly through standard cybersecurity defenses built to spot those indicators.
The role of AI in BEC attacks
AI, particularly tools like ChatGPT, has lowered the barriers to conducting sophisticated BEC attacks. Threat actors, even those with limited English proficiency, can use ChatGPT-like tools to write fluent, convincing phishing messages. Other generative AI tools can produce deepfakes of voices and faces, making it increasingly difficult to tell fraudulent communications from genuine ones. Attackers can also use AI to gather personal information from platforms like LinkedIn and to craft fake emails that mimic an individual’s writing style.
As AI capabilities continue to advance, experts anticipate its use in creating fraudulent invoices and conducting reconnaissance on potential targets. Additionally, AI will likely automate and scale BEC attacks, making them even more potent.
Businesses can take several steps to protect themselves and mitigate the risk of BEC attacks. They should scrutinize incoming emails for subtle changes in sender addresses (look-alike domains, a Reply-To that differs from the From address) and for discrepancies in payment details on invoices. Monitoring mailboxes for suspicious forwarding and inbox rules, and resisting pressure tactics demanding immediate payment, are equally essential.
To bolster defense against BEC attacks, adopting good password practices, implementing two-factor authentication (2FA), and employing suitable cybersecurity tools are crucial. Developing robust policies and fostering a security-aware culture throughout the organization is equally important.
Employee training plays a significant role in combating BEC attacks. Conducting internal phishing awareness tests and ensuring that wire transfer requests, and especially any change to a supplier’s bank details, are validated through a verified point of contact already on file (not a phone number or address supplied in the request itself) can markedly improve an organization’s security posture. Regularly reviewing mail server configurations, employee mailbox settings, and connection logs can help detect and prevent BEC attacks.
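As an added illustration of the checks the last few paragraphs describe (this is example code written for this page, not code from the article or from any of the firms quoted in it), the Python script below screens a constructed message against a hypothetical vendor record and reviews a constructed mailbox-rule export. The vendor domain, IBANs, addresses, the internal domain and the JSON rule layout are all assumptions made for the example; the rule layout in particular does not mirror any real mail platform’s export format.

```python
"""Screening checks for the BEC tells discussed above: look-alike sender
domains, rerouted replies, changed bank details, urgency language, and
mailbox rules that forward or hide finance mail. Added example with
constructed data; nothing here comes from the article or a vendor product."""
import json
import re
import unicodedata
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                       # assumption: our own mail domain
KNOWN_VENDORS = {                                     # assumption: vendor master data on file
    "acme-parts.com": {"iban": "GB29NWBK60161331926819"},
}
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
URGENCY_RE = re.compile(r"\b(urgent|immediately|today|asap|right away)\b", re.I)


def skeleton(domain: str) -> str:
    """Collapse common look-alike tricks (rn->m, 0->o, accented letters)."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for fake, real in (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")):
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches acme-parts.co / acme-partss.com style typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(domain: str, vendor: str) -> bool:
    return domain != vendor and (skeleton(domain) == skeleton(vendor)
                                 or edit_distance(domain, vendor) <= 2)


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def body_text(msg: Message) -> str:
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")


def screen_message(raw: str) -> list[str]:
    """Return human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw)
    sender, reply_to = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    findings = []
    # Which vendor is this message claiming to be? An exact match counts too:
    # a genuinely compromised supplier mailbox still sends "new bank details".
    claimed = next((v for v in KNOWN_VENDORS if v == sender or looks_like(sender, v)), None)
    if claimed and claimed != sender:
        findings.append(f"look-alike sender domain {sender} (resembles {claimed})")
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from From domain {sender}")
    for iban in IBAN_RE.findall(text):
        if claimed and iban != KNOWN_VENDORS[claimed]["iban"]:
            findings.append(f"IBAN {iban} differs from {claimed} record; "
                            "verify by phone using the number on file, not one in the message")
    if URGENCY_RE.search(text):
        findings.append("urgency language pressing for immediate payment")
    return findings


def screen_inbox_rules(rules_json: str) -> list[str]:
    """Flag mailbox rules attackers typically plant after taking over an account."""
    finance = ("invoice", "payment", "wire", "remittance")
    findings = []
    for rule in json.loads(rules_json):
        external = [a for a in rule.get("forward_to", []) if domain_of(a) != INTERNAL_DOMAIN]
        if external:
            findings.append(f"rule {rule['name']!r} forwards mail to external {external}")
        keys = " ".join(rule.get("subject_contains", [])).lower()
        if rule.get("delete") and any(k in keys for k in finance):
            findings.append(f"rule {rule['name']!r} silently deletes finance-related mail")
    return findings


# Constructed sample input (hypothetical domains, IBANs and rule layout).
SAMPLE_MESSAGE = """\
From: "ACME Parts Billing" <billing@acrne-parts.com>
Reply-To: acme-billing@mail.example
To: ap@example.com
Subject: URGENT: updated remittance details for invoice 4471

Our bank has changed. Please pay today to IBAN GB82WEST12345698765432.
"""
SAMPLE_RULES = json.dumps([
    {"name": "Archive newsletters", "subject_contains": ["newsletter"], "move_to": "Archive"},
    {"name": ".", "subject_contains": ["invoice", "payment"],
     "forward_to": ["drop.ap7@mail.example"], "delete": True},
])

if __name__ == "__main__":
    for finding in screen_message(SAMPLE_MESSAGE) + screen_inbox_rules(SAMPLE_RULES):
        print("FLAG:", finding)
```

Run against the sample message this produces four flags (look-alike domain, mismatched Reply-To, changed IBAN, urgency), and the rule export yields two (external forwarding and a rule that deletes invoice mail, named with a single dot so it is easy to overlook in a rule list). The point of the IBAN check is the action it recommends: a changed account number on an otherwise perfect invoice, exactly the case described earlier, is only resolved by calling the supplier on a number already on record.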
Furthermore, limiting the exposure of executive and company information can reduce the effectiveness of AI-based impersonation attempts by cybercriminals. By minimizing publicly available data, businesses can thwart attackers’ efforts to gather information for fraudulent purposes.