SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Breaking down BEC – the costliest risk facing your organisation
Tue, 4th Oct 2022

When it comes to direct financial costs, business email compromise (BEC) overshadows all other threats by some margin. 

According to the Australian Cyber Security Centre’s Annual Cyber Threat Report 2020-21, BEC cost Australian organisations AUD$81 million during a twelve-month period. Concerningly, an analysis conducted by Proofpoint revealed more than three-quarters of ASX-200 companies are failing to implement basic email protection – exposing employees, customers and partners to higher risks of email fraud. 

Despite this, BEC is often misunderstood, miscategorised and conflated with other threats. This can make it difficult to get a handle on the true scale of the issue and can hamper the defence strategies put in place to protect our organisations.  

BEC should not be used as general shorthand for an array of email threats. BEC refers to a type of phishing email targeted at businesses in an effort to defraud them. While every attack is unique, most share a distinct set of characteristics. The more we know about them, the better we can identify, classify and ultimately keep these attacks at bay.

Every BEC attack involves a layer of deception. Email scammers use a range of techniques, from compromising legitimate email accounts to spoofing the domains of suppliers and other third parties. These email addresses are then used to impersonate trusted contacts and socially engineer employees into carrying out an action. 

Precisely what that action is will depend on the style of the attack, though most will involve some sort of financial transaction. To help your organisation prepare for all manner of threats, below is a breakdown of the most common attack themes, along with our guidance on keeping BEC beyond your perimeter. 

Invoice fraud

Invoice fraud occurs when a threat actor either deceives an organisation into paying for something it did not purchase or redirects a legitimate payment into the hands of cybercriminals. As business-to-business transactions can be large and requested to a deadline, this type of fraud is both incredibly common and incredibly costly. 

There are two standard methods to an invoice fraud attack. Cybercriminals will either spoof the email address of a supplier to request payment of funds or compromise a legitimate supplier account and amend payment information. 

In some cases, invoice fraudsters will hijack legitimate email threads between an organisation and a supplier, observing and mimicking tone to inject BEC into an active conversation. With employees completely unaware that they are dealing with an imposter, invoice fraud is often not detected until goods or payments fail to arrive with legitimate recipients. By this time, funds are long gone. 

Payroll redirects 

Also known as payroll diversions, payroll redirects are among the simplest and most effective BEC techniques. Here, the grift is to trick an organisation into rerouting employee wages to the attacker’s account. 

In most cases, payroll redirect attacks are sent via free email services such as Gmail, with the sending address crafted to resemble that of the employee in question. Email is then sent from these addresses requesting a change to bank details. 

With payment details changed, wages go into the attacker’s account, and, once again, alarm bells are unlikely to ring until the rightful recipient fails to receive their funds. 

Advance fee fraud

Advance fee fraud is one of the oldest types of email con. Often misleadingly referred to as Nigerian Prince scams, these attacks have gained something of a comical reputation due to the more outlandish iterations in recent years. However, the consequences of falling victim to this threat are anything but funny. 

Here, the threat actor asks the potential victim for a small amount of money in advance of a bigger pay-out later. The initial payment is presented as helping unlock the much larger windfall, which is often claimed to be inheritance or lottery winnings. 

The criminals behind these attacks have been known to claim to be descendants of royalty or part of a government organisation. More recently, threat actors have themed lures around COVID-19 to elicit responses from pandemic-fatigued victims. Most advance fee fraud email is sent via spoofed and lookalike domains. 

Lure and task emails 

This method of attack is a little different in that it is benign on its own but often acts as a gateway to other threats on this list. While the ultimate goal is usually financial, the initial aim of a lure and task email is to get the victim’s attention and gauge their propensity to be scammed. 

Emails are mostly sent from spoofed domain names, with perpetrators posing as a trusted contact of the recipient. Messages are usually short and direct, such as “Are you available?” or “I need a quick favour”. If the recipient responds in a way that suggests they have taken the bait, threat actors will usually go on to request money under the guise of an emergency or similar time-sensitive situation. 

Lure and task-themed email fraud is incredibly widespread, accounting for more than half of all email fraud threats in 2021. 

Winning the battle against BEC

The attacks covered here are among the hardest to detect and defend against. They are designed to deviously slide into our day-to-day business with little force or fanfare and are often not spotted until long after the con is complete. 

For this reason, traditional perimeter-focused cyber security tools and gateways alone are not adequate protection. Like most modern cyber threats, BEC is a direct attack on your people, not your technology. Stopping these attacks, therefore, requires a people-centric defence. 

Implementing the Essential Eight framework and putting controls in place to monitor network access, authenticate domains and flag suspicious activity is a good start. This should be coupled with comprehensive email protection designed to analyse and filter malicious messages before they hit the inbox. Processes to verify any changes to financial transactions are also a must, with requests verified via multiple factors and never solely by email. 
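The indicators described in the attack themes above (lookalike supplier domains for invoice fraud, free-mail addresses posing as employees for payroll redirects, Reply-To mismatches and "are you available?" openers for lure and task emails, and requests to change bank details) can be turned into simple mailbox triage rules. The following is an added example written for this article, not code from SecurityBrief, Proofpoint or any product the article mentions; the supplier domains, employee names, phrase lists and sample messages are all constructed for illustration, and the thresholds are assumptions a defender would tune to their own environment.

```python
"""Rule-based triage of inbound mail for business email compromise (BEC) indicators.

Added example, not part of the original article. Every list and message below is
constructed for illustration; replace them with your own supplier, employee and
provider data before use.
"""
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed allow-lists a defender would maintain (assumed values, not from the article).
TRUSTED_SUPPLIER_DOMAINS = {"acme-supplies.example", "northwind-freight.example"}
EMPLOYEE_DISPLAY_NAMES = {"jane smith", "raj patel"}
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
PAYMENT_CHANGE_PHRASES = ("bank details", "new account", "update our account", "payroll", "remittance")
URGENCY_PHRASES = ("urgent", "today", "before close", "asap", "quick favour", "are you available")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one swapped or dropped letter in a domain scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike_of(domain: str, trusted: set, max_distance: int = 2) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if exact or unrelated.
    max_distance=2 is an assumed threshold; short domains may need a tighter value."""
    for t in trusted:
        if domain != t and edit_distance(domain, t) <= max_distance:
            return t
    return None


def triage(headers: Dict[str, str], body: str) -> List[str]:
    """Return the BEC indicator names found in one message (empty list if none)."""
    findings = []
    display, from_addr = parseaddr(headers.get("From", ""))
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(reply_addr)

    # Lure and task emails often steer replies to a different mailbox.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    # Invoice fraud: sender domain one or two characters away from a real supplier.
    imitated = lookalike_of(from_domain, TRUSTED_SUPPLIER_DOMAINS)
    if imitated:
        findings.append("lookalike-supplier-domain:" + imitated)

    # Payroll redirect: free-mail account whose display name is a known employee.
    if from_domain in FREE_MAIL_DOMAINS and display.strip().lower() in EMPLOYEE_DISPLAY_NAMES:
        findings.append("freemail-employee-impersonation")

    text = body.lower()
    if any(p in text for p in PAYMENT_CHANGE_PHRASES):
        findings.append("payment-change-request")
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgency-cue")
    return findings


# Constructed sample messages, one per attack theme plus a benign control.
SAMPLE_MESSAGES = {
    "invoice": ({"From": "Acme Supplies Accounts <accounts@acme-suppiies.example>"},
                "Please note our bank details have changed. Remit today's invoice to the new account."),
    "payroll": ({"From": "Jane Smith <jane.smith.work@gmail.com>"},
                "Hi, I've changed banks. Can you update my payroll details before the next run? Thanks"),
    "lure": ({"From": "Raj Patel <raj.patel@corp.example>", "Reply-To": "rpatel.ceo@outlook.com"},
             "Are you available? I need a quick favour."),
    "benign": ({"From": "Acme Supplies Accounts <accounts@acme-supplies.example>"},
               "Attached is invoice 1042 for last month's order."),
}


def triage_all() -> Dict[str, List[str]]:
    """Run triage over every sample message and return findings keyed by sample name."""
    return {name: triage(hdrs, body) for name, (hdrs, body) in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, found in triage_all().items():
        print(f"{name:8s} -> {found or ['no indicators']}")
```

These rules complement, rather than replace, domain authentication: SPF, DKIM and DMARC stop exact spoofs of your own and your suppliers' domains, but they say nothing about a freshly registered lookalike domain or a genuine free-mail account, which is why the display-name and edit-distance checks exist. Any message that hits "payment-change-request" should route to the out-of-band verification process the article describes, never be acted on from the email alone.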

Most of all, however, your people must understand the threat they are facing. This means implementing a comprehensive, ongoing and adaptive security awareness training programme. The more aware your users are of the prevalence and potential consequences of BEC, the less likely they are to fall into the many traps laid by tenacious and opportunistic criminals. 

Proofpoint’s 2022 State of the Phish Report revealed 90% of Australian businesses faced BEC, phishing and email-based ransomware attacks in 2021. With the right tools and education, you can turn your users into a solid last line of defence against cyber-attacks. And with the threat of BEC continuing to rise, it’s a line of defence that will be sorely needed.