Fraudulent money transfers are top aim of business email compromise

Tricking recipients into transferring money into accounts controlled by cyber criminals is the top objective of business email compromise (BEC) attacks, a study shows.

The second most popular objective is to get the recipient to click on a malicious link aimed at stealing information or spreading malware, according to an analysis of more than 3,000 BEC attacks by Barracuda Networks.

BEC attacks are also known as whaling or CEO fraud because attackers typically compromise the email accounts of CEOs and other top executives so those accounts can be used to send messages to more junior staff members, tricking them into taking some action by impersonating the email account holder.

This tactic is extremely effective in manipulating employees as well as partners and customers of targeted businesses because few organisations have processes in place for checking or verifying instructions ostensibly received from a top executive in an email message sent from a genuine account.

In most cases, cyber criminals focus efforts on employees with access to company finances or payroll data and other personally identifiable information (PII).

The study shows that PII is another top target for BEC attackers, accounting for 12.2% of the attacks studied. Another 12.2% were aimed at establishing a rapport with recipients, which in most cases was followed up with a request for a money transfer.

The effectiveness of this attack method has made it extremely popular with cyber criminals, as is indicated by an 80% increase in the number of BEC attacks in the second quarter of 2018 compared with the first quarter, according to a recent report by email management firm Mimecast.

The Barracuda study reveals that in 46.9% of the cases studied, the objective was to trick employees into transferring company money into accounts controlled by the attackers, while in 40.1% of the cases, the aim was to trick them into clicking on a malicious link.

According to Barracuda, email is the top threat vector facing organisations due to the growing number of email-related threats, which include ransomware, banking trojans, phishing, social engineering, information-stealing malware and spam, as well as BEC attacks.

Four out of five organisations (80%) have faced an email-based cyber attack in the past year, a recent survey by Barracuda found, and 73% of IT security professionals polled said the frequency of such attacks is increasing.

“An important observation is that about 60% of BEC attacks do not involve a link,” said Asaf Cidon, vice-president of content security services at Barracuda Networks. “The attack is simply a plain text email intended to fool the recipient to commit a wire transfer or send sensitive information.

“These plain text emails are especially difficult for existing email security systems, because they are often sent from legitimate email accounts, tailored to each recipient, and do not contain any suspicious links,” Cidon wrote in a blog post.

Not surprisingly, the analysis shows that CEO email accounts are the most commonly impersonated (42.95%), followed by other C-level account holders (4.5%), including the CFO (2.2%), and people in the HR and finance departments (2.2%).

CFOs are among the top recipients of BEC emails, representing 16.9% of recipients in the attacks studied, on a par with the finance and HR departments in general and compared with 10.2% received by other C-level execs.

However, the analysis shows that most recipients of BEC emails are in more junior roles, with 53.7% holding roles outside the C-level, underlining the need for regular, ongoing user awareness training.  

“Employees should be regularly trained and tested to increase their security awareness of various targeted attacks,” said Cidon.

Barracuda also recommends that:

• Money transfers should never go out without an in-person conversation or phone call.
• Businesses should implement a training program that teaches users how to spot a BEC attack, and use that program to continually train and test them on updated techniques.
• Businesses deploy an email protection system to stop spear phishing and cyber fraud attacks automatically before they can lead to a successful BEC scam.