In a recent blog, we cited the FBI's Internet Crime Complaint Center (IC3) 2022 Internet Crime Report, which documented a steep rise in Business Email Compromise (BEC). The FBI recorded victims' adjusted losses of over $2.7 billion for the year across 21,832 BEC complaints, and noted that the scams are typically carried out by compromising legitimate business email accounts, through social engineering or computer intrusion, to conduct unauthorized transfers of funds.
In this blog, we'll look at five types of BEC attacks described by the FBI: bogus invoice schemes, CEO fraud, account compromise, attorney impersonation, and data exfiltration. We'll illustrate each with a real incident, and we'll end with some ways to prevent BEC attacks.
Bogus Invoice Schemes
In a bogus invoice scheme, cybercriminals impersonate a vendor and request that a payment be sent to an account they control. Often the attacker first takes over the email account of an employee who processes invoice payments and fund transfers, then uses it to send payment requests for invoices that don't exist, or for real invoices with the bank details altered.
A new fake invoice phishing scheme surfaced just in time for the 2023 tax season: the threat actors create a free QuickBooks account and use it to send fake invoices, according to an article by Edward Gately for Informa Tech. In this attack, “hackers send a fake invoice from a legitimate QuickBooks domain. This email comes directly from QuickBooks and has a QuickBooks email address. It will pass all standard email authentication checks, domain checks and more. There’s nothing inherently wrong with the text and no malicious links.” Our own CEO Patrick Harr notes in the article, “Hackers use SharePoint, OneDrive, Amazon Web Services (AWS), HubSpot, QuickBooks and PayPal to deliver attacks because they are coming from trusted domains, and this increases the likelihood they will bypass traditional email technology that relies on blocklist and domain reputation. Plus, it will look legitimate to employees with security training.” The security-relevant point is that SPF, DKIM and DMARC only establish that a message really came from the domain it claims; they say nothing about whether the account holder on that platform is the vendor you think it is.
Another fake-invoice BEC attack was recently launched against a large technology company (name withheld). The attackers posed as executives and emailed employees asking them to wire money to a fraudulent account. The emails were convincing, and several employees wired money before the company realized what was happening. The total loss was over $1 million.
The attackers succeeded because they spoofed the executives' email addresses, so the messages appeared legitimate and raised no suspicion. They also used spear phishing, tailoring each email to its recipient's role and interests, which made it more likely that employees would open the messages and act on them.
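To make the difference between these two cases concrete, here is an added Python example (not SlashNext code, and not taken from either incident) that evaluates DMARC identifier alignment the way a receiving mail server does. All domains, header values and message bodies in it are constructed. The first message spoofs an executive's From: address from an attacker-controlled server: SPF and DKIM both pass for the attacker's own domain, but neither identifier aligns with the From: domain, so a p=reject policy blocks it. The second is an invoice sent from a free account on a legitimate invoicing platform, as in the QuickBooks case above: everything aligns, DMARC passes, and only a content-level check (a Reply-To pointing elsewhere, a request to change bank details) offers a signal. The `org_domain` approximation and the `payment_redirect_indicators` heuristic are simplifications for illustration, not a production detector.

```python
"""
DMARC alignment evaluation for two message shapes discussed above:
a spoofed executive From: address that fails alignment, and an invoice
relayed by a legitimate platform that passes it. Added example, not
SlashNext code; all domains and header values are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class MessageAuth:
    """What a receiving MTA knows after its SPF and DKIM checks."""
    header_from: str                 # domain of the RFC 5322 From: header
    envelope_from: str               # domain SPF was evaluated against (MAIL FROM)
    spf_result: str                  # "pass", "fail" or "none"
    dkim_pass_domains: list = field(default_factory=list)  # d= of verified signatures
    reply_to: str = ""               # domain of Reply-To:, if present
    body: str = ""


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels.
    Production code must use the Public Suffix List (co.uk etc.)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(candidate: str, header_from: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' strict (exact), 'r' relaxed (same org domain)."""
    if mode == "s":
        return candidate.lower() == header_from.lower()
    return org_domain(candidate) == org_domain(header_from)


def evaluate_dmarc(m: MessageAuth, policy: str = "reject",
                   aspf: str = "r", adkim: str = "r") -> dict:
    """Return the DMARC verdict and disposition for a message.

    DMARC passes when SPF or DKIM passes *and* the passing identifier
    aligns with the From: domain; the p= policy applies only on failure.
    """
    spf_aligned = m.spf_result == "pass" and aligned(m.envelope_from, m.header_from, aspf)
    dkim_aligned = any(aligned(d, m.header_from, adkim) for d in m.dkim_pass_domains)
    passed = spf_aligned or dkim_aligned
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
    }


BANK_CHANGE_PHRASES = ("updated bank", "new account", "new banking", "changed our bank")


def payment_redirect_indicators(m: MessageAuth) -> list:
    """Content-level checks for a message that already passed DMARC.
    Heuristic, added for illustration; not a complete BEC detector."""
    findings = []
    if m.reply_to and org_domain(m.reply_to) != org_domain(m.header_from):
        findings.append(f"reply-to {m.reply_to} does not match From domain {m.header_from}")
    if any(p in m.body.lower() for p in BANK_CHANGE_PHRASES):
        findings.append("body requests a change of payment destination")
    return findings


# Case 1 (constructed): attacker spoofs the CEO's address at corp.example but
# sends through their own server. SPF passes for the attacker's envelope
# domain and DKIM is signed by it, but neither identifier aligns with From:.
SPOOFED_EXEC = MessageAuth(
    header_from="corp.example",
    envelope_from="mailer.attacker.example",
    spf_result="pass",
    dkim_pass_domains=["mailer.attacker.example"],
    body="Please wire $48,000 to the attached account today, I am in a meeting.",
)

# Case 2 (constructed): a fake invoice sent from a free account on a real
# invoicing platform. Everything aligns, so DMARC passes; only the
# Reply-To and the body give it away.
PLATFORM_INVOICE = MessageAuth(
    header_from="invoices.billing-platform.example",
    envelope_from="bounce.billing-platform.example",
    spf_result="pass",
    dkim_pass_domains=["billing-platform.example"],
    reply_to="accounts.attacker.example",
    body="Invoice #4471 is overdue. Note our updated bank details below.",
)

if __name__ == "__main__":
    for name, msg in (("spoofed exec", SPOOFED_EXEC), ("platform invoice", PLATFORM_INVOICE)):
        print(name, evaluate_dmarc(msg), payment_redirect_indicators(msg))
```

Run as a script it prints `fail`/`reject` for the spoofed executive and `pass`/`none` for the platform invoice, with two content findings on the latter and none on the former: the authentication layer and the content layer catch different attacks, which is why neither alone is enough.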
CEO Fraud
In CEO fraud, the cybercriminal takes over or spoofs the email account of the CEO or another C-suite executive and uses it to pressure employees into giving up money or sensitive information. For example, the attacker might email an employee in finance asking them to wire money to a supplier, or to send over confidential records.
Bleeping Computer reported a couple of months ago that Europol had busted a CEO fraud gang that stole $40.3 million within a few days, moving the money through Europe and China and finally to Israel, where it was cashed out. The cybercriminals, who were eventually caught, impersonated CEOs to target employees in finance departments and tricked them into making payments to bank accounts under the gang's control.
Account Compromise
Account compromise attacks are also known as account takeover (ATO) attacks. In an ATO, the attacker gains control of an employee's actual email account and sends payment requests from that legitimate address to the contacts in it, so the messages pass every sender check and the payments go to the cybercriminal's bank account instead of the real vendor. The attacker might also use the account to ask other employees for money or for confidential information.
A few months ago, cybercriminals “drained” about $300,000 from DraftKings customer accounts using credential stuffing, according to an article in DarkReading by Managing Editor Tara Seals. Credential stuffing is a technique in which login credentials gathered from earlier breaches are replayed in automated attacks against other sites, leading to ATO. Because people often reuse the same username and password from site to site, this type of attack succeeds about five percent of the time. According to the article, DraftKings rival FanDuel was also seeing more account takeover attempts against its customers.
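Credential stuffing has a recognizable shape in authentication logs: one source tries many different accounts, each only once or twice, and most attempts fail. The following added Python example (not SlashNext or DraftKings code) parses a small set of constructed log lines and flags sources matching that pattern, distinguishing it from a brute-force attack on a single account, which would show many attempts per user. The log format, thresholds and IP addresses are assumptions chosen for illustration.

```python
"""
Credential-stuffing detection over authentication logs: one source IP
cycling through many distinct usernames with mostly failures. Added
example, not SlashNext or DraftKings code; the log lines are constructed.
"""
import re
from collections import defaultdict

# Constructed log lines in an assumed "timestamp ip user result" format.
LOG_LINES = """\
2023-02-01T10:00:01Z 203.0.113.7 alice.w FAIL
2023-02-01T10:00:01Z 203.0.113.7 bob.k FAIL
2023-02-01T10:00:02Z 203.0.113.7 carol.m FAIL
2023-02-01T10:00:02Z 203.0.113.7 dan.r SUCCESS
2023-02-01T10:00:03Z 203.0.113.7 erin.t FAIL
2023-02-01T10:00:03Z 203.0.113.7 frank.o FAIL
2023-02-01T10:00:04Z 203.0.113.7 gina.p FAIL
2023-02-01T10:00:04Z 203.0.113.7 hal.s FAIL
2023-02-01T10:00:05Z 203.0.113.7 ivy.u SUCCESS
2023-02-01T10:00:05Z 203.0.113.7 jon.v FAIL
2023-02-01T10:00:06Z 198.51.100.20 alice.w FAIL
2023-02-01T10:00:09Z 198.51.100.20 alice.w FAIL
2023-02-01T10:00:15Z 198.51.100.20 alice.w SUCCESS
2023-02-01T10:01:00Z 192.0.2.44 bob.k SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<result>SUCCESS|FAIL)$"
)


def parse(lines: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def stuffing_sources(lines: str, min_users: int = 5,
                     max_attempts_per_user: float = 2.0,
                     min_fail_ratio: float = 0.5) -> dict:
    """Return source IPs whose login pattern matches credential stuffing.

    Stuffing differs from brute force of one account: each leaked credential
    pair is tried once or twice, across many accounts, and most attempts fail.
    The returned record lists the accounts that *succeeded*, because those are
    the ones now taken over and in need of a forced reset.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": set()})
    for ev in parse(lines):
        s = per_ip[ev["ip"]]
        s["users"].add(ev["user"])
        s["attempts"] += 1
        if ev["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].add(ev["user"])

    flagged = {}
    for ip, s in per_ip.items():
        n_users = len(s["users"])
        if n_users < min_users:
            continue                                  # too few accounts to be stuffing
        if s["attempts"] / n_users > max_attempts_per_user:
            continue                                  # many tries per account: brute force
        fail_ratio = s["fails"] / s["attempts"]
        if fail_ratio < min_fail_ratio:
            continue                                  # mostly succeeding: likely a shared NAT
        flagged[ip] = {
            "users_tried": n_users,
            "fail_ratio": round(fail_ratio, 2),
            "compromised": sorted(s["hits"]),
        }
    return flagged


if __name__ == "__main__":
    for ip, rec in stuffing_sources(LOG_LINES).items():
        print(ip, rec)
```

On the constructed input only 203.0.113.7 is flagged: ten distinct users in five seconds, eight failures, and two accounts (dan.r and ivy.u) that accepted a reused password. The repeated failures from 198.51.100.20 against a single account are a different pattern (a user mistyping, or a targeted guess) and are deliberately not reported here.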
Attorney Impersonation
In attorney impersonation, cybercriminals pose as a lawyer and make fraudulent requests for confidential information or payment. The attacker might claim to be a client's attorney involved in a legal dispute and ask the employee for financial records or passwords. Any such request should be verified out of band with the firm, using contact details already on file rather than those supplied in the email.
At the end of last year, a BEC cybercrime group impersonated global law firms to trick recipients into approving and paying overdue fake invoices. The threat actors first sent emails impersonating real attorneys at legitimate law firms and referenced the overdue payments. The group spoofed senders using email addresses hosted on domains that resembled the real domains of the law firms, which added “legitimacy to the scams.” After the victims responded, the group replied with payment account details in PDF invoices, which included potentially altered versions of the legitimate invoices used by the impersonated attorneys. In 2022, the group was linked to 92 malicious domains impersonating 19 law firms and debt collection agencies across the United States, U.K. and Australia.
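Domains that "resemble" a real law firm's domain are detectable before any invoice is paid, provided you keep a list of the counterparties you actually deal with. The added Python example below (not SlashNext code, and not the reported group's infrastructure; every domain in it is constructed) classifies a sender domain against a known list by checking for exact and subdomain matches, homoglyph substitutions such as `1` for `l`, a known name embedded with an added prefix or suffix, and small edit distances. The `registrable_label` helper and the confusable table are simplifications for illustration; a production check would use the Public Suffix List and a full Unicode confusables table.

```python
"""
Lookalike-domain check of the kind that would catch spoofed law-firm
sender domains. Added example, not SlashNext code; all domains and the
known-counterparty list are constructed for illustration.
"""
import unicodedata

# Assumed allow-list of counterparties the finance team actually works with.
KNOWN_DOMAINS = ["smithlegal.example", "harrisonlaw.example", "debtrecoverypartners.example"]

# Common visual substitutions; applied to both sides before comparison.
# Multi-character pairs go first so "rn" becomes "m" before single letters.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("8", "b"))


def registrable_label(domain: str) -> str:
    """The label just left of the TLD, e.g. 'smithlegal' for 'x.smithlegal.example'.
    Approximation; real code must consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label: str) -> str:
    """Fold Unicode compatibility forms and common confusables."""
    label = unicodedata.normalize("NFKC", label).lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, known=KNOWN_DOMAINS, max_distance: int = 2) -> dict:
    """Classify a sender domain as known, lookalike or unrelated."""
    candidate = candidate.lower().rstrip(".")
    for k in known:
        if candidate == k or candidate.endswith("." + k):
            return {"verdict": "known", "matches": k, "reason": "exact or subdomain match"}

    cand_label = normalize(registrable_label(candidate))
    # Pass 1: identical after confusable folding, or the same name on another TLD.
    for k in known:
        if cand_label == normalize(registrable_label(k)):
            return {"verdict": "lookalike", "matches": k,
                    "reason": "same name after homoglyph normalization or swapped TLD"}
    # Pass 2: known name with an affix, or within a small edit distance.
    for k in known:
        k_label = normalize(registrable_label(k))
        if k_label in cand_label:
            return {"verdict": "lookalike", "matches": k,
                    "reason": "known name with added prefix or suffix"}
        d = levenshtein(cand_label, k_label)
        if d <= max_distance:
            return {"verdict": "lookalike", "matches": k, "reason": f"edit distance {d}"}
    return {"verdict": "unrelated", "matches": None, "reason": "no close match"}


if __name__ == "__main__":
    for dom in ("smithlegal.example", "billing.smithlegal.example", "smith-legal.example",
                "smithlega1.example", "harrisonlaw-invoices.example", "unrelatedvendor.example"):
        print(dom, classify(dom))
```

A "lookalike" verdict should block or quarantine the message and, for an invoice, trigger a callback to the firm on a number already on file. Note that the check runs on the domain alone; it deliberately does not depend on SPF or DKIM, because the group in the case above controlled these domains outright and could configure both correctly.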
Data Exfiltration
Data exfiltration is also referred to as data theft by the FBI. In this type of attack, Human Resources or Accounts Payable employees are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives, which are then used in future attacks. The threat actor typically gains access to an employee's email account and uses it to steal confidential information such as financial records, customer lists, or intellectual property.
Toward the end of last year, Ravie Lakshmanan of The Hacker News wrote that LastPass had disclosed a severe data breach in which threat actors obtained encrypted password vault data. A LastPass engineer's personal computer had been hacked and infected with a keylogger as part of a “sustained” attack that exfiltrated sensitive data from the company's Amazon AWS cloud storage. “The intrusion targeted the company’s infrastructure, resources, and the engineer for three months.” The earlier August 2022 breach had given intruders access to source code and proprietary technical information from the LastPass development environment through a single compromised employee account.
Preventing BEC Attacks and Fighting AI Cyberthreats With AI Cybersecurity
Business Email Compromise attacks can be extremely costly for businesses. As noted at the start of this blog, the FBI reported that businesses lost over $2.7 billion to BEC attacks last year.
Cybercriminals are now using generative AI, artificial intelligence that produces fluent text, images, audio and other content on demand, to write and vary the lures used in BEC campaigns.
SlashNext fights AI cyberthreats with AI cybersecurity technology to beat these malicious threat actors. We’ve been developing natural-language generative AI technology for a year and a half in anticipation of these types of BEC threats.
Generative AI technologies can predict millions of new variants of the threats that might enter an organization, and SlashNext HumanAI™ is the only way to counteract these AI attacks to close the security gap and vulnerabilities created by this dangerous trend. SlashNext HumanAI adds augmented AI and behavioral contextualization to computer vision and natural language processing (NLP) to detect BEC in email and mobile with unprecedented predictability.
Schedule a Demo or Test Your Security Efficacy in Observability Mode
To see a personalized demo and learn how our product stops BEC, click here to schedule a demo or easily test the efficacy of your current email security with no impact to your existing email infrastructure using our 5-min setup Observability Mode.