Business email compromise (BEC) is surging, with recent figures showing the cyber attack method is more prevalent than ransomware. BEC-related financial losses spiked by 17% between December 2021 and 2022, according to Cloudflare’s 2023 Phishing Threats Report. The authors note that adversaries are increasingly leaning on the attack method to target organizations.
BEC is a form of phishing that sees attackers impersonate a firm’s CEO, vendors or customers in order to extort cash. It’s been around for years, but technology such as artificial intelligence (AI) is helping to make BEC attacks more convincing and sophisticated.
Voice deepfakes, which let attackers pose as trusted figures such as a CEO, are a growing concern, and generative AI systems such as ChatGPT have become increasingly accessible. So what is BEC, why is it growing, and how can firms spot and mitigate attacks?
BEC vs phishing: How is it used in attacks?
In BEC attacks, an adversary alters a victim’s payment details or requests unauthorized transactions in the hope the victim will send money to the attacker’s account. Del Heppenstall, partner and head of cyber at KPMG in the UK, says the firm has observed some businesses losing “millions” to this type of attack.
Adam Pilton, senior cyber security consultant at CyberSmart, previously worked as a detective on the cyber crime team at Dorset Police. He cites the example of a BEC attack on a small business in the manufacturing industry, which received an invoice from a supplier.
“It looked identical to a genuine invoice that they had seen hundreds of times before and was relatively low in value – approximately £4,000 (approximately $4,900). The only difference was the bank account details had been changed from the genuine invoice template. This was not the company the recipient had dealt with hundreds of times before, but a criminal impersonating them.”
BEC scams often involve exploiting individuals in financial roles, says Joe Stewart, principal security researcher with eSentire’s security research team, the Threat Response Unit. “This subtle deception is marked by the modification of genuine business emails rather than mass phishing campaigns, which makes detection far more challenging.”
BEC doesn’t always necessitate sophisticated techniques, says Stewart. “Simple email manipulations can often suffice over the use of complex malware. In essence, the strength of BEC lies in its leverage of the human element, which is what makes it both effective and profitable.”
Once adversaries have stolen the money, it can be immediately siphoned away, says Alex Hinchliffe, threat intelligence analyst at Unit 42, Palo Alto Networks. “Compare this to ransomware attacks, where the cyber gang must put in a huge amount of extra energy to extort victims: BEC is a much more efficient operation.”
How long has BEC been a threat?
BEC has been around for many years. Although its origin is difficult to pinpoint, experts say scams targeting businesses and organizations have been around since the early days of email. The FBI started tracking “emerging financial cyber threats” in 2013, calling them “business email compromises”, says Matt Cooke, cyber security strategist at Proofpoint.
BEC attacks are difficult to detect because they don’t use malware or malicious URLs, which standard cyber defenses can catch, says Cooke. “Instead, they lean on impersonation and social engineering to deceive people into unwittingly engaging with the attacker.”
AI capabilities, especially tools such as ChatGPT, have lowered the bar for sophisticated BEC attacks, says David Warshavski, VP enterprise security at Sygnia. “Threat actors, especially those that are not fluent in the English language, can use ChatGPT-like tools to launch increasingly complex phishing campaigns. It is astonishingly easy to create such deepfakes with just internet access and a few bucks.”
He cites the example of an attack in which the voice of a CEO was faked using a publicly available voice generator tool that creates “avatars” for marketing campaigns. An audio message was sent to the CFO of the target company from an unknown number, but the attack was flagged. “Despite the fact that the fake voice highly resembled the original, the CFO was quick to realize something was wrong and immediately reached out to his CEO,” says Warshavski.
AI scammers can easily gather personal details from LinkedIn or company websites to make their fake emails seem more real. AI can also study how a person usually writes their emails and copy their style, says Stewart.
In the future, AI “will undoubtedly be used” to simplify the creation of fraudulent invoices and conduct reconnaissance on businesses and individual targets, says Pilton. “While deepfakes have already demonstrated the capacity to replicate voices and faces convincingly, AI's potential in analysing and mimicking communication patterns introduces a new dimension.”
At the same time, BEC attacks will become more “automated and scalable” through the use of AI, says Hinchliffe.
How to identify and mitigate BEC attacks
There are several steps businesses can take to protect themselves and mitigate BEC attacks. First, firms can study the emails they receive. “Look for slight changes in email addresses; check if payment details on invoices have mismatched fonts or point to unrelated business names,” says Stewart.
Meanwhile, monitor for suspicious email redirect rules that send certain emails to third-party systems, says Stewart. He also advises being wary of pressure tactics or discounts offered for immediate payment.
To help mitigate attacks, Will Richmond-Coggan, a litigator at national law firm Freeths, advises adopting good password discipline, two-factor authentication (2FA) and “appropriate tools to guard against hacking of those accounts”.
Overall, he says the best defense is having robust policies in place. “Sometimes these safeguards will be time-consuming, so it is also important to instil a culture throughout the organization of understanding the risks BEC attacks can pose.”
Successful BEC depends on social engineering, so employee training “is a must”, says Hinchliffe. “Run some internal phishing awareness testing with supportive feedback on any slip-ups. Also, consider how training is tailored for your sales and finance functions. For example, training that ensures all wire transfer requests are validated using verified and established points of contact for suppliers, vendors, and partners.”
At the same time, perform regular checks of mail server configurations, employee mail settings and connection logs, says Hinchliffe.
There are tools that can detect AI-based attacks, he says, but at the same time firms can help thwart attacks by limiting their data exposure. “Reduce the amount of publicly available information about executives and company operations. The less data cyber criminals have to feed their AI, the less effective their impersonation attempts will be.”
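The checks described above (near-miss sender domains, changed payment details on an invoice, and mailbox rules that forward mail outside the company) as a small triage script. This is an added example, not code from the article or from any of the firms quoted; the vendor records, addresses and forwarding rules are constructed for illustration.

```python
"""Added example (not from the article): defender-side checks for three BEC
indicators the article describes: a sender domain that is a near-miss of a
known vendor domain, invoice bank details that differ from the vendor's record,
and mailbox rules that auto-forward mail outside the company.
The vendor records, addresses and rules below are constructed for illustration."""

INTERNAL_DOMAIN = "ourcompany.example"  # constructed
VENDORS = {  # constructed vendor master data: domain -> bank account on file
    "acme-supplies.example": "GB12BANK00000012345678",
    "northwind.example": "GB98BANK00000087654321",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def lookalike_vendor_domain(sender: str, max_dist: int = 2):
    """Return the vendor domain the sender imitates (close but inexact match), else None."""
    domain = sender_domain(sender)
    if domain in VENDORS:
        return None  # exact match: the genuine vendor domain
    return next((v for v in VENDORS if edit_distance(domain, v) <= max_dist), None)

def triage_invoice(sender: str, invoice_account: str) -> list:
    """Findings for an incoming invoice: lookalike sender and/or changed bank details."""
    findings = []
    imitated = lookalike_vendor_domain(sender)
    if imitated:
        findings.append(f"sender domain {sender_domain(sender)!r} resembles vendor {imitated!r}")
    # Compare against the record of the vendor being imitated, or the real sender's vendor.
    expected = VENDORS.get(imitated or sender_domain(sender))
    if expected is not None and invoice_account != expected:
        findings.append("bank account on invoice differs from vendor record; verify out of band")
    return findings

def external_forwarding_rules(rules: list) -> list:
    """rules: (mailbox, forward_to) pairs exported from mailbox settings.
    Returns the rules that forward mail to a domain other than the company's own."""
    return [(m, to) for m, to in rules if sender_domain(to) != INTERNAL_DOMAIN]
```

An invoice from the genuine vendor domain with a changed account number still produces a finding, which is the case in the manufacturing-firm example where only the bank details had been altered.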
Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.