With all the recent focus on education and prevention of business email compromise (BEC) attacks, have the numbers gone down? Nope. In fact, the number of BEC attacks is significantly rising. 

As we learned in Part 1 of this series: The Evolution of BEC Phishing, the instances and the financial loss from BEC are growing every year–more than quadrupling from 2020 to 2021 with losses over $43 billion.

We also learned in our recently published Osterman Research whitepaper Defending the Enterprise: The Latest Trends and Tactics in BEC Attacks, organizations see the threat of BEC growing year on year and expect it to be twice as high as the threat of phishing in general.

Why is this happening? Let’s look at four (4) key drivers that are contributing to the rise and success of BEC attacks.

Success Breeds Success

Why is the number of BEC attacks rising so fast? The answer is simple—they work. A small taste of success is a huge driver to want more.

Imagine you’re fishing on a lake and getting a few bites, but the people fishing on the other side of the lake are pulling in large fish left and right, what do you do? You go fish on the other side of the lake! You inquire what kind of bait and lures they’re using. You evaluate their equipment. You note what kind of fish they’re catching. And you mimic everything you can to have the same success.

Similarly, fraudsters are part of a community. They share and brag about their conquests, while inquiring, watching, and adapting their attacks based on successes they see happening across the scamming community.

Motivation for continued and increased attacks is easy when hackers see even a little bit of success. They’re going to do whatever it takes to make the most money. And in the case of BEC scams, the lure of large transactions makes them very appealing. According to a 2021 FBI Report, successful BEC scams accounted for an average loss of more than $120,000 per incident.

According to the 2022 FBI Internet Crime Report (IC3), both complaints (21,832) and losses ($2.7 billion) from BEC increased compared to 2021. The average cost increased to $125,611 per incident. BEC represented 2.7% of complaints, and 26% of total crime losses.

Availability and Sophistication of BEC Tools

While the techniques utilized by fraudsters are becoming more and more sophisticated, the people launching the BEC attacks are often not particularly skilled or experienced. The tools have become so good that someone with little competence can launch elaborate attacks on a large scale.

Cyber-criminals heavily rely on phishing kits–widely available, ready-to-launch packages and services (some include technical support) that include essential tools such as:

• HTML templates, easily styled to match any corporate brand (style, images, social media, tone) with data entry forms and other tools
• Phishing scripts that direct all gathered data to the fraudster, with notations in the code where the attacker can enter their own details for where to send the stolen information. These scripts include authentication tokens and other resources to ensure the data can be quickly captured.
• Email and messaging templates, easily styled to match any corporate brand, style, and tone, along with features designed to bypass phishing software. These emails contain links to the fraudulent web page.
• Built-in tools to translate your fraudulent website in multiple languages
• Instructions for even the most novice users to fully implement an attack

If you’ve ever ordered IKEA furniture, you know how this works. You receive a package with all of the different pieces and tools. Just follow the basic instructions and you can put everything together in a short time.

There are even inexpensive phishing kits that are pre-designed to impersonate specific brands. You’ve probably seen these phishing emails, mimicking PayPal or Amazon, for example. And they cost less than you’d think. In 2021, many pre-designed kits were available for $50-$200 through the dark web and private Telegram channels. For a bit more money, fraudsters can purchase “phishing as a service”, where someone sets all of this up for you.

Easy Access to Data for Targeting & Credentials

At their core, BEC attacks are a form of phishing schemes—but not the typical “spray and pray” attacks. The ROI appeal of BEC has resulted in attackers moving toward more isolated, socially-engineered email attacks. 

As we’ve seen, credentials are readily available for purchase on the dark web. But hackers don’t even need to break out their (stolen) credit card to get the credentials needed to launch an attack, they can access the infamous Rockyou list with more than 8.4 billion entries for free. This process is further simplified due to the wealth of information about an organization and its employees/roles readily available on corporate websites, LinkedIn, and social media accounts:

• Hierarchy, including names and titles
• Vendors and Partners
• Clients
• Sponsors and Donors
• Legal Obligations
• Financial Information

Fraudsters have perfected their ability to take advantage of this information, while capitalizing on emotions and carelessness of the people they are targeting. 

It is common for fraudsters to target each industry based on what would appear as standard business processes. In one Real Estate industry incident we blogged about last September, for example, hackers used a financial template that is standard and familiar to all agents and inspectors to gather a wealth of sensitive documents and information. This was accomplished through a fraudulent link, which also enabled the fraudsters to steal login credentials. Once the hackers owned the agent/inspector accounts, they launched multiple BEC attacks.

ATO and BEC: A Brutal Cycle

Data breaches don’t always come from phishing attacks. They often start with credential stuffing attacks to gain direct access to an employee's Microsoft 365 or Google Workspace, a CRM account, or a Slack or Teams profile.

Once account credentials are identified, fraudsters are able to use that information to complete an Account Takeover (ATO), gaining full access and control of a legitimate business email account. Attackers then use this legitimate but compromised email account to commit BEC attacks in the form of internal phishing. The damage from these attacks compound as soon as the hacker starts using the compromised account to attack the business’s vendors and partners.  Even one or two compromised accounts within one organization make for easy vectors to successfully launch multiple BEC scams.

A successful attack on a business or ecommerce site often provides opportunity for wide-spread credential stuffing, as most people use the same username and password for all online accounts. These attacks typically occur multiple times before anyone notices. And the breached data is often still usable for several years.

BEC Attacks Remain a Significant Threat

While healthcare, manufacturing and financial institutions are the most heavily targeted, it really doesn’t matter how large or small your business is or what kind of work you do. Companies of all types and sizes are targets for BEC attacks.

Experts across the cybersecurity industry, and even the FBI, expect this trend to keep growing, emphasizing the importance of BEC prevention and protection. Let’s recap a few of the primary reasons why:

• Training - employee training alone isn’t enough. Even those that are trained continue to fail phishing tests at an alarming rate
• Availability of data - detailed, multi-layered corporate information readily available online makes it simple for hackers to narrow in on their targets
• Scalability - There are more techniques, tools, and methodologies available to attackers than ever before
• Ease of success - given the BEC tools available to hackers, it doesn’t take much skill, knowledge or training to be successful

There are a lot of solutions on the market that offer phishing protection, but only one combines AI and human insights into one platform to combat advanced phishing attacks like BEC, ATO, and VIP impersonation. Request a demo to learn more about how IRONSCALES protects enterprise organizations from advanced threats.