Why the fast-mutating BEC fraud is as common and costly as ever

Neil Meikle
August 2020
Part one in our series on business email compromise

Business email compromise (BEC) is a widespread and costly type of cyber attack that has surged in recent years. In this regular, bite-sized series, we look at the scale of the problem, the rapid rise in account takeover attacks on the Microsoft 365 platform, how investigations of these attacks are changing, and what all of this means to businesses, their cyber insurers and their legal representatives.

The next article in this series is Easy prey: BEC fraud at an industrial scale.

A damaging form of cybercrime

Business email compromise has been on the rise for many years, not just in the number of cases but also in cost. Research carried out in 2019 found that 29% of organisations being monitored had their Microsoft 365 accounts infiltrated, and earlier this year Hiscox’s fourth Cyber Readiness report placed it as the second most common type of breach at 21%, with viruses and worms at 23% and ransomware at 19%. The FBI's 2019 Internet Crime Report found it to be, on average, the most financially costly category of cyber attack (with losses of $676 million in 2017 rising to $1.7 billion in 2019). As a recent example, a fraudster was sentenced to five years in prison for a BEC scam that extracted $23 million from Google in 2013 and $98 million from Facebook in 2015. As well as the direct costs of the fraudulent fund transfers themselves, organisations and their insurers often need to contend with the additional costs of forensic investigations and eDiscovery, and the costs of notifying data privacy regulators that a data breach has occurred.

How does it work?

BEC is a category of fraud that was initially best known for the CEO impersonation scheme. Here’s how it works. First the threat actor carries out some initial reconnaissance from public sources, building an understanding of the individuals they are targeting such as company executives. Next, they send an email to their primary target purporting to be from an executive, which according to a study of 3,000 attacks is the CEO in the majority of cases (42.9%). The message looks legitimate to the recipient, often making use of email spoofing or minor variations of a legitimate address, and the request for payment is plausible and is often accompanied by an element of time pressure.

More recently, these relatively low tech attacks have evolved into a much broader set of scams. Cybercriminals can use the same techniques to target an organisation’s supply chain, payroll process, or trusted third parties such as legal representatives. But things really get interesting when cybercriminals mount an attack with the aim of taking control of an email account and then impersonating the owner, using their identity to carry out various kinds of fraudulent activity. Once a threat actor has control of an account, there is a lot they can do with the mailbox and the data that is available to them. As well as facilitating fraudulent transactions, they can send malicious and spam emails (potentially primed with malware) or carry out reconnaissance of the business before mounting a more sophisticated attack. They can download the files stored on cloud storage services such as OneDrive as well as the user’s entire mailbox, and then extract personal data and confidential corporate information (which can be used for identity theft, intellectual property theft or fraud). The threat actor also has the ability to reset passwords of any of the connected accounts that are registered to the email address, taking full control of those as well.

How do threat actors execute these account takeover attacks (also referred to as ATO and email hijacking)? We’ve already touched on email spoofing and social engineering, but threat actors have an array of other techniques at their disposal including phishing emails, keystroke logging using malware, brute force attacks, and using leaked account credentials from data breaches – and if any one of these is successful, the reputational and financial damage can be severe.
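The spoofing and lookalike-address tricks described above are exactly what a mail gateway or SOC rule should be looking for on inbound messages. The following is an added example, not code from the original article or from Asceris: it takes a `From:` header (and optionally a `Reply-To:` header), compares the sender against a constructed organisation domain and a constructed executive directory, and flags the three patterns a CEO-impersonation email typically shows: a lookalike domain, an executive's display name attached to an outside address, and a `Reply-To:` that diverts replies elsewhere. `ORG_DOMAIN`, `EXECUTIVES` and all sample headers are assumptions for the example.

```python
"""Flag CEO-impersonation patterns from email headers (added example).

Assumptions (constructed for the example, not from the article):
  - the organisation's real domain is ORG_DOMAIN
  - EXECUTIVES maps executive display names to their real addresses
"""
import unicodedata
from email.utils import parseaddr
from typing import List, Optional

ORG_DOMAIN = "example.com"                            # assumed real domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}     # constructed directory

# Characters commonly substituted to build a lookalike domain.
_CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def _levenshtein(a: str, b: str) -> int:
    """Standard edit distance; used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _skeleton(domain: str) -> str:
    """Normalise a domain so visually similar spellings collapse to one form."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for bad, good in _CONFUSABLES.items():
        text = text.replace(bad, good)
    return text


def _domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str, reply_to: Optional[str] = None) -> List[str]:
    """Return the impersonation indicators found in the headers (empty if none)."""
    findings: List[str] = []
    name, addr = parseaddr(from_header)
    domain = _domain_of(addr)

    # 1. Sender domain is not ours but looks like ours (homoglyph or typo-squat).
    if domain and domain != ORG_DOMAIN:
        if _skeleton(domain) == _skeleton(ORG_DOMAIN) or _levenshtein(domain, ORG_DOMAIN) <= 2:
            findings.append("lookalike-domain")

    # 2. A known executive's display name on an address that is not theirs
    #    (covers free webmail accounts as well as lookalike domains).
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name].lower():
        findings.append("display-name-impersonation")

    # 3. Reply-To points somewhere other than the From domain, so the victim's
    #    answer goes to the fraudster even when From looks right.
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr and _domain_of(reply_addr) != domain:
            findings.append("reply-to-mismatch")

    return findings


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    samples = [
        ("Jane Doe <jane.doe@example.com>", None),
        ("Jane Doe <jane.doe@examp1e.com>", None),
        ("Jane Doe <ceo.urgent@gmail.com>", None),
        ("Jane Doe <jane.doe@example.com>", "jane.doe@example-mail.co"),
    ]
    for frm, rt in samples:
        print(f"{frm!r:45} reply-to={rt!r:30} -> {classify_sender(frm, rt)}")
```

The skeleton comparison is deliberately coarse: it is meant to surface candidates for a human or a second rule to review, not to block mail on its own. A production rule would combine these indicators with the message's authentication results (SPF, DKIM and DMARC) and with whether the organisation has ever corresponded with that sender before.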

Pivoting to the cloud

The COVID-19 pandemic has presented cyber criminals with new opportunities for carrying out BEC fraud. Take for example the FBI’s warning in mid-April that scammers were using familiar BEC techniques in the context of the procurement of personal protective equipment and medical equipment. But more significantly, the unprecedented move to remote working driven by the COVID-19 pandemic has created a greater reliance than ever on cloud services, accelerating a trend that was already well advanced. As businesses have migrated from on-premise email to cloud platforms, there has been a significant change in the behaviour of threat actors.

Microsoft 365 (previously known as Office 365) is the target of the vast majority of account takeover attacks. But why are threat actors singling it out? First, it’s a very popular platform – a 2019 report calculated an adoption rate of 79%, based on a sample of approximately 138,000 companies. That presents criminal groups with a seemingly never-ending list of potential victims to target. Second, it has become a very lucrative target for the discerning cyber criminal because many organisations aren’t getting the cyber security basics right, which we’ll delve into in detail in a future article.

Coming up next

In the next part of this series, we explore why every organisation with a presence on Microsoft 365 should care about account takeover attempts. We’ll run through some of the most shocking statistics, including the fact that every month 0.5% of Microsoft 365’s enterprise accounts are compromised.

Find out more

Asceris’ business email compromise investigations combine the hands-on experience of our incident response specialists with our custom-built technology, enabling our customers and their insurers to respond quickly and with confidence. Our services leverage extensive automation, advanced analytics, automatic risk scoring, best in class IP address geolocation, external data feeds and intuitive reports, enabling us to uncover evidence rapidly from a wide range of data sources.

If you are the target of an active business email compromise attack, please request emergency assistance immediately.

Asceris offers a proactive risk assessment for Microsoft 365 environments to our cyber insurance partners and their customers. Our report presents environment-level risks and user-level risks that are based on our experience of responding to Microsoft 365 business email compromise incidents.

To find out more about any of our services, please contact us. To start a conversation or to report any errors or omissions, please feel free to contact the author directly.

Neil Meikle
Neil is Asceris' Chief Technology Officer. Over the last 19 years, he has delivered a variety of large multi-jurisdictional investigations and has spoken frequently at conferences on technology-related subjects. He maintains deep hands-on expertise in a wide range of technical subjects including digital forensics, cyber incident response, forensic data analytics, machine learning and artificial intelligence.

About Asceris

Our mission at Asceris is to reduce the financial and business impact of cyber incidents and other adverse events. By understanding the cost drivers of claims and addressing these proactively through automation and continuous process refinement, we are able to deliver high quality incident response services in close collaboration with our industry partners.

Follow us on LinkedIn or subscribe to our RSS feed to make sure you don’t miss our next article.
