Highlights:
- Avanan, a Check Point Company, sees a spike in emails impersonating legitimate firms and services in the past 2 months, February and March 2023
- PayPal and Google are the most impersonated services in these attacks
- Users are advised to remain cautious and be aware of links within any email, including those coming from known vendors and services
Email is the leading deliverer of malware
In our latest 2023 cyber security report, we reported that the proportion of email-delivered attacks (compared to web-based attacks) has increased, reaching a staggering record of 86% of all file-based in-the-wild attacks. Data shows an increase in the use of various archive file formats, as threat actors attempt to conceal malicious payloads.
Business email compromise (BEC) is a specific type of phishing attack, a spear phishing attack to be precise, whose objective is to trick employees into taking harmful actions, typically sending money to the attacker. BEC is one of the most damaging and expensive types of phishing attacks in existence. While ransomware tends to attract more notoriety, the FBI reported that BEC-related scams totaled $2.7 billion in 2022, compared to just $34 million for ransomware. Meanwhile in Australia, the impact of BEC scams on victims is significant, with financial losses totaling more than $79 million in 2021. This led to the creation of the BEC Taskforce in January 2020, which is aimed at responding to these growing threats.
The sophistication of BEC criminal actors and their ever-evolving tactics has increased over time. BEC actors have targeted large and small companies and organizations in every U.S. state and more than 150 countries around the world.
BEC Evolved… Again
The origins of BEC attacks, which became very popular around 2020, saw emails supposedly originating from senior executives in a firm make legitimate financial requests such as payments for services or vouchers. The scam relies heavily on the fact the email appears to be genuine and from someone in a position of power, which would not typically raise suspicions for the recipient. The most common goal of a BEC attack is to convince the target to send money to the attacker while believing that they are performing a legitimate, authorized business transaction.
Later on, attacks shifted to a method in which the attacker compromises an account belonging to an organization or to one of its partners' organizations, and uses it to insert themselves into legitimate email threads, responding as if they were employees. Such threads usually involve invoices, in which the attacker alters the bank details in an attempt to route the funds into a different account. Because of the content of these emails, the scams are often more frequent at the end of the month or of a financial quarter, when business transactions are most likely to happen.
These days, our researchers observe a concerning spike in what looks like another progression of such attacks – BEC Firm Impersonation, or Phishing Scams 3.0. In the past 2 months, February and March, our researchers have seen a total of 33,817 email attacks impersonating legitimate, popular firms and services.
It is important to note that there is nothing malicious about these popular sites, nor is there a vulnerability in them. Instead, hackers are using these services' legitimacy to gain entry into the inbox.
In this method, the attackers use genuinely legitimate services to carry out their attack. The victim receives an email from a fully legitimate service (e.g. PayPal, Google Docs) that includes a link to a malicious site.
Email Examples
Does this type of email look familiar? It is a legitimate email. Here, the hacker has added a comment in Google Sheets. All the hacker has to do is create a free Google account, create a Google Sheet, and mention the intended target in a comment. The recipient gets an email notification.
To the end-user, this is a fairly typical email, especially if they use Google Workspace. (And even if they don't, it may appear legitimate, as many organizations use Google Workspace and Microsoft 365.)
Here is another example, this time using Google Docs.
This comes from a genuine sender: Google. The URL, a script.google.com URL, also looks legitimate on a first scan, because the domain itself is legitimate.
However, clicking it redirects to a fake cryptocurrency site. These fake cryptocurrency sites work in a few ways: they can be straightforward phishing sites where credentials are stolen, or they can serve a variety of other purposes, from outright theft to crypto mining.
In all examples recorded, the email address from which the email was sent looked perfectly legitimate and contained the “correct” addresses, which makes detection and identification much harder for the average user receiving them.
How to Protect Against BEC Attacks
A successful BEC attack can be extremely costly and damaging to an organization. However, these attacks can be defeated by taking a few simple email security precautions, including:
- Anti-Phishing Protections: Since BEC emails are a type of phishing, deploying an anti-phishing solution is essential to protecting against them. An anti-phishing solution should be capable of identifying the red flags of BEC emails (like reply-to addresses that do not match sender addresses) and use machine learning to analyze email language for indications of an attack.
- Employee Education: BEC attacks target an organization’s employees, making email security awareness training vital for cybersecurity. Training employees on how to identify and respond to a BEC attack is essential to minimizing the threat of this form of phishing.
- Separation of Duties: BEC attacks try to trick employees into taking a high-risk action (like sending money or sensitive information) without verifying the request. Implementing policies for these actions that require independent verification from a second employee can help to decrease the probability of a successful attack.
- Labeling External Emails: BEC attacks commonly try to impersonate internal email addresses using domain spoofing or lookalike domains. Configuring email programs to label emails coming from outside of the company as external can help to defeat this tactic.
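The following script is an added example, written for this post and not Check Point's or Avanan's product logic, that runs three of the red-flag checks named in the "Anti-Phishing Protections" and "Labeling External Emails" items above over constructed sample messages: tagging senders outside the organization (and lookalikes of its domain), a Reply-To domain that differs from the visible From domain, and links inside a notification from a legitimate service. The internal domain, the service allow-list, the sample addresses and the document IDs are all assumptions. As the post notes, a script.google.com link passes a plain domain check, so the example treats hosts where any account holder can publish content (Apps Script web apps are one such host) as untrusted instead of trying to follow redirects offline.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Everything below is constructed for this example (assumptions), not a real policy.
INTERNAL_DOMAINS = {"example-corp.com"}
# Notification senders whose links are expected to stay on the service's own domains.
SERVICE_SENDERS = {"docs.google.com": {"docs.google.com", "google.com"}}
# Hosts under a legitimate domain where any account holder can publish content.
USER_PUBLISHABLE_HOSTS = {"script.google.com", "sites.google.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def domain_of(header: str) -> str:
    """Domain part of an RFC 5322 address header, lowercased ('' if absent)."""
    _, addr = parseaddr(header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def plain_text_body(msg) -> str:
    """Concatenate all text/plain parts (also works for single-part messages)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(parts)


def analyse(raw_message: str) -> list[str]:
    """Return the red flags found in one raw message (empty list means none)."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    flags = []

    # 1. External-sender labelling: anything not sent from one of our own domains.
    if from_dom not in INTERNAL_DOMAINS:
        flags.append("EXTERNAL")
        # A lookalike is an external domain within two edits of an internal one.
        if any(edit_distance(from_dom, d) <= 2 for d in INTERNAL_DOMAINS):
            flags.append(f"LOOKALIKE_DOMAIN:{from_dom}")

    # 2. Reply-To routed to a domain other than the visible From domain.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"REPLY_TO_MISMATCH:{reply_dom}")

    # 3. Links carried by a notification from a legitimate service.
    hosts = {h for u in URL_RE.findall(plain_text_body(msg)) if (h := urlparse(u).hostname)}
    if from_dom in SERVICE_SENDERS:
        allowed = SERVICE_SENDERS[from_dom]
        offsite = sorted(h for h in hosts if not any(h == a or h.endswith("." + a) for a in allowed))
        if offsite:
            flags.append("OFFSITE_LINK:" + ",".join(offsite))
        for h in sorted(hosts & USER_PUBLISHABLE_HOSTS):
            flags.append(f"LINK_TO_USER_PUBLISHABLE_HOST:{h}")
    return flags


def tag_subject(subject: str, flags: list[str]) -> str:
    """Prefix the subject the way an external-mail banner rule would."""
    return f"[EXTERNAL] {subject}" if "EXTERNAL" in flags else subject


# Constructed sample 1: a Google Docs comment notification carrying an Apps Script
# link, the pattern described in the post (addresses and IDs are invented).
SAMPLE_NOTIFICATION = """\
From: "Jane (Google Docs)" <comments-noreply@docs.google.com>
To: finance@example-corp.com
Subject: Jane mentioned you in a comment in Q1 Invoices
Content-Type: text/plain; charset=utf-8

@finance@example-corp.com please confirm the payment here:
https://script.google.com/macros/s/EXAMPLE_ID/exec
Open the document: https://docs.google.com/spreadsheets/d/EXAMPLE_ID/edit
"""

# Constructed sample 2: executive impersonation from a lookalike domain with a
# Reply-To that differs from the visible sender.
SAMPLE_IMPERSONATION = """\
From: "CEO" <ceo@example-corp.co>
Reply-To: ceo.office@mail-example.net
To: finance@example-corp.com
Subject: Urgent wire
Content-Type: text/plain; charset=utf-8

Please process the attached invoice today.
"""

# Constructed sample 3: a routine internal message, expected to raise no flags.
SAMPLE_INTERNAL = """\
From: alice@example-corp.com
To: bob@example-corp.com
Subject: Lunch
Content-Type: text/plain; charset=utf-8

See https://docs.google.com/document/d/EXAMPLE_ID/edit for the agenda.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_NOTIFICATION, SAMPLE_IMPERSONATION, SAMPLE_INTERNAL):
        found = analyse(sample)
        subject = message_from_string(sample).get("Subject", "")
        print(tag_subject(subject, found), "->", found or "no flags")
```

The checks are deliberately header- and body-only so they can run in a mail gateway or a SIEM parser without fetching anything; a flagged message is a candidate for the independent verification step from the "Separation of Duties" item, not an automatic block.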
Check Point Harmony Email & Collaboration provides protection against BEC attacks and data loss prevention. To see Harmony Email & Collaboration in action, you’re welcome to schedule a free demo.