Counting the cost of the biggest BEC attacks

Counting the cost of the biggest BEC attacks

Robust email protection is a necessity for protecting against one of the industry’s most sophisticated attack types; Business Email Compromise (BEC). Andrew Rose, Resident CISO, Proofpoint, offers some top tips to avoid falling victim to these types of attacks and highlights the importance of adding an extra layer of protection to your business to ensure cybersecurity is everyone’s responsibility.

Business Email Compromise (BEC) has fast become an expensive headache for organisations around the world. In 2020, BEC schemes cost victims over US$1.8 billion. That’s almost half of all cybercrime losses. 

BEC attacks are incredibly difficult to detect and deter by their very nature. They are designed to blend in and often do not include the traditional red flags of malicious URLs and payloads. Instead, BEC relies on a complex web of spoofing and social engineering techniques to trick unsuspecting users. 

In most cases, a threat actor poses as a trusted person or entity, be it a colleague, business partner or vendor. The attacker then sends an email directing the victim to carry out a required action, such as changing bank details on an invoice or making a wire transfer. 

But while most attacks follow this blueprint, each has its own identity. And with such lucrative rewards on offer, cybercriminals are only growing more sophisticated and tenacious in their attempts to separate unwitting businesses from their hard-earned cash. 

To highlight the scale of the issue, below is a rundown of some of the boldest recent BEC attacks, along with tips on avoiding a similar fate. 

German Health Authority

Healthcare has long been in the crosshairs of cybercriminals. Masses of sensitive data, a need for uninterrupted service and a vast network of files and systems make the industry an incredibly attractive target. 

Add to this the disruption caused by the pandemic, and keeping threat actors at bay is an almost impossible task, as one German healthcare authority knows only too well

During the height of the pandemic across Europe, four cybercriminals almost convinced the authority to transfer a €14.7 million payment for PPE into their clutches. However, they only managed to steal €2.4 million before Interpol and the German police shut down the con. 

The fraudsters created a clone of a legitimate supplier’s website, compromised email addresses and successfully took an order for 10 million face masks. 

After failing to deliver and making demands for extra fees, the health authority became suspicious and turned to law enforcement for help. Fortunately, the victim in this case was able to recover the funds, though that is far from the norm. 

Rijksmuseum Twenthe

Emboldened by their success in recent years, cybercriminals are not shy when it comes to seeking out big payoffs. To this end, we see BEC attackers setting their sights on banks, governments, large corporations and, in this instance, art dealers and museums trading in multi-million-dollar masterpieces

In January 2020, Rijksmuseum Twenthe, a national museum in the Netherlands, lost US$3.1 million to a cybercriminal posing as a famous London art dealer. The scammer interjected in legitimate communication between the museum and the dealer over the sale of John Constable’s 1824 painting, ‘View of Hampstead Heath. Child’s Hill, Harrow in the distance’.

By either compromising or spoofing the dealer’s email account, the scammer ‘updated’ the payment information before the sale closed. The painting was shipped and payment was made to the unscrupulous cybercriminal’s bank account in Hong Kong. 

As it stands, Rijksmuseum Twenthe is holding on to the painting pending the outcome of lawsuits and countersuits, with each party (some might say correctly) accusing the other of negligence. 

Cosmic Lynx

With such lucrative potential rewards on offer, it did not take long for sophisticated criminal gangs to appear on the BEC scene. One such, Cosmic Lynx, was officially uncovered in the summer of 2020, though cybersecurity researchers believe they were active for at least a year before. 

The group has targeted at least 200 multinational organisations in 46 countries, and counting. As well as its focus on high-value targets and sizeable payoffs, Cosmic Lynx is known for its complex dual impersonation tactic. 

The criminal collective seeks out organisations without DMARC authentication that are close to taking over or merging with another company. The lack of DMARC allows them to impersonate company executives with relative ease. 

But the grift doesn’t end there. Cosmic Lynx members also impersonate a legitimate attorney for added credibility. An email is then sent from the compromised executive’s account asking an employee with the relevant authority to liaise with the imposter attorney and process the payment for the deal. 

The average payment requested by the group is US$1.27 million, much higher than the amounts asked for by most BEC criminal gangs. 

How to brace for BEC

As the examples above show, BEC attacks come in many forms, perpetrated by both opportunistic individuals and well-organised criminal enterprises. But while it is crucial to keep up to speed with the current threat landscape, there are several effective solutions that can help to protect your organisation whatever the methods and motives of an attack. 

The first is robust email protection capable of analysing and filtering malicious message content before it lands in your inbox. DMARC is also a must. By authenticating legitimate domains, DMARC helps to prevent spoofed emails from reaching their intended target. 

Once in place, emails from your domains can only be sent from permitted and authenticated servers. Most importantly, DMARC acts as a deterrent, with many cybercriminals setting their sights on organisations that do not have this layer of protection. 

Complement these defences with deep insight into your VAPs – that’s your Very Attacked People. The more you know about the type and frequency of attacks faced by each user, the better you can tailor your defences, allocating tools wherever they are needed most. 

And the most vital of these tools is security awareness training. BEC is an attack on your people – it is they who respond to expedited requests, alter payment information and authorise wire transfers. So, they must know how to spot the signs of compromised email accounts and suspicious activity. 

Through ongoing and adaptive training, the aim is to build a culture where cybersecurity is everyone’s responsibility. When a single errant click can open the door to financial and reputational devastation, users must be in no doubt about the potential consequences of poor security hygiene. 

While none of these strategies alone is a match for the modern BEC attack, together they can equip your organisation with the best possible chance of staying off this sorry list. 

Browse our latest issue

Intelligent CIO APAC

View Magazine Archive