One year ago, when COVID-19 first started to make news headlines, no one thought that it would grip the world the way it has, especially here in the United States. We have seen things dramatically change over the past year. For example, the idea of a remote workforce, which was once thought to be unrealistic, has become a reality. There has also been an alarming increase in the frequency and sophistication of cyberattacks. This is especially true for those organizations tasked with manufacturing, shipping, and administering COVID-19 care and vaccines.
In this series, we are looking at the increased cyberattacks against individuals and entities working to fight the COVID-19 pandemic. One of these threats is Business Email Compromise, also known as BEC.
What Exactly Is BEC?
A BEC can occur in several ways. The most common starting point is a phishing email, in which criminals try to gain access to your accounts or personal information by sending a fake email, or linking to a fake website, designed to look like the real one. In doing so, the attackers attempt to “phish” information such as credit card numbers, passwords, social security numbers, and more.
We will address social engineering in a future blog, but note that the lure does not have to be an email: a user can also receive phone calls or text messages designed to extract confidential information.
There are two victims that are primarily targeted:
- A member of the C-Suite (such as the CFO)
- An employee who reports directly to them and has access to sensitive information (such as an administrative assistant)
While BEC attacks are focused and specialized, they combine several vectors rather than relying on one: social engineering, robocalls, smishing (fake text messages) and phishing.
The Types of BEC Attacks
There are five types of BEC attacks:
1. The Fake Invoice Scheme: This is often used when an external third party is involved. Although it is most often seen with invoices that appear to come from suppliers abroad, it is common with domestic suppliers as well. An authentic-looking invoice is sent to the Accounting department, requesting that it be paid immediately (usually via ACH or wire transfer). The destination is an account controlled by the bad actor, often offshore.
2. CEO Fraud: The attacker impersonates a member of the C-Suite (the CEO or CFO) and emails their administrative assistant, requesting that a large sum be sent immediately to a supplier or other affiliated party. The message conveys severe urgency, using scare tactics to put undue pressure on the assistant to release the funds without checking.
3. Account Compromise: Rather than merely spoofing an address, the attacker takes over the mailbox of one or more employees. A genuine internal account lets the bad actor move laterally and covertly through the organization, gain access to almost anything, and remain unnoticed for extended periods. Mail sent from a real employee account also makes the CEO fraud scenario above far more convincing.
4. Impersonating the Legal Team: This falls more into the realm of social engineering. Few things persuade an employee to share confidential information as quickly as the threat of legal action. This attack takes many forms beyond email, including:
- Threatening phone calls
- Text messages
- Letters (snail mail)
Depending on the department they work in, an employee who falls for this may hand over highly sensitive information.
5. Theft of Data: Accounting and Human Resources (HR) are favored targets. Using any or all of the methods above, employees in these departments can be duped into giving out confidential information and data about customers, employees, and even external suppliers. Most often the target is Personally Identifiable Information (PII), which is then used to launch subsequent identity theft attacks.
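The schemes above are social engineering, but the CEO fraud and fake invoice variants leave signals in the message itself: a display name that matches an executive on a mailbox that is not theirs, a sender domain one character away from the real one, a Reply-To that diverts the conversation elsewhere, and urgent payment language. The Python below is an added example, not code from the original post or from Logically. It is a mail-gateway style triage that scores a raw message on those indicators. The organization domain, the executive roster, the keyword lists, the weights and both sample messages are constructed for illustration; the indicators themselves go beyond what the post spells out and are standard BEC heuristics.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for illustration: the organization, its executives and the
# sample messages below are hypothetical, not data from the original post.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> genuine mailbox

# Language the CEO-fraud and fake-invoice schemes rely on.
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|today|end of day)\b", re.I)
PAYMENT = re.compile(r"\b(wire( transfer)?|ach|invoice|payment|bank details|routing number)\b", re.I)

WEIGHTS = {
    "exec_impersonation": 3,  # executive's display name, but not their mailbox
    "lookalike_domain": 2,    # sender domain within two edits of ours
    "reply_to_mismatch": 1,   # replies would go somewhere other than the sender
    "urgency": 1,
    "payment_request": 1,
}
HOLD_THRESHOLD = 3  # assumed cut-off for holding a message for verification


def edit_distance(a, b):
    """Levenshtein distance; spots look-alikes such as examp1e.com vs example.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Score one plain-text RFC 822 message for BEC indicators."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)
    body = "" if msg.is_multipart() else msg.get_payload()  # samples are single-part
    text = msg.get("Subject", "") + "\n" + body
    genuine = EXECUTIVES.get(from_name.strip().lower())

    indicators = {
        "exec_impersonation": genuine is not None and from_addr.lower() != genuine,
        "lookalike_domain": from_domain != ORG_DOMAIN
        and edit_distance(from_domain, ORG_DOMAIN) <= 2,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "urgency": URGENCY.search(text) is not None,
        "payment_request": PAYMENT.search(text) is not None,
    }
    score = sum(WEIGHTS[name] for name, hit in indicators.items() if hit)
    verdict = "hold for out-of-band verification" if score >= HOLD_THRESHOLD else "deliver"
    return {"indicators": indicators, "score": score, "verdict": verdict}


# Constructed sample: the CEO fraud pattern described in the post.
CEO_FRAUD_SAMPLE = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.doe.ceo@gmail.com>
To: assistant@example.com
Subject: Urgent: wire transfer needed today

I am in a meeting and cannot take calls. Please send the wire transfer for
the supplier invoice immediately. Bank details to follow. Do not call, just
confirm by email once it is done before end of day.
"""

# Constructed sample: routine mail from the real executive mailbox.
LEGIT_SAMPLE = """\
From: "Jane Doe" <jane.doe@example.com>
To: assistant@example.com
Subject: Lunch next week

Can you block out Tuesday at noon for the vendor lunch? Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("ceo-fraud", CEO_FRAUD_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        result = triage(sample)
        print(f"{label}: score={result['score']} verdict={result['verdict']}")
        for name, hit in result["indicators"].items():
            print(f"  {name}: {hit}")
```

The score only decides whether a message is held for a human; the control that actually stops the fraud is confirming any new payment instruction through a phone number already on file, never through contact details in the message itself. Keyword lists also need tuning per organization, since Accounting will legitimately discuss invoices and wires all day.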
Our next blog will examine another cyber threat in the pandemic: ransomware. All business entities and individuals are at risk for ransomware attacks.
If you don’t feel like your organization is where it needs to be from a security standpoint, then it’s time for a serious conversation. The Logically team is available to answer any questions you may have.