Features 16.11.2023

Harpooning the Whale: Why BEC is the Scourge of the Time-Poor C-Suite

Fraudsters continue to adapt their business email compromise techniques to make a fortune

Business email compromise has the silver medal for highest-grossing cyber crime type, according to the FBI. Phil Muncaster takes a look at why it’s reigning supreme and how senior execs can evade being caught out

Business email compromise (BEC) doesn’t sound particularly dramatic or devastating. It’s not even a particularly accurate moniker, given that some attacks are being launched via channels other than email. Benign appearance aside, it should be on the radar of any senior executive at virtually any organisation. Why? Until recently, it was the highest-grossing cyber crime type recorded by the FBI for several years.

Although BEC was knocked off the top spot last year by investment fraud, it still cost victims over $2.7bn (£2.2bn) in 2022, and that’s just the attacks we know about. Senior leaders need to understand they are in the crosshairs and that mitigating this persistent cybersecurity risk will require a blend of people, processes and technology.

How BEC works

BEC attacks usually have one thing in common: they try to trick the recipient into transferring money to a bank account controlled by the attacker. They do this via impersonation techniques. It could be an email to a finance team member impersonating a CEO or senior executive. Or it could be an email sent to an executive spoofed to appear as if written by their boss, a trusted supplier, or a business partner.

This is a social engineering technique known as pretexting, often combined with other common tactics, such as creating a sense of urgency for the sender to reply. According to Verizon, thanks to BEC, pretexting is now a more popular form of social engineering than phishing, with incidents doubling over the past year.

It’s not just social engineering tactics that fraudsters have mastered. They often hijack email accounts within the targeted organisation or a supplier to monitor emails, understand business processes and copy invoice templates. They might spend weeks researching who to target, scouring publicly available corporate information, including LinkedIn profiles, for intelligence on possible victims.

BEC continues to make outstanding returns for seasoned email scammers. Despite dropping into second place in terms of overall losses on the FBI’s list last year, it has a higher ROI than investment fraud: $125,611 (£101k) per attack versus $108,478 (£88k). BEC still accounted for over a quarter (27%) of all losses recorded by the Feds. And for that very good reason, attacks keep on coming.

Abnormal Security recorded a 55% increase in BEC attacks between the second half of 2022 and the first six months of 2023. Large organisations are particularly at risk: there is a greater than 90% chance of receiving at least one BEC attack each week for those running more than 5,000 mailboxes. One insurer released an analysis of its claims data at the end of 2022, revealing that fraudulent fund transfers were the top claims category, comprising over a quarter (28%) of the total and exceeding even ransomware.

Trouble at the top

KnowBe4 security awareness advocate Jelle Wieringa says the C-suite is particularly vulnerable to BEC.

“Executives typically have higher levels of authority and control over financial transactions within an organisation. They’re also typically busy individuals who have numerous responsibilities and time constraints. Attackers exploit this by crafting urgent and time-sensitive requests that executives may be more inclined to act upon without thorough verification,” he tells Assured Intelligence.

“Executives hold positions of authority and are accustomed to receiving requests from employees, partners, and customers. And they are often involved in high-value financial transactions, such as authorising large wire transfers or approving significant purchases.”

They may also be less inclined to play by the rules. A recent global study found that many execs seek workarounds and executive exceptions, which can expose their organisation to risk, including sharing passwords and devices with users outside the company and even accessing unauthorised work documents.

What’s new with BEC?

Yet even if execs play by the rules, scammers constantly evolve tactics to achieve their objectives. One report claims they increasingly use mobile numbers obtained via data breaches, social media and data brokers, and messaging recipients with wire transfer requests. In another example of continued threat actor innovation, Abnormal Security observed an attempt to trick an insurance company into wiring $36m. The scammers impersonated the sending domain and spoofed a second firm, a long-time partner organisation, and CC’d the spoofed domain to add more legitimacy to the request.

For Forrester principal analyst Jess Burn, the use of alternatives to email is becoming more popular.

“Right now, we’re starting to see different communication channels enter the mix when it comes to BEC and phishing,” Burn tells Assured Intelligence. “The use of Teams, for example, to impersonate IT or Help Desk team members to harvest credentials, and the use of voicemail and email in combination to add legitimacy to social engineering efforts that often lead to BEC.”

The use of voicemail generated with generative AI (GenAI) is the latest iteration of a trend first seen several years ago: deepfake technology used to impersonate the C-suite. In one infamous 2019 case, scammers tricked a CEO into wiring them over $240,000 (£194k) at the behest of his ‘German boss’. The FBI has also warned of deepfake audio being used by scammers in combination with video calls, where the video is deliberately ‘frozen’ so attendees can only hear the faked voice.

Unfortunately, the technology is becoming increasingly cheap and accessible to threat actors, and according to research, humans are fooled 27% of the time. Those are pretty good odds for the bad guys. The concern is they’ll also progress to video deepfakes, trained on plentiful video footage of executives in the public domain and enabled by GenAI. The chief communications officer of a leading cryptocurrency firm has already warned of scams sophisticated enough to fool “several highly intelligent crypto community members.”

Keeping the top brass safe

Successful BEC attacks involving senior executives appear to have been few and far between over the past few years. But that may be because they are kept from the public eye: as no data is typically disclosed in such attacks, there’s no obvious need to notify regulators. However, cases do exist. Consider the corporate controller at a commodities firm who wired $17m (£14m) to a bank account in China, thinking the instructions had come from his CEO. He is no longer with the company. Or the CEO of film company Pathé’s Dutch business, who was sacked after transferring €19m (£16.6m) to fraudsters posing as his boss.

So, how can organisations mitigate the risk of BEC in general and the ‘whaling’ of senior executives more specifically? The challenge from a technical perspective is that BEC traditionally features no malware to scan for. However, firms can still check for risky or spoofed domains or even use AI tools to spot language that might deviate from the norm. Doing so will help filter the volume of emails that end up in front of employees, says Burn.

“To combat social engineering, security leaders should implement protocols like DMARC to reduce the likelihood of employee interaction with social engineering messages by reducing domain spoofing,” she explains.
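To make the two technical controls mentioned here concrete (checking incoming mail for spoofed or lookalike sender domains, and DMARC enforcement), the following is an added Python example; it is not part of the article and not code from Forrester, KnowBe4 or any vendor. It classifies the strength of a DMARC record and flags sender domains that imitate a trusted partner. Every domain name and record string is constructed for the example, and the trusted-domain list, the similarity threshold and the homoglyph table are assumptions to be replaced with an organisation's own data.

```python
from difflib import SequenceMatcher

# Constructed DMARC TXT records, keyed by the domain that would publish them
# at _dmarc.<domain>. In production these come from a DNS TXT lookup.
SAMPLE_DMARC_RECORDS = {
    "example-partner.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example-partner.com",
    "weak-example.com": "v=DMARC1; p=none; rua=mailto:reports@weak-example.com",
    "partial-example.com": "v=DMARC1; p=quarantine; pct=10",
}

# Assumed list of partner/supplier domains the finance team legitimately deals with.
TRUSTED_DOMAINS = ["example-partner.com", "assured-example.co.uk"]

# Small, assumed table of character swaps commonly used to imitate a domain.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "5": "s"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; empty dict if not a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def effective_policy(record: str) -> str:
    """Return 'missing', 'none', 'partial', 'quarantine' or 'reject'.

    'none' is monitoring only: mail spoofing the domain is still delivered.
    'partial' means pct<100, so a share of spoofed mail bypasses the policy.
    """
    tags = parse_dmarc(record)
    if not tags:
        return "missing"
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        return "none"
    if pct < 100:
        return "partial"
    return policy if policy in ("quarantine", "reject") else "missing"


def normalise(domain: str) -> str:
    """Lower-case and undo the common character swaps before comparing."""
    d = domain.lower()
    for glyph, plain in HOMOGLYPHS.items():
        d = d.replace(glyph, plain)
    return d


def lookalike_of(sender_domain: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.85):
    """Return the trusted domain that sender_domain imitates, or None.

    An exact match is the real domain, not a lookalike. The threshold is an
    assumption; tune it against your own partner list to limit false positives.
    """
    if sender_domain.lower() in trusted:
        return None
    candidate = normalise(sender_domain)
    best, best_ratio = None, 0.0
    for t in trusted:
        target = normalise(t)
        if candidate == target:  # differs only by swapped characters
            return t
        ratio = SequenceMatcher(None, candidate, target).ratio()
        if ratio > best_ratio:
            best, best_ratio = t, ratio
    return best if best_ratio >= threshold else None


def triage_sender(sender_domain: str, records=SAMPLE_DMARC_RECORDS) -> str:
    """Combine both checks into a risk label a mail-gateway rule could act on."""
    imitated = lookalike_of(sender_domain)
    if imitated:
        return f"high: lookalike of {imitated}"
    policy = effective_policy(records.get(sender_domain, ""))
    if policy in ("missing", "none", "partial"):
        return f"medium: {sender_domain} DMARC policy is {policy}, domain can be spoofed"
    return "low"


if __name__ == "__main__":
    for sender in ["examp1e-partner.com", "weak-example.com", "example-partner.com"]:
        print(sender, "->", triage_sender(sender))
```

The two checks cover different gaps: DMARC (when the domain owner publishes an enforcing policy and the receiving gateway evaluates it) stops mail that forges the exact domain, but does nothing against a registered lookalike, which is why the similarity check is paired with it. A medium result is a prompt for the finance process to verify the request out of band, not proof of fraud.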

Deepfake detection tools are also emerging, says KnowBe4’s Wieringa.

“While this technology is still in its early days, with many drawbacks such as being non-real-time, costly and inaccurate, it is something that I expect organisations to adopt in time to prevent GenAI-driven or augmented attacks,” he argues.

However, bad actors will always find a way around technology, which makes end-user training particularly important, Wieringa adds. Executive-specific programmes could be one way to neutralise the threat to the C-suite, combined with updated policy and process.

“Focus on the outcome of positively influencing employee behaviour and instilling a security culture that makes employees feel empowered to ask questions – even if they report false positives,” concludes Forrester’s Burn.

“Organisations must also put processes in place to ensure one employee is not the single point of failure when it comes to BEC and resulting financial fraud. Several approvals should be needed for any change to the destination of a wire transfer or invoice payment.”
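As an illustration of the "no single point of failure" process Burn describes, here is an added Python example (not the article's, Forrester's or any vendor's code) modelling a change to a supplier's payment destination that only takes effect after two approvers other than the requester have signed off and finance has called the supplier back on a number already on file. The approval count, the names and the scenario data are all constructed assumptions.

```python
from dataclasses import dataclass, field

REQUIRED_APPROVALS = 2  # assumed policy: two people other than the requester


class ApprovalError(Exception):
    """Raised when a change is approved or applied in breach of the policy."""


@dataclass
class BankDetailChange:
    """A pending request to change where a supplier's invoices are paid."""
    vendor: str
    new_account: str
    requested_by: str
    # Set only after finance has phoned the supplier on the number already on
    # file, never on a number supplied in the request itself.
    verified_out_of_band: bool = False
    approvals: set = field(default_factory=set)
    applied: bool = False
    audit: list = field(default_factory=list)


def approve(change: BankDetailChange, approver: str) -> int:
    """Record one approval; returns the number of distinct approvals so far."""
    if approver == change.requested_by:
        raise ApprovalError("requester cannot approve their own change")
    if approver in change.approvals:
        raise ApprovalError("duplicate approval does not count twice")
    change.approvals.add(approver)
    change.audit.append(f"approved by {approver}")
    return len(change.approvals)


def apply_change(change: BankDetailChange) -> bool:
    """Make the change effective only once every control has been met."""
    if change.applied:
        raise ApprovalError("change already applied")
    if not change.verified_out_of_band:
        raise ApprovalError("supplier not verified by callback")
    if len(change.approvals) < REQUIRED_APPROVALS:
        raise ApprovalError(f"{len(change.approvals)} of {REQUIRED_APPROVALS} approvals")
    change.applied = True
    change.audit.append(f"applied: {change.vendor} -> {change.new_account}")
    return True


def run_scenario(approvers, verified: bool) -> str:
    """Drive one constructed request through the workflow; returns the outcome."""
    change = BankDetailChange("Example Supplier Ltd", "ACCT-CONSTRUCTED-0001",
                              requested_by="cfo@example.invalid",
                              verified_out_of_band=verified)
    try:
        for person in approvers:
            approve(change, person)
        apply_change(change)
        return "applied"
    except ApprovalError as err:
        change.audit.append(f"blocked: {err}")
        return f"blocked: {err}"


def demo() -> dict:
    """Three constructed scenarios; the urgent one-person request is the BEC pattern."""
    return {
        # 'Urgent' request pushed through by the requester alone: blocked.
        "self_approved": run_scenario(["cfo@example.invalid"], verified=True),
        # Two approvals but nobody phoned the supplier: blocked.
        "no_callback": run_scenario(["ap1@example.invalid", "ap2@example.invalid"],
                                    verified=False),
        # Two independent approvers plus callback: applied.
        "full_control": run_scenario(["ap1@example.invalid", "ap2@example.invalid"],
                                     verified=True),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the model is that authority alone never moves money: the person who raised the request is excluded from approving it, a second approver cannot be the same account twice, and the callback gate is independent of both, so a single compromised or pressured individual cannot complete the change.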

If BEC isn’t on the radar yet, it should be. Seasoned whalers are sharpening their harpoons as we speak.