Between the second and third weeks of March 2020, email scams and phishing attacks spiked by an unprecedented 436%. Such was the effect of the COVID-19 pandemic. Meanwhile, business email compromise (BEC) attacks have been less affected by the pandemic, but have also increased and evolved.
BEC attacks represent a low percentage of email attacks by volume, but a disproportionally high percentage of overall loss to business. According to the 2019 FBI IC3 report, BEC was responsible for more than 50% of all cybercrime-related financial loss.
According to Abnormal Security’s Quarterly BEC Report Q1 2020 (PDF), there have been several major shifts in BEC attack patterns. The first is a move away from targeting individual C-Suite leaders towards targeting finance employees. The former has decreased by 37% between Q4 2019 and Q1 2020, while the latter has increased by 87% over the same period.
Linked to this has been a discernible shift away from individual targets towards attacks against groups of ten or more targets. “By targeting a group within an organization,” say the Abnormal researchers, “the attacker increases the likelihood of a response from one individual, creating legitimacy across the other targets.” Such attacks increased by 17%.
Another development has been a movement away from paycheck and engagement fraud towards invoice fraud. The former has declined by 50% since the previous quarter, while the latter has increased by more than 75%. The criminals are exploiting the generally high level of trust in the supply chain combined with less well-established communication channels, most usually conducted by email, between the companies.
Overall, BEC attacks per thousand mailboxes (a measure used to normalize figures for comparative purposes) increased by 28% from Q4 2019 to Q1 2020. However, despite warnings from other organizations, there is little evidence to suggest that criminals are using pandemic-related themes to fuel new BEC variants.
Similarly, there is yet no evidence of the predicted surge in the use of deepfake technology in BEC attacks. “Deepfakes certainly represent a looming tactic to socially engineered attacks such as BEC,” Ken Liao, Abnormal’s VP of cybersecurity strategy, told SecurityWeek. “However, deepfake voice or video may not be as effective as simple email. When the goal of a BEC attack is to change the bank routing number for a payment or paycheck, or deliver a fraudulent invoice, voice and video aren’t the ideal mechanisms in which to deliver this information.”
BEC attacks do not get the media coverage given to phishing/scam attacks, which are more widespread, frequent, and noisy. Statistically, they have been swamped by the huge surge in phishing attacks riding the fear and uncertainty of the pandemic. But they haven’t gone away, are still increasing, and continuously evolving, and continue to be a major threat to business. “By volume, BEC attacks represent a small percentage of the total number of email attacks in general. BEC attacks are targeted attempts, done after the targets have been identified and researched.” The cost to business remains disproportionately high.
San Francisco, California-based Abnormal Security was founded in 2018 by Evan Reiser (CEO), and Sanjay Jeyakumar (CTO). It emerged from stealth in November 2019 with a $24 million funding round led by Greylock Partners.
Related: Tax Phishing Campaign Reminds of DMARC Limitations
Related: Nigerian Threat Actors Specializing in BEC Attacks Continue to Evolve
Related: Healthcare, Government Organizations Targeted in BEC Attacks With COVID-19 Lures