BEC Attacks in 2023: What Organizations Need to Know

Business Email Compromise (BEC) attacks have emerged as some of the most financially impactful cyberattacks in recent years. They’ve become such significant impactful attacks, largely because they rely on exploiting human vulnerabilities and bypass traditional security measures, leading to substantial financial losses for organizations. In 2022 alone, BEC attacks led to $2.7B in losses, according to the FBI. Given that BEC attacks increased 81% in 2022, it’s clear that organizations need to be ready to face this threat.

Among the industries most commonly targeted by BEC attacks, the finance sector and the logistics and fulfillment industry have been hit hardest, with the FBI warning that BEC attacks are now targeting food shipments. Given the financial incentives, BEC attacks don’t seem like they’re relenting and attackers are finding new ways to ensure success.

In this article, we will delve into the evolution of BEC attacks and provide essential information that organizations need to be aware of in order to protect themselves from this growing threat.

How BEC Attacks are evolving

Business Email Compromise (BEC) attacks, also known as CEO fraud or man-in-the-email attacks, are sophisticated scams aimed at companies who conduct wire transfers. These attacks often involve a cybercriminal impersonating a high-ranking executive or a trusted partner to trick employees into transferring funds or sensitive information such as bank account details. The techniques used in BEC attacks vary, but they often rely heavily on social engineering and exploit human vulnerabilities, including trust and authority.

While it may seem that email-based attacks are falling out of fashion, they’re not. We found that 25% of executives from our 2023 Cybersecurity Assessment report wish they could bust the security myth that “an email that comes into the corporate system is always safe to open and click on.” Clearly, education is still required.

At their core, BEC attacks are an advanced form of phishing. Cybercriminals launch massive phishing campaigns, sending out fraudulent emails to a large number of potential victims. With the aid of artificial intelligence tools, these campaigns are becoming increasingly sophisticated. The release of AI-powered chatbots like ChatGPT are being used to generate believable email content that doesn't have many of the common tells like strange language or poor grammar.

Another emerging trend in BEC attacks is the use of deepfakes – AI-generated videos, images, or voices that are similar to the real person they are impersonating. By using deepfake technology, attackers can mimic the voice of a CEO or other top executive in a meeting, adding an extra layer of credibility to these attacks. The FBI has already issued a warning on how these scammers are using deepfakes in virtual meetings as part of BEC attacks

This is not a hypothetical. In 2019, a UK-based energy firm lost $243,000 when the CEO was tricked into transferring funds by a fraudster who used deepfake technology to mimic the voice of the company’s chief executive. As BEC attacks continue to evolve, it is crucial for organizations to stay informed about these trends and invest in advanced security measures to defend against this growing threat.

How recent events in the banking industry may lead to more BEC attacks

The finance industry has been rattled by recent events. Silicon Valley Bank as well as Signature Bank have gone under and First Republic Bank needed to be rescued by JP Morgan to avoid a similar fate. This has created a very tense environment and has pulled focus and diverted resources away from cybersecurity, which may lead to unnecessary risk for smaller and local banks who are likely to be most impacted by a cyber compromise.

Scammers are making things worse, taking advantage of the uncertainty and deploying various phishing and BEC attacks. Scammers have already bought domains tied to SVB and Signature in hopes of trying to steal financial information while other, more nefarious hackers, have reached out to the customers of the affected banks or customers of SVB's clients, impersonating the organization and asking for bank account details.

While the largest banks can withstand the reputational and financial impact of these kinds of attacks, smaller banks are likely to face much worse consequences if they’re hit with BEC attacks. Not only will they lose funds to the attack, they may be at risk of depositors withdrawing their funds because of the reputational impact associated with a cyber attack. This may exacerbate the problems that led to the failure of SVB and Signature Bank.

How organizations can defend themselves

Building a strong security culture and awareness is pivotal in the fight against BEC attacks. Due to the nature of these attacks, employees often represent both the first and the last line of defense. Even with robust security measures in place, a single lapse in judgment by an unconcerned or negligent employee can lead to a successful attack.

One crucial step is to cultivate a high level of vigilance among employees. Regular, ongoing security training can help them spot the telltale signs of BEC attacks, such as requests for unusual wire transfers or urgent demands that bypass normal procedures. Simulated phishing exercises can also be useful in reinforcing this training, giving employees practical experience in identifying and responding to attempted attacks.

It’s also important to know that one-time security awareness training isn’t enough, especially since we’re seeing these attacks evolve and change in tactics. Having ongoing security training can ensure your employees are aware of these new attack methods before they see them in the wild. However, not all employees may be so receptive so make sure you’re building a security culture across the entire organization that will embrace your efforts.

Many organizations have also found it helpful to implement technical tools and solutions from vendors that automatically flag or indicate emails from external sources. These options can help protect against email-based attacks and include:

Email security solutions: These tools can scan incoming emails for signs of phishing or BEC attacks, such as suspicious attachments, URLs, or may just flag any external sender, just to be sure.

Domain monitoring: By keeping an eye on domain registration activity, these services can alert you if someone registers a domain that closely resembles your own—a common tactic in BEC attacks.

Network security tools: These tools can help detect unusual activity within your network, potentially identifying a BEC attack in progress.

Investing in these tools and strategies can significantly bolster your organization's defenses against BEC attacks. However, it's important to remember that no single measure is foolproof. A multi-layered approach that combines technical defenses with strong security awareness is often the most effective way to protect against these sophisticated attacks.