With cyber criminals continually evolving their tactics, traditional email defence methods are increasingly falling short, which is leaving security teams and businesses at a disadvantage and contributing to the rise of Business Email Compromise (BEC), according to Secureworks.
In BEC attacks, a threat actor usually compromises a corporate email account and uses that account to send fraudulent emails.
According to the Secureworks Incident Response report, the number of BEC incidents doubled between January and December 2022, displacing ransomware as the most common financially motivated cyber threat to organisations.
Alex Tilley, Head of Threat Intelligence, Asia Pacific and Japan for Secureworks, says cyber criminals are always looking for opportunities to trick employees in organisations via realistic looking but bogus emails.
Tilley says, "We're continuing to see high-profile cases of post-intrusion ransomware, which can be extremely disruptive and damaging to an organisation. Business email compromise is increasingly becoming cyber criminals' tactic of choice because it requires little to no technical skill, but it can be extremely lucrative."
The Secureworks report points out that BEC attacks exploit employees who are involved in routine financial transactions, manipulating their trust to transfer large sums of money through existing processes.
By bypassing payment infrastructure, cyber criminals avoid many of the controls that businesses rely on to protect against email-based attacks.
No two BEC attacks are identical; threat actors continuously refine their techniques to maximise financial gain with minimal effort. Secureworks incident responders have identified a typical pattern in BEC attacks:
- Compromising email accounts: Threat actors gain unauthorised access to email accounts using credential-harvesting pages, reused credentials from third-party breaches, brute-forcing single-factor email portals, or exploiting known vulnerabilities on internet-facing mail servers.
- Conducting reconnaissance: Once inside the email accounts, threat actors monitor email communications to understand business terminology, identify purchased services, and locate invoice templates that can be modified.
- Deception: The threat actors identify new or ongoing email threads. Legitimate employees are removed from the conversation to avoid detection, and fraudulent requests for payment changes are made.
- Tricking employees: Employees from other organisations interpret the fraudulent requests as legitimate replies and comply with the instructions, leading to payments being redirected to attacker-controlled accounts.
Tilley says that while certain security controls can detect email account compromise during the initial stages of the attack, maintaining detection throughout the attack chain becomes increasingly challenging as threat actors pivot to attacker-controlled infrastructure.
To mitigate the risk of BEC attacks, Tilley says adopting proactive security defences, such as modern phishing-resistant Multi-Factor Authentication (MFA) and conditional access, could help provide employees with better protection.
"Employees play a crucial role as the final line of defence against BEC attacks. Educating employees to recognise warning signs and adopt a 'trust but verify' approach to email communication can raise suspicion and prevent successful attacks."
He adds that businesses have prioritised safeguarding against cyber threats by taking various protective measures, such as adopting sophisticated email security systems and providing extensive training to employees. Nevertheless, the emergence of BEC renders many detection mechanisms ineffectual, placing security teams at a disadvantage and exposing businesses to risk.
To optimise security posture, Secureworks advises organisations to have comprehensive visibility and intelligence-driven detection across host, network, and cloud environments. Implementing centralised log retention and analysis across various resources, along with reputation-based web filtering and network detection for suspicious domains and IPs, can bolster defences against emerging threats.
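The first stage of the BEC pattern above (brute-forcing single-factor mail portals) and the closing advice about centralised log analysis with reputation-based detection of suspicious IPs both lend themselves to simple detection logic over sign-in logs. The following is an added example written for this article, not code from Secureworks or the report; the log format, the account names and IPs, and the deny-list are all constructed for illustration. It flags a successful sign-in that follows a burst of failures from the same source, successful sign-ins from a deny-listed source, and successful sign-ins that used no second factor.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of mail-portal sign-in events; every value is made up.
SAMPLE_LOG = """\
2022-06-01T08:00:01Z user=alice@example.com src=203.0.113.7 result=FAIL mfa=none
2022-06-01T08:00:03Z user=alice@example.com src=203.0.113.7 result=FAIL mfa=none
2022-06-01T08:00:05Z user=alice@example.com src=203.0.113.7 result=FAIL mfa=none
2022-06-01T08:00:08Z user=alice@example.com src=203.0.113.7 result=FAIL mfa=none
2022-06-01T08:00:10Z user=alice@example.com src=203.0.113.7 result=FAIL mfa=none
2022-06-01T08:00:12Z user=alice@example.com src=203.0.113.7 result=OK mfa=none
2022-06-01T08:15:00Z user=bob@example.com src=198.51.100.20 result=OK mfa=fido2
2022-06-01T08:20:00Z user=carol@example.com src=192.0.2.44 result=OK mfa=none
2022-06-01T09:00:00Z user=bob@example.com src=198.51.100.20 result=FAIL mfa=none
2022-06-01T09:00:30Z user=bob@example.com src=198.51.100.20 result=OK mfa=fido2
"""

# Constructed reputation deny-list (hypothetical, stands in for a threat-intel feed).
DENYLIST = {"192.0.2.44"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


def parse_log(text):
    """Parse the constructed key=value log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_bruteforce_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Flag a successful sign-in preceded by at least `min_failures` failures
    for the same account from the same source within `window`."""
    alerts = []
    recent_fail = defaultdict(list)  # (user, src) -> failure timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            recent_fail[key].append(ev["ts"])
            continue
        fails = [t for t in recent_fail[key] if ev["ts"] - t <= window]
        if len(fails) >= min_failures:
            alerts.append({"rule": "bruteforce_then_success", "user": ev["user"],
                           "src": ev["src"], "failures": len(fails), "ts": ev["ts"]})
        recent_fail[key] = []  # a success closes the failure streak
    return alerts


def detect_denylisted_source(events, denylist):
    """Flag successful sign-ins from sources on the reputation deny-list."""
    return [{"rule": "denylisted_source", "user": e["user"], "src": e["src"], "ts": e["ts"]}
            for e in events if e["result"] == "OK" and e["src"] in denylist]


def detect_single_factor_success(events):
    """Flag successful sign-ins that completed without a second factor."""
    return [{"rule": "single_factor_success", "user": e["user"], "src": e["src"], "ts": e["ts"]}
            for e in events if e["result"] == "OK" and e["mfa"] == "none"]


def run_all(text, denylist=DENYLIST):
    """Run every rule over the log text and return the combined alert list."""
    events = parse_log(text)
    return (detect_bruteforce_success(events)
            + detect_denylisted_source(events, denylist)
            + detect_single_factor_success(events))


if __name__ == "__main__":
    for alert in run_all(SAMPLE_LOG):
        print(alert)
```

On the sample, alice's account is flagged twice (five failures in eleven seconds followed by a success, and that success used no second factor), carol's once for the deny-listed source and once for single-factor sign-in, while bob's single failure followed by a FIDO2-backed success raises nothing. The three rules are deliberately independent so that each can be tuned or switched off separately; in a real deployment the threshold and window would be set from observed baseline behaviour rather than the values chosen here.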