BEC tactics advancing


Business email compromise (BEC) remains a potentially lucrative attack methodology for cybercriminals, who continue to refine their techniques.

In a typical BEC scam, an attacker sends an individual a message that appears to be from a known contact. This could be a coworker, a senior company leader, or an important vendor or supplier.

An attacker might send an email that uses a similar domain name — for example, ending in .co instead of .com. Attackers can also:

"Hijack" email accounts through password theft or other means, giving them the ability to send truly authentic emails to scam targets.

Impersonate users on internal messaging apps frequently used by companies, such as Slack and Teams.

Impersonate vendors and executives in voicemails.
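As an added, defender-side illustration of the lookalike-domain tactic described above (this is not code from the original article), the following Python check flags an inbound sender domain that resembles, but does not match, a known contact's domain. The allowlist, the confusable-character table and the sample addresses are constructed for the example.

```python
"""Flag sender domains that look like, but are not, a known contact's domain.

Constructed example: the known-domain allowlist and all addresses are made up.
Assumes plain two-label domains (label.tld); registrable-domain extraction for
subdomains or multi-part suffixes such as .co.uk would need a public suffix list.
"""
from typing import Optional

# Constructed allowlist of domains the organisation actually corresponds with.
KNOWN_DOMAINS = {"example.com", "acme-supplies.com"}

# Visually confusable substitutions commonly used in lookalike registrations.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_confusables(label: str) -> str:
    """Map confusable character sequences to the letters they imitate."""
    for look, real in CONFUSABLES.items():
        label = label.replace(look, real)
    return label


def lookalike_reason(sender: str, known=KNOWN_DOMAINS) -> Optional[str]:
    """Return why `sender` resembles a known domain, or None when it is an exact
    match or clearly unrelated. Any non-None result warrants out-of-band
    verification (e.g. a phone call to a number already on file) before acting."""
    domain = sender.rsplit("@", 1)[-1].lower().strip()
    if domain in known:
        return None
    label, _, tld = domain.rpartition(".")
    for good in known:
        g_label, _, g_tld = good.rpartition(".")
        if label == g_label and tld != g_tld:
            return f"TLD swap: {domain} vs {good}"  # the .co-for-.com case
        if normalise_confusables(label) == normalise_confusables(g_label):
            return f"confusable characters: {domain} vs {good}"
        if edit_distance(label, g_label) == 1:
            return f"one character off: {domain} vs {good}"
    return None
```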

A message sent by an attacker will include what appears to be a legitimate request — for example, to make a payment to a vendor’s new bank account or a link to review a draft report written by a coworker. Scammers are counting on targets not reading emails and other messages in detail or verifying new details before making payments or clicking on links.

The result could be thousands or even millions of dollars unknowingly transferred to cybercriminals or malware being installed on corporate systems, through which attackers can gain access to PII, PHI, passwords, and more.

In July 2024, for example, a hacker obtained credentials to gain access to a Disney employee’s Slack account, and proceeded to steal 1.1 terabytes of corporate data. Meanwhile, in August 2024, chemical manufacturer Orion reported to the Securities and Exchange Commission that an employee was manipulated into wiring $60 million to a third party in a BEC scheme.

As with ransomware, attackers are exploring new BEC tactics and delivery methods. In addition to looking to compromise supply chains, as in the examples above, attackers are increasingly:

Impersonating vendors and executives using deepfakes.

Widely accessible AI tools can allow attackers to create hyper-realistic video and audio clips through which they can compel targets to make fraudulent payments or share sensitive information. In one such scheme reported by the Hong Kong police in February 2024, cybercriminals used a deepfake to pose as a multinational company’s CFO in a video conference call and induce a finance employee into making a $25 million fraudulent payment.

Using QR codes in phishing attacks, also known as “quishing.”

Attackers are using seemingly authentic and safe QR codes to trick targets into downloading malware or visiting fraudulent websites, through which attackers can obtain PII, PHI, passwords, and other sensitive information.


© 2025 Lockton Companies. All rights reserved.
