How BEC attacks have adapted to the pandemic [Q&A]
Business Email Compromise (BEC) attacks are increasingly used by attackers as a way of targeting organizations. New research from Abnormal Security indicates that these attacks have adapted to the pandemic, with Zoom becoming the most impersonated brand and COVID-themed attacks surging.
We spoke to Evan Reiser, CEO of Abnormal Security, to find out more about what’s been happening and what trends we can expect to see as the year progresses.
BN: How are COVID-19-themed attacks evolving as the pandemic continues to play out?
ER: The pandemic induced the rapid acceleration of digital transformation trends that many once thought would take a decade to develop. While the threat landscape has shifted rapidly, with cybercriminals effectively adapting strategies and campaigns to target enterprises and their employees, organizations have not been able to respond as quickly with changes to their approach to email security.
Unsurprisingly, attackers were ready, willing and able to use the time of confusion to refine and improve strategies for compromising email accounts. Preying on fear, uncertainty and anxiety is a constant aspect of the social engineering equation for cyberattackers. It's why we saw such a remarkable spike in COVID-19-themed attacks as soon as the outbreak reached pandemic status.
The first wave in March largely consisted of attacks designed to harvest company email credentials or plant malware that would give attackers a foothold on corporate networks and take over accounts. At the same time, attackers better learned how to prey on COVID-19 uncertainty and anxiety in order to effectively work it into more sophisticated BEC attacks launched through those footholds.
COVID-19-themed attacks continued to increase week-over-week, finally peaking in the third and fourth weeks of April. On average, the weekly COVID-19 campaign volume increased 389 percent from Q1 to Q2, with a remarkably high volume of credential phishing attacks.
As the email threat landscape continues to evolve with the pandemic, it will be critical for enterprises to keep pace in the coming weeks and months.
BN: One of the takeaways from your most recent quarterly BEC report is that the pandemic has boosted invoice and payment fraud attacks. Why is that the case?
ER: Prior to the pandemic, we had already started to observe an increase in payment and invoice fraud as attackers focused on weak links in the supply chain. As the pandemic began to impact the economy, many companies had to adapt their supply chains and were forced to make changes to their vendors and partners. This provided a ripe opportunity for attackers to further focus on payment and invoice fraud using the pandemic as cover. We've really seen a perfect storm of factors fueling payment and invoice fraud BEC attacks during the past five months.
More specifically, our research team continuously examines several different types of BEC attacks -- from engagement to gift card and paycheck fraud -- and determined that while single recipient attacks decreased year over year, invoice and payment fraud attacks have been accelerating more than others. Between April-June, we saw payment and invoice fraud attacks increasing 112 percent over Q1, with a spike of more than 60 percent in the last week of June.
Invoice fraud attacks are largely driven by vendor fraud, where attackers compromise vendors, customers, or anyone involved in the supply chain, to leverage the 'trusted' relationship and request or redirect payments. In these attacks, attackers hijack existing financial conversations to attempt to execute payment against fraudulent invoices or attempt to update a valid payment with fraudulent bank account details. Amidst COVID-19, businesses are relying on email for communication more than ever, creating a fruitful attack vector for scammers.
BN: What were the most unexpected findings from the email attacks you observed in the past 3-5 months?
ER: We constantly track brand impersonation, which is a very common form of fraud where a bad actor assumes the identity of a trusted or known entity. We saw a dramatic shift in the most impersonated brands between April and May where attackers leveraged the pandemic-influenced zeitgeist.
COVID-19 drove a big shift where Zoom replaced American Express at the top of the list, as scammers took advantage of its instant pandemic-fueled popularity and ubiquity to steal employee credentials and personal information. Example attacks include scammers asking recipients to join a Zoom meeting regarding their supposed termination and impersonating a Zoom notification in order to steal Microsoft account credentials.
Rounding out the top three were two other brands very much associated with COVID-19 shifts toward e-commerce and delivery: Amazon and DHL. Intuit and RingCentral followed closely behind within the top five. By way of comparison, the top three most impersonated brands in Q1 2020 were American Express, Amazon and iCloud.
BN: It seems counter-intuitive that attackers would target mid-level finance employees as opposed to the C-suite since the latter would lead to success more quickly. Why are attackers going after finance departments more?
ER: It comes down to effectiveness. While attackers found initial success targeting the C-suite, over time, the C-suite got smarter about these types of unusual requests, mainly because they don’t follow normal business processes. Attackers are now targeting mid-level employees who are less likely to question a request for a large invoice payment that supposedly comes from an executive or a vendor.
To better understand this, we started closely examining which employees were being targeted the most and identified a 37 percent decrease in attacks on the C-Suite year over year. Consequently, attacks on finance employees increased by 87 percent in the same period.
We saw this trend continue in Q2, with the average weekly BEC attacks against finance roles increasing by 50 percent. This continued trend can likely be attributed to the significant increase in invoice and payment fraud attacks, which do not typically target the C-Suite.
Finance employees may be lower in the organization, but they still have the ability to make large payments.
As part of this, we’re seeing more 'low and slow' attacks, where criminals impersonate the vendor by folding into the natural workflow. For example, we prevented a $700,000 invoice fraud attack earlier this year through which a threat actor targeted a telecommunications company by impersonating a vendor. The vendor was a real company, but the attacker used domain impersonation to spoof the vendor. Over the course of two months, the attacker convinced the telecommunications company to change banking details and redirect the payment of a legitimate invoice to the attacker’s account.
The initial outreach from the actor makes a very low-risk and inconsequential request by simply asking for an EFT/ACH transfer form. However, once the initial engagement has occurred, an email chain is established and subsequent interactions with other employees are met with less and less suspicion as the engagement continues to deepen.
To add greater credibility to the initial email for engagement, the actor included five additional impersonated employees from the impersonated vendor, presumably accounts receivable or other general and administrative employees.
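The vendor-impersonation pattern described above (a lookalike sender domain combined with a request to change or supply payment details) can be scored on the receiving side. The following is an added example, not Abnormal Security's code; the vendor domains, sender addresses and message bodies are constructed, and the similarity threshold and phrase list are illustrative assumptions.

```python
"""Score inbound mail for vendor impersonation: a sender domain that imitates a
known vendor, combined with banking/payment-detail language in the body."""
import re
from difflib import SequenceMatcher
from typing import Optional

# Constructed allow-list of domains the finance team actually does business with.
TRUSTED_VENDOR_DOMAINS = {"acme-supply.example", "northwind.example"}

# Phrases typical of the "low and slow" invoice-fraud thread (assumed list).
PAYMENT_DETAIL_PATTERNS = [
    r"\b(updated?|changed?|new)\b.{0,40}\b(bank|banking|account|wire|ach|eft)\b",
    r"\b(remit|redirect)\b.{0,40}\bpayment",
    r"\b(eft|ach)\b.{0,20}\bform\b",
]

def normalize(domain: str) -> str:
    """Fold common look-alike substitutions so 'acrne-supp1y' compares equal to 'acme-supply'."""
    d = domain.lower().strip()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(src, dst)
    return d

def lookalike_of(sender_domain: str, trusted: set, threshold: float = 0.85) -> Optional[str]:
    """Return the trusted domain the sender imitates, or None. An exact match is not a
    lookalike (a compromised real vendor is a different signal)."""
    if sender_domain.lower() in trusted:
        return None
    s = normalize(sender_domain)
    best, best_score = None, 0.0
    for t in trusted:
        tn = normalize(t)
        # Compare the whole domain and the first label, so a TLD swap still scores high.
        score = max(SequenceMatcher(None, s, tn).ratio(),
                    SequenceMatcher(None, s.split(".")[0], tn.split(".")[0]).ratio())
        if score > best_score:
            best, best_score = t, score
    return best if best_score >= threshold else None

def payment_detail_request(text: str) -> bool:
    """True when the body asks to change, supply or redirect payment details."""
    t = text.lower()
    return any(re.search(p, t) for p in PAYMENT_DETAIL_PATTERNS)

def score_email(sender: str, body: str, trusted=TRUSTED_VENDOR_DOMAINS) -> dict:
    """Combine both signals: impersonation plus payment language is a block; one alone is a review."""
    domain = sender.rsplit("@", 1)[-1]
    target = lookalike_of(domain, trusted)
    pay = payment_detail_request(body)
    verdict = "block" if target and pay else "review" if (target or pay) else "allow"
    return {"impersonates": target, "payment_change": pay, "verdict": verdict}
```

Because the real vendor's own mail passes the domain check, this only covers the spoofed-domain variant; a compromised vendor mailbox would still need the payment-language signal routed to human verification by phone.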
BN: What do you think will happen to BEC attack trends and patterns for the rest of this year?
ER: As we look out through the end of the year, we'll continue to see attackers ready to exploit today's BEC vulnerabilities. Based on current macroeconomic and geopolitical trends, we expect the following trends to play out:
- Upcoming US elections will put a target on state and local election administrators, candidates' campaign budgets, as well as confidential data.
- Supply chain attacks targeting finance departments with invoice fraud will continue to increase as a security threat to organizations.
- Work from home will continue through Q3 and, as a result, collaboration technologies like Zoom will continue to be among the most impersonated brands.
- BEC in general will continue to rise as attackers persistently find success with socially engineered techniques that evade traditional email security defenses.
- COVID-19-related attacks will continue to trend downward, with credential phishing accounting for a significant percentage of these attacks.