The evolution of business email compromise to business communication compromise

Malicious email

Business Email Compromise (BEC) attacks are no longer limited to traditional email accounts. Attackers are finding new ways to conduct their schemes -- and organizations need to be prepared to defend themselves.

Attackers are leveraging a new scheme called Business Communication Compromise to take advantage of large global corporations, government agencies and individuals. They are leveraging collaboration tools beyond email that include: chat and mobile messaging -- including popular cloud-based applications such as Slack, WhatsApp, LinkedIn, Facebook, Twitter and many more -- to carry out attacks.

Clearly, BEC is evolving into "business communication compromise" instead of strictly being based on email. This scheme targets multiple industries, especially in highly regulated sectors such as healthcare, life sciences and financial services. BCC-related attacks are now among the core techniques cyber criminals use to target an enterprise’s proprietary data and gain a foothold in protected environments.

Welcome to BCC

BEC attackers have broadened their horizons beyond traditional email accounts. With the rapid growth of the cloud workspace and accelerating use of multiple communications channels, attackers are conducting their attacks through new mediums.

Attackers can now take advantage of the many collaboration tools, chat, mobile messaging and social media sites. And these new targets are in addition to popular business email platforms such as Microsoft 365. This is giving rise to tremendous growth in attacks that cross common business channels.

Many organizations have large numbers of workers dealing with sensitive

information, and many deployments of Microsoft 365 include software licenses that provide additional security and compliance capabilities.

The security features in these licenses give security operations center teams automated tools that provide advanced threat protection for their users. But they don’t detect language-based risks or secure the non-Microsoft channels that companies might be using in their everyday operations.

For example, a help desk might receive an email that looks like it’s coming from the company’s CEO. The email isn’t coming from the CEO, however, but from a bad actor masquerading as the executive. In this case, the “CEO” is purported to be on vacation and somehow locked out of company systems.

The email to the help desk is asking for a reset of the CEO’s access to enterprise systems, and that the credentials be provided through WhatsApp. The help desk complies, and now access credentials have been transferred from a protected Microsoft 365 email account to something that's unprotected by most enterprises -- WhatsApp. From there, bad actors can share, sell or use credentials to commit an account takeover.

Research Shows

Industry research has shown that many organizations that experienced a security incident reported that Business Email based attacks accounted for more than half of the incidents.

The FBI has reported that as of December 2021 there had been a total of more than 241,000 domestic and international Business Email Compromise based incidents that resulted in exposed dollar losses of more than $43.3 billion. And in a February 2022 alert the bureau noted that criminals are using virtual meeting platforms to conduct BEC scams in multiple ways.

2022 continued to demonstrate that hackers are using multiple communications channels to carry out attacks via apps such as WhatsApp, Telegram and Slack.

Real world examples of this include: Lapsus$’s theft of source code, the Take Two  breach, and the robbery of half a billion dollars from Axie Infinity. It wasn’t zero days or custom exploits. So many headline breaches this year came down to sophisticated social engineering attacks.

Attackers target organizations and individuals with social engineering attempts and phishing scams to break into user accounts, then conduct unauthorized transfers of funds or trick other users into handing over their personal information.

We Need Stronger Defenses

Because these types of attacks can elude many protection tools, organizations need a platform that is capable of ingesting information from a variety of channels such as collaboration, chat, conferencing, social media, email and mobile chat.

Such a solution needs to be capable of understanding the context and the intent of communications across various channels -- via natural language understanding ro NLU that can detect sophisticated attack campaigns -- and help security analysts determine if a threat exists within their environment.

In addition to technology solutions, organizations need to step up their security awareness training to ensure that employees know they are potential targets and educate personnel on how to recognize a possible BCC attack.

They also should avoid posting detailed personal information on social media sites that can play into the hands of bad actors looking to personalize their social engineering scams. In addition, companies need to remove from their Web sites job descriptions, organizational charts and other details that cyber criminals could use to facilitate targeted phishing scams.

These are just a few of the steps security teams at organizations can take to defend against the latest BCC schemes or mitigate the consequences of such attacks. The main point is they need to do something -- and soon. BCC attacks continue to be popular among cyber criminals.

By taking the right measures, organizations can stay ahead of the bad actors looking to take advantage of communication weaknesses. By doing so they can better protect their own data as well as information owned by their business partners.

Photo Credit: Balefire/Shutterstock

Chris Lehman is CEO, SafeGuard Cyber. Chris is a seasoned senior executive with more than 20 years of experience working for some of the highest growth and most successful technology companies in the world. 

Comments are closed.

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.