Is business email compromise (BEC) a greater threat than ransomware to businesses today?

While ransomware may still be considered by CIOs and cybersecurity professionals as the most prevalent form of cyber-attack, it may be worth noting that business email compromise (BEC) is gaining far more popularity among the cybercriminal fraternity.

Ransomware attacks around the globe may have increased significantly, but Palo Alto’s latest report seemed to indicate that only 9% of these attacks were directed towards Asia. On the other hand, email security specialist Mimecast has reported that 84% if the organizations in Singapore have suffered at least one email-based attack in the past year.

Could BEC be a greater threat than ransomware to businesses today? CybersecAsia gets some answers from Ian Lim, Field Chief Security Officer, Asia Pacific, Palo Alto Networks:

Ian Lim, Field Chief Security Officer, Asia Pacific, Palo Alto Networks

What are the reasons behind the increase in BEC attacks, especially in Asia Pacific?

Lim: BEC attacks have been rising in popularity owing to the ease of orchestration, lucrative monetary benefits and their comparatively lower risk quotient. Most BEC actors target SMEs, as they make for a plentiful, easy, and diverse “hunting ground”.

BEC attacks can serve a hefty monetary reward, going up to an average of US$96,000 per victim. SMEs make up 80 to 90% of businesses within countries in the APAC region and employ a large workforce. However, they do not have the financial resources to build better infrastructure or invest in quality cybersecurity software and resilient defense systems, making them soft targets for BEC attacks.

Singapore’s status quo as an economic powerhouse in the APAC region, the high value and volume of monetary transactions, along with the increasing trend of M&As, also act as catalysts fueling the surge of BEC attacks in the region.

Who are leading these attacks? How are they carrying out these organized attacks?

Lim: While the most notorious and aggressive ransomware gangs are typically small teams, BEC actors are usually organized into much looser and more decentralized collectives, making it more difficult for law enforcement to target a central organization or kingpin.

However, in more recent times, these attacks are led by syndicates that have grown increasingly sophisticated and organized. They function like a corporation – one actor is usually the leader, teaching his craft, supporting and funding attacks of junior actors. The attacks are generally carried out by impersonating the domain names of organizations of high repute – such as governments, financial institutions, and more.

In May this year, Palo Alto Networks’ Unit 42 partnered with Interpol, named ‘Operation Delilah’, to arrest a SilverTerrier threat actor from Nigeria. He had over 240 domains registered using his aliases, including which more than 50 were used to provide command and control malware. He is well-connected with other BEC actors, sharing social media connections with actors who were arrested in Operation Falcon II in 2021 – which Unit 42 assisted in another partnership with Interpol.

The reality is that they are not isolated to these locations. Cell phone data from heads of Business Units in Nigeria suggests that they are well-connected, communicating with heads of criminal enterprises in Russia and North Korea.

Lim: What is the revenue opportunity for cybercriminals? How huge a target and contribution is the Asia Pacific region?

BEC remains one of the most common and costly threats facing organizations globally. This threat held the top spot for the sixth year on the 2021 FBI Internet Crime Complaint Center (IC3) report. Over half a decade, global losses have ballooned from $360 million in 2016 to a staggering $2.3 billion in 2021.

Cybercriminals who engage in BEC attacks can earn lucrative revenues, going up to an average of $96,000 per victim. Due to COVID-19, organizations worldwide are rapidly digitalizing their business, and for individuals, transitioning to remote and hybrid work is the new norm. While the world is in this digital transition, cybercriminals will capitalize on potential loopholes, and their revenue is poised to grow exponentially.

What do organizations stand to lose in the event of a BEC?

Lim: Palo Alto Networks’ Unit 42 Ransomware Threat Report 2021 found that the average ransomware demand for organizations was $847,344 in 2020. In the first half of 2021, the average ransom paid climbed 82% to $570,000. These are only direct monetary losses in paid ransoms by organizations.

Compared to ransomware, when you think of BEC, most people think of it as a less severe scam based on emails received from individuals in Nigeria who they do not have a true business impact. But we see that it has the most significant financial impact on businesses.

During an attack, organizations lose revenue while operating in a degraded state. Not only are they operating while having lost data, they may also have weakened network defenses, reduced financials, and even suffer reputational damage if they are institutions or organizations of high repute.

What are the common forms of BEC? How can employees spot a malicious email?

Lim: BECs are constantly evolving and changing, making the types and forms of BEC attacks hard to track. One recent form of a BEC attack utilizes a combination of spear phishing, custom webpages and a complex cloud single sign-on ecosystem. Users are tricked into revealing their credentials through web pages that are close imitations of legitimate login screens, such as Office 365 and Outlook. There would also be misleading alerts that prompt them into revealing their credentials, such as ‘Because you’re accessing sensitive info, you need to verify your password.’

Employees in sales, finance, human resources, logistics, and general office operations teams should be cautious when opening emails for actionable items. More so if they are about remittances, invoices, outstanding payments, requests for quotes (RFQ), purchase confirmation, shipment status, voice mails or fax delivery via email, etc. Criminals would integrate specific information within the email to increase its legitimacy. They should look for suspicious-looking subject headers such as ‘OneDrive Document to {username}’.

How can enterprises leverage the latest technologies to prevent such emails from entering the work stream?

Lim: Enterprises need to adopt a ‘zero trust’ mindset and use technologies that continuously validate the legitimacy of digital interactions. A good place to start is to enforce MFA to ensure that email accounts are not taken over and used as a launch pad for BEC activities. Next generation phishing prevention systems should also be implemented to reduce the likelihood of users getting phishing emails.

Besides using the latest technologies, organizations should routinely educate employees on cyber threat awareness and the evolving tactics and social engineering used, particularly in BEC attacks. Such training should also be tailored to their sales and finance teams to better identify a malicious or suspicious email. These training sessions should require all wire transfer requests to be validated using verified and established contact points for suppliers, vendors, and partners.

Lastly, compromise assessments should be done annually to test organizational controls and validate that there is no unauthorized activity occurring within the environment. By reviewing mailbox rules and user login patterns regularly, these assessments can verify that controls are functioning as expected and that unwanted behaviors are being effectively blocked throughout the environment.