Ever-growing in sophistication and democratization, business email compromise attacks are increasing in volume and require constant worker vigilance and awareness

With more employees working from home (WFH), email has become one of the main channels of work communication in South-east Asia (SEA). With so much critical data sent this way, it is unsurprising that cybercriminals see it as an effective and lucrative entry point.

In 2021, Kaspersky detected and blocked 253,365,212 phishing links globally (11 million of them in SEA); in total, 8.2% of the firm’s customers worldwide faced at least one phishing attack during the year.

With physical distancing in place, remote workers have also become targets of a subset of phishing: business e-mail compromise (BEC), which the firm defines as a targeted cybercriminal campaign that works by: 

  • initiating an e-mail exchange with a company employee, or taking over an existing one
  • gaining the employee’s trust
  • encouraging actions that are detrimental to the interests of the company or its clients

The FBI has reported that BEC attacks between 2014 and 2019 cost US businesses more than US$2bn. In Q4 2021 alone, Kaspersky registered over 8,000 BEC attacks, the greatest number (5,037) occurring in October. Through close analysis of the way fraudsters craft and distribute fake emails, the firm has found that such attacks tend to fall into two categories:

  1. ‘Large-scale’ or BEC-as-a-Service attacks, characterized by simplified mechanics designed to reach as many victims as possible. Attackers send streamlined messages en masse from free mail accounts, hoping that a fraction of recipients will respond.

    Such messages are rarely sophisticated, but they are efficient. Typically, an employee receives a fake email purporting to come from a more senior colleague. The message is deliberately vague, referring to some urgent request that needs handling. The victim may be asked to pay off a contract, settle a financial dispute, or share sensitive information with a third party. Any employee may potentially become a victim.

  2. ‘Highly targeted’ BEC attacks, in which an intermediary company’s mailbox is first compromised to gain access to one of its employees’ e-mail accounts. Once the scammers find suitable correspondence in that compromised mailbox (say, about financial matters or technical work issues), they continue the correspondence with the targeted company, impersonating the intermediary.

    Often, the goal is to persuade the victim to transfer money or install malware. Because the targets are genuinely party to the conversation the attackers reference, they are far more likely to fall for the scam, and such attacks have proven highly effective.
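The two patterns above translate into header and content checks that a mail gateway or a SOC triage script can apply: an executive’s display name on an external (often free) mailbox for the mass-scale variant, and a reply that continues a known thread from a domain other than the one the thread originally came from (a compromised intermediary or a lookalike domain) for the targeted variant. The following is an added example, not code from the original article or from Kaspersky. The organisation data (internal domain, executive names, free-mail list, the map of known thread Message-IDs to sender domains) and the three messages are constructed for the example and are assumptions, not real data.

```python
"""Heuristic BEC triage over raw RFC 5322 messages (added example, constructed data)."""
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation data, constructed for this example.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}                                   # display names of senior staff
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "mail.com"}
URGENCY_WORDS = ("urgent", "asap", "immediately", "wire", "payment", "confidential")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (supp1ier vs supplier)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str, thread_senders: dict) -> tuple:
    """Score one raw message; returns (score, reasons).

    thread_senders maps the Message-ID of an earlier message in a known
    conversation to the sender domain that message came from."""
    msg = message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])

    # Mass-scale pattern: a senior colleague's display name on an external,
    # typically free, mailbox.
    if name.strip().lower() in EXECUTIVES and from_dom != INTERNAL_DOMAIN:
        reasons.append(f"executive display name '{name}' sent from {from_dom}")
        if from_dom in FREE_MAIL_DOMAINS:
            reasons.append("sender uses a free mail provider")

    # Replies silently redirected to a different mailbox.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Targeted pattern: the message continues a known thread, but the sender
    # domain is not the one the thread came from (compromised intermediary
    # forwarding through its own infrastructure, or a lookalike domain).
    prior_dom = thread_senders.get(msg.get("In-Reply-To", "").strip())
    if prior_dom and prior_dom != from_dom:
        reasons.append(f"thread from {prior_dom} continued from {from_dom}")
        if 0 < edit_distance(prior_dom, from_dom) <= 2:
            reasons.append(f"{from_dom} is a lookalike of {prior_dom}")

    # Social-engineering pressure in subject or body.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        reasons.append("urgency/payment language: " + ", ".join(hits))

    return len(reasons), reasons


# Constructed sample messages (not real traffic).
MASS_SCALE = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: accounts@example.com
Subject: Urgent request

Are you at your desk? I need a payment made right away, I will send the details.
"""

TARGETED = """From: Accounts <billing@supp1ier.example>
To: ap@example.com
Subject: Re: Invoice - updated bank details
In-Reply-To: <thread-1@supplier.example>

Following our last exchange, our bank details have changed. Please wire the
outstanding balance to the new account.
"""

BENIGN = """From: Jane Doe <jane.doe@example.com>
To: team@example.com
Subject: Lunch on Friday

Shall we book the usual place?
"""

SAMPLES = {"mass_scale": MASS_SCALE, "targeted": TARGETED, "benign": BENIGN}
THREADS = {"<thread-1@supplier.example>": "supplier.example"}   # assumed thread history


def triage_samples() -> dict:
    """Score every constructed sample against the assumed thread history."""
    return {label: score_message(raw, THREADS) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, (score, reasons) in triage_samples().items():
        print(f"{label}: score={score}")
        for reason in reasons:
            print("   -", reason)
```

The thread-history lookup is what separates the targeted case from ordinary vendor email: a changed bank account in a message that merely *looks* like a reply is suspicious, but a changed account in a message whose In-Reply-To points at a real prior exchange, sent from a domain one character off the original, is the hijacked-correspondence pattern described above and should be routed to a human before any payment is made.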

According to a security expert at the firm, Roman Dedenok: “While fewer people tend to fall for simple mass-scale BEC emails now, fraudsters have started to carefully harvest data about their victims and use it to build trust. Some of these attacks are possible because cybercriminals can easily find names and job positions of employees as well as lists of contacts in open access. That is why we encourage users to be careful at work.”

Example of a targeted BEC attack