Business Email Compromise (BEC) is not a new term. BEC scams have been growing in popularity for some time now. If you’re not familiar with BEC, it’s when a fraudulent email is sent to a company or individual, and the email appears to be from a legitimate business resource or person, often varying from the legitimate email address by just a letter or two. There may be instructions within the scam email for the recipient to transfer money, purchase gift cards, click on a malicious link, or perform some other activity at the behest of the sender. Unfortunately, BEC scams often put the recipient at a disadvantage because they see the name or title of the sender and react quickly, or are hesitant to question authority.
So, what’s the secret sauce that cybercriminals use across the board when launching their attacks on unsuspecting victims? According to a recent report from Barracuda, it’s surprisingly simple and straightforward: legitimate email accounts.
Let’s elaborate on that. Barracuda found that hackers launched 100,000 BEC attacks on over 6,000 organizations by using 6,170 legitimate email accounts (which of course, were created with malicious intent). We’re talking Gmail, AOL, and other verified email services.
The report further outlines the details of the attacks, identifying that 45% of the BEC attacks since April of 2020 were carried out with these email accounts. It appears that Gmail is the platform of choice with 59% of the accounts originating there. This may be a result of the cost to create an account (it is free), the ease of registration of a new account, and the solid reputation that a company like Google carries – meaning it is much more likely to pass through security filters.
Change in Identity
While the email account will remain the same, the sender name does get updated from time to time by the cybercriminal in order to go unnoticed by the recipient. These accounts are not often used for more than a 24-hour period and then will go dormant for a while to lessen suspicion or if it has been flagged already, to reduce the likelihood of being detected by another server. That doesn’t mean it goes away forever. Like your MySpace account, it stays out there in cyberspace waiting to be revisited.
Again, BEC scams are not new and they are just a small ‘subdivision’ of the much bigger issue of phishing – the single most used point of entry to a company in order to breach the data contained within the business infrastructure. And with the cost being minimal (basically it is free to do) and return on investment being potentially huge, the risk far outweighs the benefits.
Ongoing training is one of the best ways to arm employees and clients with the right tools to catch the phish.