13.08.2019
Threat Spotlight: Barracuda Study of 3,000 Attacks Reveals BEC Targets Different Departments
One of the most prevalent types of cyberfraud is the Business Email Compromise, or BEC scam. These attacks are responsible for billions of dollars in fraud losses over the last few years, and the criminals keep getting better at scamming their victims.
In this Barracuda Threat Spotlight, we take a look at the different types of BEC attacks that have been analyzed by the Barracuda Sentinel Team.
Highlighted Threat:
Criminals use Business Email Compromise (BEC) attacks to obtain access to a business email account and imitate the owner’s identity, in order to defraud the company and its employees, customers or partners. In most cases, scammers focus efforts on employees with access to company finances or payroll data and other personally identifiable information (PII).
The Details:
To better understand the goals and methodology of BEC attacks, we compiled statistics for 3,000 randomly selected BEC attacks from the Barracuda Sentinel system. Table I summarizes the objectives of the attacks:
| BEC Objective | Link Included | Percentage |
| --- | --- | --- |
| Wire Transfer | No | 46.9 |
| Click Malicious Link | Yes | 40.1 |
| Establish Rapport | No | 12.2 |
| Steal Information (PII) | No | 0.8 |

TABLE I: The objective of BEC attacks as a percentage of 3,000 randomly chosen attacks. 59.9% of attacks (wire transfer, rapport and PII requests combined) do not involve a phishing link.
The most common objective in the sampled attacks is to deceive the recipient into making a wire transfer to a bank account controlled by the attacker, while about 0.8% of the attacks ask the recipient to send the attacker personally identifiable information (PII), typically in the form of W-2 forms that contain Social Security numbers. Here's a recent example of a wire transfer BEC with the names and addresses redacted:
About 40% of attacks ask the recipient to click on a link, as you see in the following example:
12% of attacks try to establish rapport with the target by starting a conversation (e.g., the attacker asks the recipient whether they are available for an urgent task). For these "rapport" emails, in the vast majority of cases the attacker asks for a wire transfer as soon as the recipient replies to the initial message.
An important observation is that about 60% of BEC attacks do not involve a link: the attack is simply a plain text email intended to fool the recipient to commit a wire transfer or send sensitive information. These plain text emails are especially difficult for existing email security systems, because they are often sent from legitimate email accounts, tailored to each recipient, and do not contain any suspicious links.
We also sampled attacks from 50 random companies and classified the roles of the recipient of the attack, as well as the impersonated sender. The results are presented here in Table II:
| Role | Recipient % | Impersonated % |
| --- | --- | --- |
| CEO | 2.2 | 42.9 |
| CFO | 16.9 | 2.2 |
| C-Level | 10.2 | 4.5 |
| Finance / HR | 16.9 | 2.2 |
| Other | 53.7 | 48.1 |

TABLE II: The roles of recipients and impersonated employees from a sample of BEC attacks chosen from 50 random companies. C-Level includes all executives other than the CEO and CFO, and Finance / HR does not include executives.
Based on the results in Table II, the term “CEO fraud” used to describe BEC is indeed justified: about 43% of the impersonated senders were the CEO or founder.
The targets of the attacks are spread much more evenly across roles. Note, too, that even among impersonated senders the majority (about 57%) are not the CEO.
As you can see, almost half of the impersonated roles and more than half of targets are not of “sensitive” positions, such as executives, finance or HR. Therefore, simply protecting employees in sensitive departments is not sufficient to protect against BEC.
"Based on the results of the Barracuda Sentinel attack analysis, the term 'CEO Fraud' as used to describe BEC is indeed justified." ~ Asaf Cidon
Take Action:
- Wire transfers should never go out without an in-person conversation or phone call. Use additional care with phone calls if the only contact information is included in the potentially fraudulent email.
- Because the CEO is the most impersonated role, users should take extra care with emails that appear to come from the CEO. If the CEO is making a request, or if it is unusual to receive email from the CEO, the user should confirm its legitimacy before taking action.
- Implement a training program that teaches users how to spot a BEC attack, and use that program to continually train and test them on updated techniques.
- Deploy an email protection system like Barracuda Sentinel to automatically stop spear phishing and cyberfraud attacks that lead to a successful BEC scam.
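As an added illustration (not Barracuda Sentinel's code and not part of the original article), the following Python triage heuristic applies the two observations above to inbound mail: it buckets a message into the four objectives of Table I (link, PII request, wire transfer, rapport) and flags display-name impersonation of a known executive, the pattern behind "CEO fraud". The company domain, the executive roster and the five sample messages are constructed for the example; the keyword lists are assumptions, not a published detection model.

```python
"""Heuristic BEC triage: classify an email's objective and flag executive
display-name impersonation.

Added example for this article; not Barracuda Sentinel's code.  The domain,
executive roster, keyword lists and sample messages are all constructed.
"""
import re
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed: the organisation's own domain and its executives (hypothetical)
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVES = {"jane doe": "ceo", "john roe": "cfo"}

# Keyword groups mirroring the objectives in Table I (assumed, illustrative)
WIRE_PATTERNS = [r"\bwire\b", r"\btransfer\b", r"\bbank (account|details)\b",
                 r"\bpayment\b", r"\binvoice\b"]
PII_PATTERNS = [r"\bw-?2s?\b", r"\bsocial security\b", r"\bssn\b",
                r"\bpayroll\b", r"\bemployee (list|records)\b"]
RAPPORT_PATTERNS = [r"\bare you (available|at your desk|in the office)\b",
                    r"\bquick (task|favou?r)\b", r"\bcan you help\b", r"\burgent\b"]
URL_PATTERN = re.compile(r"https?://\S+", re.I)


@dataclass
class Verdict:
    objective: str                 # one of the Table I buckets, or "none"
    impersonated_role: Optional[str]
    reasons: List[str]             # why impersonation was flagged


def _normalize_name(name: str) -> str:
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def detect_impersonation(from_header: str, reply_to: Optional[str] = None):
    """Flag a message whose display name matches an executive but whose
    address is off-domain, or whose Reply-To silently redirects replies."""
    display, addr = parseaddr(from_header)
    reasons: List[str] = []
    role = EXECUTIVES.get(_normalize_name(display))
    if role is None:
        return None, reasons
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain != COMPANY_DOMAIN:
        reasons.append(f"display name '{display}' matches {role.upper()} "
                       f"but sender domain is {domain}")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if rt_addr.lower() != addr.lower():
            reasons.append(f"Reply-To {rt_addr} differs from From {addr}")
    return (role if reasons else None), reasons


def classify_objective(subject: str, body: str) -> str:
    """Order matters: a link is the strongest signal, then a PII request,
    then a payment request; a bare availability check is the rapport opener."""
    text = f"{subject}\n{body}".lower()
    if URL_PATTERN.search(text):
        return "click_link"
    if any(re.search(p, text) for p in PII_PATTERNS):
        return "steal_pii"
    if any(re.search(p, text) for p in WIRE_PATTERNS):
        return "wire_transfer"
    if any(re.search(p, text) for p in RAPPORT_PATTERNS):
        return "establish_rapport"
    return "none"


def triage(msg: Dict[str, str]) -> Verdict:
    role, reasons = detect_impersonation(msg["from"], msg.get("reply_to"))
    return Verdict(classify_objective(msg["subject"], msg["body"]), role, reasons)


def tally(msgs) -> Dict[str, int]:
    """Count objectives across a batch, the way Table I was compiled."""
    counts: Dict[str, int] = {}
    for m in msgs:
        obj = triage(m).objective
        counts[obj] = counts.get(obj, 0) + 1
    return counts


# Constructed sample messages (no real senders or domains)
SAMPLES = [
    {"from": "Jane Doe <jane.doe@lookalike-mail.test>", "subject": "Urgent payment",
     "body": "I need you to process a wire transfer to a new vendor today. Bank details below."},
    {"from": "Jane Doe <jane.doe@example-corp.test>", "reply_to": "ceo.office@freemail.test",
     "subject": "Quick task", "body": "Are you available? I need a quick favor handled discreetly."},
    {"from": "HR Portal <hr@notify.test>", "subject": "Payroll update",
     "body": "Please review your payroll record at http://portal.notify.test/login"},
    {"from": "John Roe <john.roe@lookalike-mail.test>", "subject": "W2 request",
     "body": "Send me the W2s for all employees as PDF."},
    {"from": "Sam Vendor <sam@vendor.test>", "subject": "Lunch",
     "body": "Want to grab lunch Thursday?"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", triage(m))
    print(tally(SAMPLES))
```

The second sample is the case the article warns about: the From address is the genuine company domain (a compromised or spoofed account), the body contains no link and no payment language, and only the mismatched Reply-To plus the availability question give it away. A real deployment would feed these signals into a score alongside DMARC results rather than treating any one as a verdict.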
Barracuda Resources:
Real-Time Spear Phishing and Cyber Fraud Defense — Barracuda Sentinel is the only solution in the market that can automatically prevent email account takeover. It combines three powerful layers: an artificial intelligence engine that stops spear phishing attacks in real time, including emails that originate from within the company; domain fraud visibility using DMARC authentication to guard against domain spoofing and brand hijacking; and fraud simulation training for high-risk individuals.
User Training and Awareness — Employees should be regularly trained and tested to increase their security awareness of various targeted attacks. Simulated attack training is by far the most effective form of training. Barracuda PhishLine provides comprehensive, SCORM-compliant user training and testing as well as phishing simulation for emails, voicemail, and SMS along with other helpful tools to train users to identify cyberattacks.