BEC attacks
BEC Attacks! Empowered by AI Tools

Across all BEC attacks seen over the past year, 57% relied on language as the main attack vector to reach unsuspecting employees, according to Armorblox.

Microsoft defines BEC as “a type of cybercrime where the scammer uses email to trick someone into sending money or divulging confidential company info. The culprit poses as a trusted figure, then asks for a fake bill to be paid or for sensitive data they can use in another scam. BEC scams are rising due to increased remote work—there were nearly 20,000 BEC complaints to the FBI last year.”

Beyond the basic: BEC variants demystified

BEC attacks encompass a variety of attack types, each employing a different set of techniques to circumvent traditional security measures. These attack types include:

  • Payroll diversion fraud: Targeted emails designed to fraudulently solicit a change in direct deposit information to steal from an employee.
  • Email account compromise: Attackers gain control of a valid email account via credential phishing. The attackers exploit the account further to compromise customers, third-party vendors, and internal employees.
  • Vendor email compromise: A long-term business email compromise attack that uses legitimate third-party email accounts to compromise the vendor’s clients further.
  • Advanced credential phishing: Attackers distribute emails containing malicious zero-day URLs, often hiding the final credential phishing site behind numerous redirects and counterfeit pages.
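For the payroll diversion and account compromise variants above, a defender can triage a message from its headers before anyone reads the body. The following is an added example, not code from the article or from any vendor it cites: it reads SPF, DKIM and DMARC verdicts only from the receiving gateway's own Authentication-Results header, flags a Reply-To domain that differs from the From domain, and looks for payroll or payment wording. The gateway name mx.corp.example, the other domains, the phrase list and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed pretext phrases for payroll/payment fraud; tune them to your own mail.
PRETEXT = re.compile(r"direct deposit|payroll|bank details|invoice|wire transfer", re.I)

def domain(header_value):
    """Lowercase domain of an address header, '' when the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_verdicts(msg, trusted_authserv):
    """SPF/DKIM/DMARC results, read only from our own gateway's header."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.split()[:1] != [trusted_authserv]:
            continue  # any other authserv-id may have been forged by the sender
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I):
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts

def triage(raw, trusted_authserv):
    """Return the BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    verdicts = auth_verdicts(msg, trusted_authserv)
    findings = [f"{m}={verdicts.get(m, 'missing')}"
                for m in ("spf", "dkim", "dmarc") if verdicts.get(m) != "pass"]
    from_dom, reply_dom = domain(msg["From"]), domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from {from_dom}")
    body = "" if msg.is_multipart() else msg.get_payload()
    if PRETEXT.search(f"{msg['Subject'] or ''}\n{body}"):
        findings.append("payroll or payment pretext")
    return findings

# Constructed sample message (not real traffic); all names are placeholders.
SAMPLE = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail.test;
 dkim=none; dmarc=fail header.from=corp.example
Authentication-Results: forged.test; spf=pass; dkim=pass; dmarc=pass
From: "Jane Doe" <jane.doe@corp.example>
Reply-To: jane.doe@corp-hr.test
Subject: Update my direct deposit before Friday

Please switch my payroll to the new account below.
"""

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE, "mx.corp.example")))
```

The second Authentication-Results header in the sample claims a clean pass from an unknown authserv-id and is ignored, which is why the gateway should strip or distrust any such header it did not add itself.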

BEC attacks: What lies ahead

Monetary deceit, such as payroll, payment, and invoice fraud, surged by 72% throughout 2022. These attacks are projected to maintain their upward trajectory in 2023, particularly in light of the banking upheaval frequently making headlines.

With tools like ChatGPT available, the number of Business Email Compromise (BEC) emails reaching employee inboxes is expected to surge substantially in 2023. A growing number of campaigns will also use pretexts tied to remote work to target employees, owing to the increasing prevalence of hybrid work arrangements.

Concluding note

Complex problems in cyber security have been over-engineered. Although those complexities have been reduced to simple solutions for both ethical and unethical users, the remaining gaps give unethical users room to exploit them.

Cloud security solutions are the ultimate need for organizations today, but they still lack metadata-based detection, email authentication checks, content protection, and unified context and learning.

So today, relying on machine-based security alone is not enough. Security has to come from all tiers, the surroundings, and the workforce. Stay safe and secure!

Author: Marrium Akhtar
Date: April 19, 2023

Marrium is a dedicated digital marketer and an SEO enthusiast who is skilled in cracking SEO codes. Other than work, she loves to stream, eat, and repeat.
