BEC fraud is a structural problem for European businesses
Cybercriminals use spoofed business e-mail addresses to con their victims
Over the last 12 months, 70 per cent of European businesses have been targeted by business e-mail compromise attacks. In 21 per cent of cases, these 'BEC attacks' were at least partially successful, according to a survey of 1,000 European businesses carried out by Sapio Research for Arctic Wolf. Also known as CEO fraud, BEC fraud involves a scammer pretending to be an executive, manager, officer or partner of a business or another organisation in order to trick someone working there into sending money or sharing confidential information.
The growth of BEC fraud is partly down to technological developments. Until recently, a scammer posing as someone else was unlikely to get very far unless they did a lot of research first. What kind of style and tone does the person use in their e-mails? How are they with their colleagues and partners? Recent advances in AI have made it much easier for scammers to be convincing, though, and have made the task of detecting scams much harder. On top of which, AI rarely (if ever) makes spelling or grammatical errors.
Not long ago, the crooks' favoured approach was to use a template, then 'personalise' it to generate a large volume of spam. The weakness of that approach was that, once a given scam had been identified, spam filters could easily recognise all other messages based on the same template. However, AI enables the scammers to generate huge volumes of personalised mail, where individual messages bear little resemblance to one another. It's even possible to mimic someone's writing style and adapt the message content to match their relationship to the recipient.
Originally, BEC fraud was a way of tricking victims into sending money. However, a scam of that kind is a labour-intensive, multi-stage process. As such, it's only worthwhile for a crook if a large amount of money is involved, especially now that so many organisations have adapted their purchasing processes and introduced stricter procurement rules. So, instead of requesting payment of a new invoice, scammers have taken to sending reminders about invoices already cleared for payment – but with a fraudulent account number inserted. Many organisations don't yet have systems for countering the ploy. A reminder is sent, which appears to come from a genuine supplier, but doesn't state the amount or number of the unpaid invoice. Relying on the probability that the targeted organisation will have an unpaid invoice from the supplier, what the scammers aim to do is get the payee account number changed in that organisation's payment system. Then, when the genuine invoice is paid, the crooks will get the money.
Hybrid vishing involves e-mail and phone calls. The targeted organisation is first mailed, then the scammer calls to chivvy the recipient into dealing with the mail. In 2023, 45 per cent of BEC attacks in the US followed that pattern. A follow-up phone call tends to make targets more willing to accept a scam e-mail at face value and assume that the source is legitimate.
Registering a lookalike domain name is another tactic that cybercriminals tend to use only for high-value targets. Usually, they prefer to rely on recipients seeing an e-mail sender's display name, and not looking at the actual 'From' address, which is often a free mailbox linked to a Gmail account or similar. The 3 per cent of attacks that do make use of lookalike domains nevertheless involve several billion messages a year, and therefore represent a significant threat. Fortunately, a growing number of businesses are using domain name monitoring services to reduce the risk.
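As an added example (not from the article or from Arctic Wolf), the following triage rule flags the two sender patterns described above: an executive's display name paired with a free-mail address, and a domain that is a near-miss of the organisation's own. The domain, names and free-mail list are constructed placeholders.

```python
"""Defender-side From-header triage for the two BEC sender patterns above."""
from email.utils import parseaddr

# Constructed sample data (hypothetical): the protected domain, executives whose
# names scammers might display, and common free-mail providers.
OWN_DOMAIN = "example-corp.eu"
EXEC_NAMES = {"Anna Jansen", "Pieter de Vries"}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
LOOKALIKE_MAX_EDITS = 2  # e.g. one swapped letter plus one dropped letter


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_from(header: str) -> str:
    """Classify a raw From: header value.

    Returns 'ok' for the organisation's own domain, 'display-name-spoof' when
    an executive's name fronts a free mailbox, 'lookalike-domain' when the
    sender domain is within LOOKALIKE_MAX_EDITS of OWN_DOMAIN, and
    'unknown-sender' otherwise (left for the normal mail pipeline).
    """
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == OWN_DOMAIN:
        return "ok"
    # Pattern 1: the display name is what the recipient sees; the real
    # address behind it is a free mailbox.
    if name.strip() in EXEC_NAMES and domain in FREEMAIL:
        return "display-name-spoof"
    # Pattern 2: a registered lookalike of the protected domain.
    if domain and edit_distance(domain, OWN_DOMAIN) <= LOOKALIKE_MAX_EDITS:
        return "lookalike-domain"
    return "unknown-sender"


if __name__ == "__main__":
    for h in ("Anna Jansen <anna.jansen@example-corp.eu>",
              "Anna Jansen <anna.jansen.ceo@gmail.com>",
              "Accounts <billing@exarnple-corp.eu>"):
        print(f"{classify_from(h):20} {h}")
```

In production the free-mail list and executive names would come from the mail gateway's directory rather than constants, and a 'lookalike-domain' hit is a good trigger for the domain-monitoring services the article mentions.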
Visit sidn.nl for advice on how to protect your business against BEC fraud.