BEC is an impersonation scam
At its core BEC is a criminal hacker posing as someone who is trusted, for the purpose of stealing money. Criminals took $3B from US businesses in 2023 [1] by this method. It’s unsettling to consider an attacker observing the interactions between a victim and a person the victim trusts, biding their time and developing rapport until the actual strike. But that’s the way these criminals operate – limited in each scam only by their cleverness.
The creep factor of BEC
Simple BEC attacks may involve nothing more than a phishing email from a known sender; more advanced attacks can combine several techniques. One of the factors that distinguishes BEC attacks from traditional phishing is the criminal’s knowledge of the target organization. This insider knowledge can be obtained through:
The web: Attackers may research a company’s website, news articles and other public sources to learn about its operations and personnel.
Social media: Criminal hackers may watch social media platforms to gather information about employees and their personal lives that can be used to manipulate them.
Social engineering: Attackers may trick employees by first building trust and then manipulating them to perform actions, like revealing information, that aid the attacker. They may use against the victim the emotional pressure of wanting to be seen as efficient in the eyes of a boss, or the fear that not complying will result in bad consequences.
Phishing attacks: Attackers may use emailed phishing attacks to trick victims into clicking on malicious links or opening attachments that contain malware, to gain access to the target organization’s network.
Malware: Criminals may deploy malware to gain unauthorized access to a business network and gather sensitive information.
Supply chain attacks: Attackers may infiltrate and monitor a supplier’s accounting department to more accurately impersonate its transactions. Or attackers may breach vulnerable software to gain access to the target organization’s network.
Once the con artist has obtained insider knowledge, they can tailor their attacks to be more convincing and effective. According to Bryley partner Mimecast, attackers generate high ROI from low-tech attacks that contain no payload, only social-engineered text. [2]
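Because a payload-free BEC message carries no link or attachment for a malware scanner to catch, defenders have to look at who the mail claims to be from and what it asks for. The script below is an added illustration of that kind of content-and-header heuristic; it is not code from the article, from Bryley or from Mimecast. The internal domain, the executive directory, the two sample messages and the scoring weights are all constructed assumptions for the example and would be tuned in a real deployment.

```python
"""Heuristic scoring of inbound mail for payload-less BEC indicators.

Added example, not code from the original article. The internal domain,
executive directory, sample messages and weights are constructed assumptions.
"""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                         # assumed internal domain
EXECUTIVES = {"dana reyes": "dana.reyes@example.com"}   # constructed directory entry
SUSPICIOUS_THRESHOLD = 5                                # assumed cut-off, tune per site

URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire|invoice|bank details|gift cards?|payment|transfer)\b", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough to spot one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(domain: str) -> bool:
    """True when the domain is close to, but not equal to, the internal one."""
    if not domain or domain == INTERNAL_DOMAIN:
        return False
    return _edit_distance(domain, INTERNAL_DOMAIN) <= 2


def score_message(raw: str) -> dict:
    """Score one RFC 5322 message; returns score, reasons and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    score, reasons = 0, []
    from_domain = _domain(addr)

    # Display name claims to be an executive, but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        score += 4
        reasons.append(f"display name '{name}' matches an executive but sender is {addr}")

    # Sender domain is a one- or two-character variant of the internal domain.
    if _lookalike(from_domain):
        score += 3
        reasons.append(f"sender domain {from_domain} resembles {INTERNAL_DOMAIN}")

    # Replies are silently routed somewhere other than the apparent sender.
    if reply and _domain(reply) != from_domain:
        score += 2
        reasons.append(f"Reply-To domain {_domain(reply)} differs from sender domain {from_domain}")

    # The social-engineering pressure the article describes: urgency plus money.
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency language in body")
    if PAYMENT.search(text):
        score += 2
        reasons.append("payment or financial request in body")

    # Note (without changing the score) that nothing here is scannable as a payload.
    has_payload = any(True for _ in msg.iter_attachments()) or bool(re.search(r"https?://", text))
    if score and not has_payload:
        reasons.append("no link or attachment: payload-less, malware filters alone will not catch it")

    return {"score": score, "reasons": reasons, "suspicious": score >= SUSPICIOUS_THRESHOLD}


# Constructed sample messages for the example.
BEC_SAMPLE = """\
From: Dana Reyes <dana.reyes@examp1e.com>
Reply-To: Dana Reyes <d.reyes@mail-relay.invalid>
To: accounts@example.com
Subject: Quick favour

Are you at your desk? I need an urgent wire sent to a new vendor today,
keep this confidential until I'm back from the board meeting. Send me the
bank details form you use and I'll fill it in.
"""

BENIGN_SAMPLE = """\
From: Dana Reyes <dana.reyes@example.com>
To: accounts@example.com
Subject: Board deck

Slides look fine, no changes from me. Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = score_message(sample)
        print(label, result["score"], result["suspicious"])
        for reason in result["reasons"]:
            print("  -", reason)
```

Each check maps to something in the article: the executive-name check and the lookalike domain catch the impersonation itself, the Reply-To check catches the attacker steering the conversation away from the real person, and the urgency and payment patterns catch the pressure the message applies. None of them requires a payload, which is the point.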