Attack Stories: A Sustained & Targeted BEC Campaign On A Manufacturing Company

What is Business Email Compromise (BEC)

Business email compromise (BEC) — also known as Email Account Compromise (EAC) — is one of the most financially damaging online crimes. These are emails that appear to come from a known or trusted source making a legitimate request. These impersonation attempts typically take the form of:

• A vendor or supplier requesting a payment

• A high-ranking exec requesting a purchase or some kind of financial transaction

• An employee requesting a change to their payroll information.

BEC scams are often highly researched, with cybercriminals targeting employees that have the ability to authorize payments or have access to financial systems. Business Email Compromise scams are regularly successful and highly lucrative.

BEC Attacks Reported 4x More Than Ransomware

The 2020 FBI Internet Crime Complaint Center (IC3) report found that the numbers of BEC crimes (19,369) were around four times the numbers of reported ransomware attacks (2,474), according to Infosec Institute’s report, The state of BEC in 2021 (and beyond). Does this imply that BEC scams are 4 times more prevalent in terms of volume than ransomware attacks or, that email filters are 4 times more successful at detecting ransomware than BEC? The truth is likely somewhere in between. Many email filters struggle with BEC scams when they contain no links or attachments, like the two examples below.

How Mesh Helped Protect Reading Bakery Systems Against 50+ Targeted BEC Emails In a 7-Day Period.

Reading Bakery Systems, a leading manufacturer of bakery equipment, has been a Mesh customer since 2021. On average, they receive between 7-10 BEC attacks per month. Recently, they were on the receiving end of a targeted campaign by cyber criminals that saw them targeted over 50 times over the course of a week.

Many of the attacks followed two main themes - impersonating a high-ranking executive and targeting the accounts and purchasing teams, or impersonating the employee and targeting the HR/payroll teams, sometimes impersonating different staff and targeting different recipients.

We examine the two most-seen examples below.

Impersonating A High-Ranking Exec

In this example, the attacker has created a Gmail account using the first and last name of a high-ranking executive from the company. The email is targeting a member of the purchasing team and attempts to move the conversation out of email immediately. The attacker is looking to apply pressure to the user with a subject line of “Quick answer” and uses words like “urgent” and “immediately” in the message body.

These kind of social engineering techniques are often successful in manipulating the recipient to bypass internal policies and procedures out of fear of not following orders from their leadership team.

From a filtering perspective, the language is generally benign and the email contains no links or attachments.

The second phase of scams like this are likely to be a request for finances and/or information. As this example was targeting a person from the purchasing team, it’s likely the next step would have been to request a payment is made or gift cards are purchased.

The Payroll Scam

In this example, the attacker has again used a free domain, this time a popular Czech email service. The target of the email is a person in the HR team and the attacker is impersonating an employee, not a person in a position of authority.

Depending on the configuration of the recipient’s mail client, the full email address may not be visible and it may only show the display name - which is that of an employee. Again, there are no malicious attachments in the message body, making it difficult for traditional email filters to detect and block the email. When successful, depending on the frequency of payroll, these scams can go undetected for many weeks and can result in serious financial losses for the organization.

The Solution

One of the key reasons Reading Bakery Systems implemented Mesh was its proven ability to detect advanced, malware-less BEC attacks. By combining predictive threat intelligence, impersonation detection, and dynamic content scanning, Mesh is able to detect and block the most sophisticated types of Business Email Compromise attacks, protecting organizations, their employees, and their data.

Conclusion

Now more than ever, organizations are looking towards their MSP or technology provider to help them protect their employees against advanced forms of impersonation and social engineering scams.

Mesh provides specialist protection against BEC attacks as part of their platform that was BUILT FOR, NOT ADAPTED FOR managed service providers.

For more information on how Mesh provides MSPs with the tools to protect their clients, request a free trial or NFR account today.