2022 Wrap Up - The Evolution of Business Email Compromise (BEC)

By Patrick Hill and Sonali Malhotra


Published 13 December 2022


During the course of 2022, Business Email Compromise (“BEC”) attacks have evolved from threat actors bypassing Microsoft 365 multi-factor authentication (“MFA”) to new threat actors impersonating law firms and baiting target individuals and businesses through social engineering, computer intrusion and emotional manipulation tactics. According to the FBI's Internet Crime Complaint Center (IC3), BEC attacks led to over $43 billion in losses between June 2016 and December 2021. A BEC attack typically involves a threat actor illegally accessing or imitating an employee’s email account in order to deceive other employees of the same company, external business partners or clients into initiating fraudulent money transfers. We consider the latest developments in BEC attacks below.

Earlier this year, security researchers from Microsoft discovered a large-scale phishing campaign which used HTTPS proxying techniques to bypass MFA and take over Office 365 accounts. In such attacks, threat actors gain access to the targeted victim’s login credentials and inbox using a proxy-based technique known as Adversary-in-the-Middle phishing (“AitM attack”): the phishing page relays the victim’s traffic to the genuine login page, so the victim completes MFA as normal while the attacker captures the authenticated session. Attackers were then able to search victims’ inboxes for email threads referring to financial transactions or invoices, into which they could insert themselves by impersonating the victim: setting up a fake domain name for the company, crafting an email in the victim’s name to an external business, and providing new financial information for payment of the invoices. Since September 2021, this type of attack has targeted over 10,000 organisations and resulted in billions of dollars of losses globally. Researchers have stated that companies and organisations should not rely solely on multi-factor authentication to protect against AitM attacks, and should set up a third authentication factor tied to a physical device, such as an employee’s authorised laptop and/or phone.

A leading provider of cyber security solutions, Cofense, undertook a five-week experiment in July 2022 in which analysts purchased $500 in trackable gift cards and engaged in 54 live BEC attacks. They found that the gift card scam unfolds like other BEC attacks, noting that threat actors moved funds swiftly and that, in all but one case, each gift card was stolen, re-sold and used for a purchase within 24 hours. In such a short window it is difficult for victims to recoup any lost sums. BEC gift card scams are already evolving, as observed by Abnormal Security, which has recently reported on the tactics of Lilac Wolverine, a newly discovered BEC group centralised in Nigeria that deploys a two-stage strategy for such attacks. Instead of targeting businesses, Lilac Wolverine pursues a high volume of individuals and personal email accounts, particularly on North American email services such as AOL, Yahoo and Rogers. The group hacks into personal email accounts, copies the individual’s contacts, creates lookalike accounts on free webmail services such as Gmail, Hotmail or Outlook, and then sends spoof emails to the victims’ contact lists, initially with a simple inquiry or favour. Should they receive a response, the group will often follow up with an emotionally charged plea to purchase a gift card for a fictional friend or family member said to be affected by Covid-19 or cancer. It is evident that BEC gift card scams are growing and becoming more sophisticated through social engineering and emotional manipulation tactics, which enable scammers to exploit individuals and businesses given the limitations of cyber security.

Another emerging BEC group is Crimson Kingsnake, which primarily targets and impersonates international law firms to deceive recipients into approving and effecting payment of overdue invoices. Abnormal Security has been monitoring its activity since March 2022 and has identified 92 domains linked to Crimson Kingsnake that imitate the domains of 19 law firms and debt collection agencies, including major global practices such as Clifford Chance, Herbert Smith Freehills, Deloitte and Morrison Foerster, across the U.S., UK and Australia. A report by Abnormal Security found: “When a Crimson Kingsnake actor is questioned about the purpose of an invoice payment, we've observed instances where the attacker sends a new email with a display name mimicking a company executive.” Sophisticated social engineering and impersonation attacks are increasingly prevalent across the methods and tactics employed by BEC groups worldwide.
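Both the fake company domains used after an AitM compromise and the 92 law-firm lookalike domains described above rely on a sender domain that resembles one the recipient trusts. The following is an added example, not code from the article or from any vendor it mentions, of a simple inbound-mail check that flags such lookalikes against a list of known-good domains; the trusted domains, homoglyph table and decoy tokens are all constructed for illustration.

```python
import difflib

# Constructed for this example: domains the organisation genuinely deals with.
TRUSTED_DOMAINS = ["examplelawfirm.com", "example-collections.co.uk"]

# Character swaps commonly seen in lookalike registrations (hypothetical, not exhaustive).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Tokens appended to a real name to make a domain look official (hypothetical list).
DECOY_TOKENS = ("llp", "legal", "law", "invoices", "billing")

SIMILARITY_THRESHOLD = 0.85  # tunable; chosen for this example


def registrable_parts(domain):
    """Split a domain into (registrable label, public suffix); two-level suffixes such as co.uk are handled crudely."""
    parts = domain.lower().strip().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    if len(parts) >= 3 and parts[-2] in {"co", "com", "org", "net"} and len(parts[-1]) == 2:
        return parts[-3], ".".join(parts[-2:])
    return parts[-2], parts[-1]


def normalise(label):
    """Undo homoglyph swaps and drop hyphens and decoy tokens so lookalikes collapse onto the real name."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    label = label.replace("-", "")
    for token in DECOY_TOKENS:
        if label.endswith(token) and len(label) > len(token):
            label = label[: -len(token)]
    return label


def classify_sender(domain):
    """Return (verdict, trusted_domain); verdict is 'trusted', 'lookalike' or 'unknown'."""
    label, suffix = registrable_parts(domain)
    for trusted in TRUSTED_DOMAINS:
        t_label, t_suffix = registrable_parts(trusted)
        if label == t_label and suffix == t_suffix:
            return "trusted", trusted
        if label == t_label:                          # same name, different TLD
            return "lookalike", trusted
        if normalise(label) == normalise(t_label):    # homoglyphs / decoy tokens
            return "lookalike", trusted
        ratio = difflib.SequenceMatcher(None, label, t_label).ratio()
        if ratio >= SIMILARITY_THRESHOLD:             # typosquat within edit tolerance
            return "lookalike", trusted
    return "unknown", None
```

A "lookalike" verdict is a signal for quarantine or a banner, not proof of fraud; the threshold and token lists should be tuned against the organisation's own mail flow.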

With the above in mind, it is unsurprising that notifications of BEC claims to insurers remain highly prevalent. This further reinforces the need for preventative strategies and measures to be deployed across communities and within organisations, including conducting internal phishing exercises and regular internal training on the different types of BEC attacks that can affect individuals and businesses; diversifying the avenues through which employees can authenticate their devices; and implementing robust email security solutions, to name a few.

We encourage you to share these trends with your peers and colleagues to raise awareness. Please get in touch with the writers should you have any questions or wish to discuss any developments raised in this article.