“When emotion supersedes reason, gullibility must follow.” – Barbara Mertz
Human history is full of success and failure, love and hate, war and peace, as well as crime and justice. In the early 1800s, a swindler by the name of William Thompson was dubbed the “confidence man.” His act was to defraud unsuspecting people by gaining their trust and confidence, and he successfully obtained money or watches from his victims. Similar acts by other swindlers followed, paving the way for the rise of the “confidence trick”: a method of defrauding victims by exploiting their emotions. Throughout the years, people all over the world have fallen victim to some form of con, and that experience continues to this day.
The digital world is not lacking in con artists: malicious actors who have taken their confidence tricks online. The playing field and the tools may have changed, but the basics remain the same: prey on a target’s naive trust and extract as much as possible. No individual or business is safe.
The Rise of Social Engineering Threats
Recent data from Risk Placement Services (RPS), a leading distributor of specialty insurance products, reveals a notable surge in fraudulent payments and social engineering fraud—exceeding 50%—among small and medium-sized enterprises (SMEs) from January to August this year. The figures overshadow the 16% credited to ransomware incidents during the same period.
“This trend emerges as ransomware activity has somewhat slowed down,” shared Steve Robinson, RPS’s Area President and National Cyber Practice Leader. “We’ve witnessed a significant uptick in social engineering fraud over the past six months. The shift can be largely attributed to the hybrid workforce brought about by the pandemic.”
Social engineering covers a broad spectrum of cyberattacks grounded in manipulating human error. Norton, a cybersecurity firm and threat intelligence company, labels it “human hacking.” They stress how these methods pivot from exploiting security vulnerabilities to targeting individuals. By pretending to be legitimate entities, cybercriminals dupe users into revealing sensitive data.
The absence of strict controls to verify payment instruction changes in various organizations furthers the rise of social engineering claims. The prevalence of remote or hybrid workforces adds another layer of vulnerability. Relaxed attitudes toward cyber awareness leave workforces more susceptible to social engineering ploys.
Robinson highlighted, “It’s not uncommon for the precautions taken in a formal office setting to be overlooked when the workforce is remote. This creates fertile ground for social engineering attacks.”
Surprisingly, countering social engineering fraud is straightforward. Many enterprises are already familiar with cybersecurity practices that can beat such attacks. “A considerable portion of the risk is due to organizational carelessness,” Robinson emphasized. He illustrated, “For instance, upon receiving an email requesting a change in ACH instructions, instead of verifying the authenticity of the request, they proceed without scrutiny. Subsequently, significant sums vanish.”
The Scam that is BEC
A thorough analysis reveals that social engineering techniques, backed by advanced targeting strategies, are at the heart of the growing success of Business Email Compromise (BEC) scams. Over the last decade, these scams have caused over $50 billion in losses to businesses worldwide. Notably, BEC losses showed a 17% year-over-year surge in 2022, as reported by the FBI.
The FBI’s Internet Crime Complaint Center (IC3) report for 2022 examines BEC in detail. It found that US businesses suffered losses surpassing $17 billion to these scams between October 2013 and December 2022. The global figure is far larger: organizations worldwide incurred losses approaching $51 billion during the same time frame, according to the reports IC3 received.
A more alarming look reveals that 137,601 organizations in the US alone, spanning all 50 states, have reported falling victim to BEC over these years. However, these figures potentially understate the true scale of BEC, because only incidents reported to the FBI are counted. It is therefore plausible that actual global losses attributable to BEC are considerably higher than the reported statistics.
BEC is an Evergreen Threat to Cybersecurity
Despite growing awareness and enhanced defenses against BEC—an attack method with more than a decade-long history—it persists as a thriving form of cybercrime.
Security experts attribute BEC’s longevity to a variety of factors. An essential element is the heightened adeptness of attackers in crafting messages that appear entirely authentic to users—a crucial element in the success of these scams, notes Oren Falkowitz, Field Chief Security Officer for Cloudflare.
According to Falkowitz, the key to successful BEC lies in achieving authenticity and credibility in the eyes of the victim rather than relying on cleverness. This entails closely monitoring real-world events and trends and using them to resonate effectively in the virtual realm.
The IC3 report also highlights a rise in BEC attacks on the real estate sector, which reported a loss of $446.1 million in 2022. Though this increase is slight compared to the $430.5 million loss reported in 2021, it signifies a nearly twofold rise in BEC losses from 2020 when losses stood at $258.4 million.
The surge in BEC attacks on the real estate sector seems to originate from ongoing challenges within that industry, which threat actors have seized on to exploit. This connection is clear in the commercial real estate crunch and urban redevelopment trends, notes Falkowitz.
The Anatomy of BEC
At its core, BEC is an attack in which threat actors use deception and impersonation to compromise legitimate email accounts. They then commit unauthorized fund transfers or obtain personally identifiable information linked to financial accounts.
While BEC is notorious for inducing substantial financial losses in both corporate and individual domains, its notoriety has somewhat been overshadowed by the rise of ransomware in recent years. Paradoxically, the heightened focus on ransomware may have inadvertently contributed to the surge of BEC: law enforcement’s intensified pursuit of ransomware gangs led to tighter cyber-insurance policies and sanctions, making BEC a relatively low-risk yet immensely profitable option for cybercriminals.
The Magnitude of Social Engineering
The resurgence of social engineering as an effective cybercriminal tactic has strengthened the pervasive and resilient nature of BEC. The Verizon Data Breach Investigations Report (DBIR) of last year underscores the increasing influence of phishing and “pretexting”—a form of impersonation frequently employed in BEC attacks—as dominant forms of social engineering. Pretexting tactics, which improve the appearance of legitimacy in BEC attacks, nearly doubled in 2022 compared to the previous year and now make up 50% of all social engineering incidents.
Social engineering relies on exploiting trust, often by gaining unauthorized access to the account of a figure of authority and impersonating them. This tactic significantly reduces the victim’s reason to doubt, resulting in ill-considered actions.
Mitigating the BEC Menace
As BEC’s success continues, organizations must strengthen their defenses with more robust security measures. Avkash Kathiriya, Senior Vice President of Research and Innovation at Cyware, notes that while enterprises have made notable strides, they remain susceptible to increasingly sophisticated social engineering scams, especially smaller businesses and individuals.
Given the human element and the inherent vulnerabilities in traditional security systems, a holistic approach is needed. Igor Volovich, Vice President of Compliance Strategy at Qmulos, suggests that real-time continuous monitoring and assessment of internal security controls can quickly identify peculiarities or failures that might lead to BEC incidents.
Furthermore, emerging technologies like generative AI, as used by BEC attackers in crafting messages, could be used by organizations to defend against such attacks. Patrick Harr, CEO of SlashNext, recommends utilizing AI capabilities that fuse natural language processing, computer vision, machine learning, relationship graphs, and contextualization to defeat layered messaging attacks.
Strengthening employee education is also critical. Mika Aalto, CEO of Hoxhunt, emphasizes the importance of nurturing a robust cyber awareness training culture. This can empower employees to recognize malicious campaigns and messages. BEC attackers often set up fake social media profiles, blogs, and email accounts to establish trust, making cyber education important.
As BEC attacks frequently start with phishing campaigns or social engineering tactics, it is crucial for organizations to foster a proactive approach to cyber awareness training. This sentiment is echoed by Jay Gohil, Risk Manager at Cowbell, who highlights the significance of strong cyber insurance solutions empowered by AI.
In the relentless realm of cyber threats, BEC’s sophistication demands strategic vigilance and a thorough response, further fortifying the defense against this damaging form of cybercrime.
About IPV Network
Since 2016, IPV Network has been a trusted partner of leading enterprises in the Philippines, bringing best-of-breed cybersecurity solutions. IPV Network helps businesses identify, protect, detect, respond, and recover from cyber threats. Email us at [email protected] or call (02) 8564 0626 to get your FREE cybersecurity posture assessment!