Business Email Compromise (BEC) Invoice Fraud Skyrockets

• BEC invoice and payment attacks rose by 150% in Q3 2020
• Wisconsin Republican Party loses $2.3 million from Trump re-election fund through BEC invoice fraud
• BEC scams now cause $26 billion in global losses annually

A newly disclosed hack against the Wisconsin Republican Party that cost the political organization $2.3 million highlights the increasing dangers of business email compromise (BEC) to all types of organizations. It's not just anecdotal evidence like this incident that shows it---all of the recent figures indicate that BEC attacks continue to snowball, with payment and invoice fraud perpetrated through BEC experiencing a marked increase in the last quarter.

A new study from Abnormal Security shows that the median number of BEC attacks experienced by companies each week during Q3 2020 rose by 15% compared to Q2. Of particular notice is the rise in invoice and payment scams. Among the reported BEC attempts measured by Abnormal in Q3, the number of invoice and payment BEC attacks rose by 150%.

Disclosed last week, the attack against the Wisconsin GOP Trump re-election fund follows the typical BEC invoice scam playbook. Party insiders detected the incident just two weeks before Election Day. They discovered that BEC "hackers manipulated invoices from four vendors who were being paid for direct mail for Trump’s reelection efforts as well as for pro-Trump material such as hats to be handed out to supporters," according to the Associated Press. Like with many invoice BEC scams, the crooks altered documents so that the political organization would change bank account details and re-route legitimate direct payments to the criminals' accounts rather than those held by the vendors who provided the rightful goods and services.

In some instances BEC attackers will target individuals in the C-suite or the finance department, though Abnormal reports that the bad guys are now increasingly setting their sights on group mailboxes, with the number of those such attacks increasing two-fold in the last quarter. This is frequently aided by running roughshod over cloud-email services increasingly in use for corporate accounts today. For example, one BEC campaign detailed by the firm Mitiga was able to steal $15 million from various victims by impersonating senior executives through clever use of Office 365 and rogue domains to imitate legitimate business email accounts.

According to a recent study of more than 9,000 instances of global BEC attacks between May 2019 and July 2020 by researchers with Agari's Cyber Intelligence Division (ACID), BEC scams are now responsible for $26 billion in losses each year. ACID estimates that BEC attacks now make up 40% of global cybercrime losses, impacting organizations in $177 countries.

Whether it's through invoice manipulation like with the Wisconsin GOP incident, or by other means such as impersonating an employee's CEO or senior management to request a legitimate-looking wire transfer, the hallmark of a successful BEC an enticement to make large wire transfers to criminals. According to the Anti-Phishing Working Group (APWG), the average request from a BEC scam is for $80,183. Some notable BEC operations target companies for far larger sums, with one Russian group fraudulently requesting an average of $1.27 million.

Attackers spend considerable time and resources doing reconnaissance and concocting very targeted campaigns in order to fool their well-placed targets into making extremely costly mistakes. Additionally, they must employ a wide network of money mules in order to absorb and launder fraudulent funds into untraceable accounts. Many of these are "unwitting mules" who are "socially engineered to commit fraud on the behalf of scammers," explain ACID researchers. They say the two most common source of unwitting mules for BEC actors are either romance scam victims or phony work-from-home scams:

"In these scams, victims respond to what looks to be a legitimate job posting and are 'hired' by the scammer. In many cases, these victims go through a formal interview process while the scammers vet their targets. After a victim accepts the 'job,' they are put to work doing a variety of different tasks, which could include receiving and reshipping goods, receiving “payments” from clients, or printing and sending checks. Of course these tasks are all part of fraudulent schemes the victim is unknowingly a part of."

Tricking unwitting mules with this kind of work-from-home ploy has grown even easier for criminals in the fallout from COVID-19, as people have been looking for easy sources of remote income.