Crime BECkons: Business Email Compromise incidents rising year-on-year

What happened? 

CyberCX’s Digital Forensics & Incident Response team just released their annual Year in Review. Concerningly, the team observed a 37% increase in Business Email Compromise (BEC) incidents in 2023. In BEC fraud, a criminal compromises a victim’s email account (typically through phishing). The criminal then uses this access to insert themselves into existing email chains about financial transactions. This can result in a business, or a client or other third party, paying money to a criminal. On average, a BEC incident is less impactful than a cyber extortion attack. But it is much more common – for every 1 cyber extortion incident reported in Australia, 17 BEC incidents are reported. In addition, BEC incidents can still cause significant financial and reputational damage. One incident we responded to in 2023 involved a loss of AUD500,000.   


Why now? 

The growth of BEC crime is consistent with trends CyberCX Intelligence has been monitoring for some time. BEC criminals are becoming more prolific and more capable. As security controls – including Multi-Factor Authentication (MFA) and conditional access policies – have become widely adopted, threat actors have developed new techniques to bypass them. In 2023, CyberCX investigated several incidents where these controls were not enough to protect the organisation.  

We also suspect that BEC criminals are exploiting data leaked in other large-scale cyber attacks, including recent data theft extortion cases, to conduct more effective social engineering campaigns, such as phishing. Recent breakthroughs in AI are increasing the availability of digital forgeries, which are also starting to increase the success rate and impact of BEC cases. We think AI adoption among cyber criminals will deepen across 2024.


How could this impact me and my organisation? 

BEC is a threat to all organisations – small and large. The mailboxes of business leaders and their executive support teams are particularly attractive targets for BEC criminals, given the access and influence these accounts have when it comes to financial activities.  

Once a threat actor has gained control of a mailbox, they may conduct a number of activities, including: 

  • Adding permissions to mailboxes – typically Finance or Accounts teams. 
  • Identifying active conversations regarding payments, invoicing, or transactions.  
  • Modifying real invoices or documents that have been used in the past.  
  • Hijacking email conversations and providing ‘updated’ invoice or purchase order information with the threat actor’s payment details. 
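Each activity in the list above leaves a trace in the mailbox audit trail, and that is where a defender can catch a compromise before an "updated" invoice is paid. The script below is an added example, not CyberCX code or tooling: it assumes a simplified JSON-lines log whose records carry Operation, UserId, ObjectId and a Parameters list of Name/Value pairs (modelled loosely on Exchange Online unified audit log records), and it flags two of the listed behaviours: permission grants on finance mailboxes, and inbox rules that forward mail outside the organisation or quietly file away payment-related conversations. The tenant domain, mailbox names and the five sample events are all constructed for the example.

```python
"""Flag post-compromise mailbox activity typical of BEC (added example, not CyberCX code)."""
import json
from collections import defaultdict

ORG_DOMAINS = {"example.com"}  # assumed tenant domains; anything else counts as external
FINANCE_MAILBOXES = {"accounts.payable@example.com", "finance@example.com"}  # assumed targets
PAYMENT_KEYWORDS = ("invoice", "payment", "remittance", "purchase order", "bank")
FORWARD_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")  # rule actions that copy mail out
HIDING_ACTIONS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")          # rule actions that hide mail

# Constructed sample audit events: one permission grant, three inbox rules, one benign read.
SAMPLE_LOG = """
{"Operation": "Add-MailboxPermission", "UserId": "ea.smith@example.com", "ObjectId": "accounts.payable@example.com", "Parameters": [{"Name": "Identity", "Value": "accounts.payable@example.com"}, {"Name": "User", "Value": "ea.smith@example.com"}, {"Name": "AccessRights", "Value": "FullAccess"}]}
{"Operation": "New-InboxRule", "UserId": "ceo@example.com", "ObjectId": "ceo@example.com", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;payment;remittance"}, {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "ceo@example.com", "ObjectId": "ceo@example.com", "Parameters": [{"Name": "Name", "Value": "Sync"}, {"Name": "ForwardTo", "Value": "ceo.backup@example.net"}]}
{"Operation": "New-InboxRule", "UserId": "hr@example.com", "ObjectId": "hr@example.com", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "SubjectContainsWords", "Value": "newsletter"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"Operation": "MailItemsAccessed", "UserId": "hr@example.com", "ObjectId": "hr@example.com", "Parameters": []}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def params(event):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def is_external(address):
    """True when the address domain is not one of the organisation's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def flag_event(event):
    """Return human-readable findings for one event; an empty list means nothing suspicious."""
    findings = []
    op = event.get("Operation")
    actor = event.get("UserId", "?")
    p = params(event)

    # Listed behaviour 1: adding permissions to Finance/Accounts mailboxes.
    if op == "Add-MailboxPermission" and event.get("ObjectId", "").lower() in FINANCE_MAILBOXES:
        findings.append(f"{actor} granted {p.get('AccessRights')} on finance mailbox "
                        f"{event['ObjectId']} to {p.get('User')}")

    # Listed behaviours 2 and 4: rules that siphon off or bury payment conversations
    # so the real parties never see the hijacked thread.
    elif op in ("New-InboxRule", "Set-InboxRule"):
        rule = p.get("Name", "<unnamed>")
        for action in FORWARD_ACTIONS:
            if action in p and is_external(p[action]):
                findings.append(f"{actor} rule '{rule}' forwards mail externally via {action} to {p[action]}")
        subject_words = p.get("SubjectContainsWords", "").lower()
        hides = any(a in p for a in HIDING_ACTIONS)
        if hides and any(k in subject_words for k in PAYMENT_KEYWORDS):
            findings.append(f"{actor} rule '{rule}' hides payment-related mail matching '{subject_words}'")
    return findings


def triage(text):
    """Group findings per acting account so each suspect mailbox is reviewed as a whole."""
    per_actor = defaultdict(list)
    for ev in parse_events(text):
        for finding in flag_event(ev):
            per_actor[ev["UserId"]].append(finding)
    return dict(per_actor)


if __name__ == "__main__":
    for actor, findings in triage(SAMPLE_LOG).items():
        print(actor)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed log, the executive assistant's permission grant and both of the CEO's rules are reported, while the HR newsletter rule and the plain mailbox read are not. In a real tenant, the mailbox and domain lists would come from your own directory, and any hit on a finance mailbox is a reason to notify Accounts Payable and affected counterparties, as the page recommends.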

The consequences of a successful BEC can include significant financial loss, reputational damage and psychological harm to the people involved. 


What should I do? 

Have clear, strict policies for processing payments, and stick to them. The mailboxes of business leaders, and their executive teams, are common targets for BEC criminals. Don’t set a precedent for instigating unexpected payment activity: if staff are used to leaders bypassing process, they are more likely to action an unorthodox, malicious request from a criminal. In other words, think twice before sending an “urgent” finance request from your personal email, or calling Accounts Payable to ask for an invoice change, without following your transaction policy.

Protect your email systems with technical controls and the ‘human firewall’. MFA and conditional access policies can help to prevent BEC incidents. However, threat actors have developed techniques to subvert these controls. Ensure your organisation is using the latest phishing-resistant MFA to prevent attackers using “MFA bypass” methods. Additionally, consider your role as a leader whose mailbox is likely seen by criminals as a valuable gateway. Is your phishing training up to date? Have you recently conducted a data exposure assessment to understand which credentials related to you are exposed on the internet?

Notify your stakeholders if you detect a suspected BEC. A successful BEC might not directly impact your organisation. Instead, your compromise might cause a delay in payment or, worse, financial loss to third-party suppliers, customers or other stakeholders. If you detect a suspected BEC, you should let your stakeholders know so that they can take steps to protect themselves. 


Security starts in the c-suite. Executives are high-value targets. Well-connected, they’re gateways to their organisation, sensitive information and professional network. High-profile, they’re easy to find. Trusted and influential, their brand is readily exploited. C-Suite Cyber helps business leaders master their cyber risk.

About CyberCX Intelligence

CyberCX Intelligence is a uniquely Australia and New Zealand focused capability. We have the information, access and context to give executives a decision advantage – whether that’s minimising their personal risk or leading their organisation’s risk posture.

Want more? Contact cyberintel@cybercx.com.au to explore how you could partner with cyber intelligence experts who speak your business language and know your sector. You can also subscribe to Cyber Adviser, our bite-sized monthly intelligence newsletter.

Yaashwanth Dayalan

Student at UNIVERSITY OF TECHNOLOGY SYDNEY Passionate Cybersecurity Professional | Expertise in Management & Strategy

6mo

I want to get a winter or summer internship. I'm pursuing my master's in cybersecurity and engineering management from University of Technology
