Cybercriminals rely heavily on social engineering tactics, involving trickery and the manipulation of human emotions, to achieve their objectives.
With the professionalisation of cybercrime and the availability of artificial intelligence, cybercriminals can now plan and execute formidably convincing and complex social engineering attacks with far greater creativity.
The CEO Calls
Imagine an ordinarily astute and hardworking Finance Manager of a medium-sized company who receives an email at 9am on Monday morning requesting that funds be wired to a regular supplier, on ‘their alternative account’.
The email is nothing out of the ordinary. A moment later they receive a call from the CEO backing up the message in the email, stressing how urgent the payment is and explaining away the changed payment method.
The instruction is clear, so they proceed to transfer £1 million. And who wouldn’t, in the circumstances, after speaking to the CEO himself?
But it turns out the email is a spoof, and the call from the CEO was a deepfake: a cloned-voice call.
Enter Business Email Compromise (BEC) orchestrated with deepfake AI technology, now in the toolkit of hackers!
What is Business Email Compromise?
Business Email Compromise refers to a cyber threat method in which the victim receives an email from the attacker, sent either from the victim’s own domain, which has been compromised, or from a look-alike domain or email address crafted so that it is indistinguishable from the regular, correct address. Attackers may also intercept messages flowing within the organisation, as well as inbound and outbound emails, by implementing forwarding rules that exfiltrate mail to an address they control.
Combined with pretexting, employees are often tricked into sending fraudulent payments or even disclosing sensitive information when the emails purport to come from senior executives in the organisation requiring them to do so.
In broad terms, there are many varieties of BEC, but for practical and illustrative purposes, common examples include data theft, CEO fraud, account compromise, false invoice schemes, and pretexting. Targeting the company email accounts of specific departments such as HR or Finance and stealing sensitive data may be the end objective of an attack, but it is often the initial step in what is frequently a multi-stage attack.

Complex, Sophisticated, and Multi-Stage Attack
The stolen data, which may include personal information about staff members, their work schedules and other details of their habits, is combined to plan and execute more believable and convincing schemes. For instance, coupled with the initial data obtained about the CEO, the attackers may then use a spoofed email, as in this case, to ask an employee to transfer money to a fraudulent account. In email account takeover, or email compromise proper, the threat actors send phishing emails with links that deliver malware when the recipient clicks on them; this enables changes to domain configuration and the creation of email forwarding rules, allowing the threat actor to send emails as if from the account and to intercept emails to and from it, thus completely taking over and compromising the account. With information gathered about company supplies and suppliers, the threat actors may execute a false invoice scam, raising a plausible invoice that requests payment to accounts they control.
Pretexting or impersonation, as in the CEO fraud above, can target anyone in the enterprise, particularly those involved in receiving or paying out money or making purchases, such as the finance department of a professional services company that sends out invoices, or personnel who hold sensitive information including intellectual property or trade secrets.
BEC was already a very methodical, sophisticated and costly cybercrime without the additional layer of deepfake complexity, and often involved well-established professional cybercrime syndicates.
Frequently, it is an enduring, complex and multi-stage combination of social engineering and malware attack, using reconnaissance methods including network scanning; phishing emails to install malware; gathering of information about the network; delivery of a payload; acquisition of access and administrative privileges; alteration of web and email domain configurations; and implementation of forwarding rules.
The attackers will first spend a great deal of time gathering intelligence about their victims from open sources including corporate websites, social media, and LinkedIn. In a typical case, this is followed by a phishing email containing malware sent to the targeted victim, leading to email compromise. Email forwarding rules, targeting certain emails or all of them, then forward mail to an account that the threat actor controls. In this way the threat actor intercepts an email invoice and opportunistically sends an impersonating email via a spoofed email address to the victim, either resending the invoice or requesting a seemingly innocuous change of payment to a different account that they control.
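The forwarding rules described above (exfiltration to an external address, often filtered on invoice or payment keywords and paired with deleting or hiding the original) leave a detectable footprint in mailbox rule inventories. The following is an added example written for this article, not code from it: a small triage routine over a constructed, simplified rule export. The `Rule` fields, the `INTERNAL_DOMAINS` value and the keyword and folder lists are assumptions; a real export from Exchange Online or Google Workspace would need its own loader mapping onto these fields.

```python
"""Triage mailbox rules for the forwarding-based exfiltration pattern used in BEC.

Added example, not from the original article. The Rule records below are a
constructed, simplified shape; map a real Exchange/Workspace export onto them.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance", "iban"}
# Folders a mailbox owner rarely looks at; a forward-then-move rule hides the original here.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}


@dataclass
class Rule:
    owner: str
    name: str
    forward_to: List[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None
    delete: bool = False
    subject_keywords: List[str] = field(default_factory=list)
    mark_read: bool = False


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def assess_rule(rule: Rule) -> List[str]:
    """Return human-readable findings; an empty list means the rule looks benign."""
    findings = []
    external = [a for a in rule.forward_to if domain_of(a) not in INTERNAL_DOMAINS]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    hides = rule.delete or (rule.move_to_folder or "").lower() in HIDING_FOLDERS
    if rule.forward_to and hides:
        findings.append("forwards and then hides the original (delete or move to an unwatched folder)")
    hits = sorted({k.lower() for k in rule.subject_keywords} & FINANCE_KEYWORDS)
    if rule.forward_to and hits:
        findings.append("forward is filtered on finance keywords: " + ", ".join(hits))
    if rule.forward_to and rule.mark_read:
        findings.append("marks forwarded mail as read, so the owner sees no unread copy")
    if len(rule.name.strip()) <= 2:
        findings.append(f"rule name {rule.name!r} is empty or near-empty")
    return findings


def triage(rules: List[Rule]) -> Dict[Tuple[str, str], List[str]]:
    """Map (owner, rule name) to findings for every rule that raised at least one."""
    flagged = {}
    for rule in rules:
        findings = assess_rule(rule)
        if findings:
            flagged[(rule.owner, rule.name)] = findings
    return flagged


# Constructed sample inventory: one textbook BEC rule, one benign rule, one worth a question.
SAMPLE_RULES = [
    Rule(owner="finance.manager@example.com", name=".",
         forward_to=["inv0ice.collector@mail-relay.example.net"],
         move_to_folder="RSS Feeds", subject_keywords=["invoice", "payment"], mark_read=True),
    Rule(owner="hr.lead@example.com", name="Payroll to shared mailbox",
         forward_to=["payroll-team@example.com"], subject_keywords=["payroll"]),
    Rule(owner="ceo@example.com", name="Copy to personal mail",
         forward_to=["ceo.private@webmail.example.org"]),
]

if __name__ == "__main__":
    for (owner, name), findings in triage(SAMPLE_RULES).items():
        print(f"{owner} rule {name!r}:")
        for f in findings:
            print("  -", f)
```

In practice the high-value signal is the combination: external forward plus a finance keyword filter plus hiding the original. Run the triage on a scheduled export of all mailbox rules and alert on newly created rules that score more than one finding.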

Cashing In: Laughing All the Way to the Crypto Bank
The above is the traditional method of payment orchestration in BEC, but there are many variations on the threat actors’ modus operandi. In what is sometimes referred to as a second-hop transfer, the fraudsters chain in other victims, whose personally identifiable information (PII) will have been compromised earlier via a social engineering attack. The altered wire instructions are sent to one victim, so that he or she sends payment to a second victim whose PII has been stolen by the attacker. More commonly these other victims serve as proxies for the funds, adding a layer of obfuscation and evasion, with the ultimate destination of the funds being a cryptocurrency account owned or controlled by the cybercriminal.
Increased Attack Surface, Vulnerability, and the Perversion of Artificial Intelligence
Email has evolved to become the backbone of corporate communications today, with hundreds of billions of corporate emails exchanged every day, accessed through a variety of means and device types, on company sites and remotely, potentially without corporate-grade firewall protection. Remote workers often operate without this much-needed network perimeter security, thus missing out on a critical part of a layered cybersecurity defence. With the rise in use, and the variety of ways email is used, has come greater vulnerability to endpoint data exposure, HTML code hacks, and the introduction of malware.
BEC is on a fulgurant rise, and the cost to businesses and to the economy is extremely high. Over the two-year period between 2015 and 2017, the FBI recorded a 1300% increase in cases of BEC, with exposed losses for businesses totalling $3 billion. The cumulative loss from BEC to the end of 2023 is a staggering $50 billion.
The further transition to remote work because of the COVID pandemic greatly facilitated the rise in BEC scams, with the FBI reporting nearly 20,000 BEC complaints in 2021. Moreover, during the pandemic, most excuses for a change of payment method or payee information were attributed to disruptions caused by COVID.
A business email compromise attack orchestrated with a deepfake cloned-voice call can be very persuasive indeed, almost requiring a magician to resist, and for many employees lacking awareness it will be an ‘unknown unknown’.

Prevention of BEC generally and BEC orchestrated by AI Deepfake
Controlling BEC requires the implementation of policies, processes and procedures directed at preventing such attacks, including ongoing security awareness education for staff, and web and email security controls.
The strongest safeguard is surely the training of employees to be aware of this trend and to possess the practical skills to suspect, recognise and rebuff AI deepfake-orchestrated cybercrimes.
Required technical controls include making emails harder to spoof by authenticating senders with Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
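What ties SPF, DKIM and DMARC together is alignment: a message passes DMARC only if SPF or DKIM passed and the domain that passed matches the domain in the visible From header, which is exactly what the spoofed supplier email above fails. The following is an added example written for this article, not code from it or from any DMARC implementation: it parses a constructed `Authentication-Results` header and a constructed DMARC TXT record and returns the verdict and the disposition the receiver should apply. The `MULTI_PART_SUFFIXES` list is a tiny stand-in for the Public Suffix List, and the `pct=`, `sp=` and `fo=` tags of a real record are deliberately ignored; all domains and headers are made up.

```python
"""Evaluate DMARC alignment for an inbound message from its headers.

Added example, not code from the original article. Headers, From values and
the DMARC record below are constructed; MULTI_PART_SUFFIXES is an illustrative
stand-in for the Public Suffix List; pct=, sp= and fo= are ignored on purpose.
"""
import re
from typing import Dict, List, Tuple

# Assumption: a short illustrative list, not the real Public Suffix List.
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def organizational_domain(domain: str) -> str:
    """Reduce a domain to its organisational domain, the unit relaxed alignment compares."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """'s' (strict) needs an exact match; 'r' (relaxed) needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_auth_results(header: str) -> List[Tuple[str, str, str]]:
    """Return (method, result, domain) triples from an Authentication-Results value.

    The first ';'-separated clause is the authserv-id and is skipped. For SPF the
    domain is smtp.mailfrom (the envelope sender); for DKIM it is header.d (the d= tag).
    """
    triples = []
    for clause in [c.strip() for c in header.split(";")][1:]:
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        domain = props.get("header.d") or props.get("smtp.mailfrom") or ""
        if "@" in domain:
            domain = domain.rsplit("@", 1)[1]
        triples.append((method.lower(), result.lower(), domain))
    return triples


def dmarc_evaluate(from_header: str, auth_results: str, dmarc_record: str) -> Dict[str, object]:
    """DMARC passes if SPF or DKIM passed AND that domain aligns with the From domain."""
    from_domain = re.search(r"@([A-Za-z0-9.-]+)", from_header).group(1)
    tags = parse_dmarc_record(dmarc_record)
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")
    spf_ok = dkim_ok = False
    for method, result, domain in parse_auth_results(auth_results):
        if method == "spf" and result == "pass" and aligned(domain, from_domain, aspf):
            spf_ok = True
        if method == "dkim" and result == "pass" and aligned(domain, from_domain, adkim):
            dkim_ok = True
    passed = spf_ok or dkim_ok
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        # The receiver applies the sender's published policy only when DMARC fails.
        "disposition": "none" if passed else tags.get("p", "none"),
    }


# Constructed sample data: a genuine supplier message and a spoof of the same From domain.
SUPPLIER_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@supplier-corp.example"
LEGIT_FROM = '"Accounts Payable" <accounts@supplier-corp.example>'
LEGIT_AUTH = ("mx.example.com; spf=pass smtp.mailfrom=bounces.supplier-corp.example; "
              "dkim=pass header.d=supplier-corp.example header.i=@supplier-corp.example")
SPOOF_FROM = '"Accounts Payable" <accounts@supplier-corp.example>'
SPOOF_AUTH = "mx.example.com; spf=pass smtp.mailfrom=mail.relay-host.example; dkim=none"

if __name__ == "__main__":
    print(dmarc_evaluate(LEGIT_FROM, LEGIT_AUTH, SUPPLIER_DMARC))
    print(dmarc_evaluate(SPOOF_FROM, SPOOF_AUTH, SUPPLIER_DMARC))
```

Note what the spoof case shows: SPF itself passed, because the attacker's relay is authorised for its own envelope domain, yet DMARC fails because that domain does not align with the supplier's From domain, and the supplier's `p=reject` tells the receiver to refuse it. DMARC protects only the exact domain it is published for; a look-alike domain registered by the attacker, with its own SPF, DKIM and DMARC, passes this check cleanly, which is why the staff awareness and out-of-band verification of payment changes described above remain necessary alongside the technical controls.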