Business Email Compromise (BEC) attacks are among the most costly and effective forms of phishing. These attacks typically rely on carefully crafted social engineering to target top executives, with the goal of stealing corporate funds or gaining unauthorized network access.
Executives are prime targets because they often hold the “keys to the castle,” making their accounts especially valuable to threat actors.
Phishing, at its core, is social engineering conducted through digital channels. Rather than exploiting technical vulnerabilities or malicious attachments, attackers manipulate human behavior to achieve their objectives.
While CEOs and high-profile leaders are often the primary targets, attackers sometimes begin lower in the organizational hierarchy, compromising an account and then moving laterally to reach senior executives.
Targeting Executives Beyond Money
Although wire fraud is the most common focus for BEC attacks, it's not the only outcome of spearphishing that targets a company. The biggest and most recent example? John Podesta, who was among 20 staff members who were targeted and clicked on a phishing email.
As reported in The New York Times, “among the list of targets were more than 100 email addresses associated with Hillary Clinton's presidential campaign, including Mr. Podesta's. By June, 20 staff members for the campaign had clicked on the short links sent by Russian spies."
Similarly, Australia's Parliament House was also breached as a result of spearphishing attacks. Though nation-state attackers have a library of techniques at their disposal, at times they employ phishing to target executives in an effort to steal private or confidential data.
According to the Verizon DBIR, “23% of the analyzed breaches were attributed to nation states or state-sponsored actors, compared to just 12% in the 2018 report. The 2019 Verizon DBIR also stated 25% of breaches were motivated by cyberespionage, compared to just 13% of breaches in last year's report."
On a smaller scale, HR executives are likely targets too. If a threat actor wants to obtain private company information, a well-crafted spearphishing campaign could net them that information directly. In some cases this may come in the form of a law firm or internal employee requesting specific Excel documents or other sensitive materials. In many cases, this confidential information is then used to further propagate future attacks, especially those with financial motivations.
Posing as CEOs and Executives
Just as common, if not more so, key roles within the org chart are often the targets of threat actors who intend to have money wired to them. Posing as a CEO or other high-profile executive, a threat actor will write a brief, urgency-laden email prompting someone with financial controls to pay an invoice or carry out another routine financial transaction. In some cases, once a threat actor breaches an account, they will then use the victim's email to send fake invoices to vendors or customers in an effort to collect funds.
And unfortunately the examples are near endless.
In 2015 Ubiquiti Networks was hit: “The incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company's finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties."
And a year later, even popular toy maker Mattel was hit when a threat actor posed as the newly placed CEO: “Prior to the attack, the person(s) responsible researched how the company operates regarding payments, and mined social media to learn the names of key individuals (as well as compromise corporate email) in order to make the request look as legitimate as possible."
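As an added illustration that is not from the original article, the following Python sketch shows the kinds of checks a mail gateway or SOC rule can apply to flag the CEO-impersonation pattern described under "Posing as CEOs and Executives": an executive's display name on an outside or lookalike address, a diverted Reply-To, and urgency wording paired with a payment request. The executive directory, the example.com domain and the sample message are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory (hypothetical): executive display names mapped to the
# only addresses each legitimately sends from; example.com is a placeholder.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": {"jane.doe@example.com"}}
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|payment|bank details)\b", re.I)

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw_message: str) -> list:
    """Return the CEO-impersonation indicators present in an RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr, found = addr.lower(), []
    domain = addr.rsplit("@", 1)[-1]
    # Executive's display name, but not sent from an address we know is theirs.
    known = EXECUTIVES.get(display.strip().lower())
    if known is not None and addr not in known:
        found.append("executive display name on unexpected address")
    # Reply-To quietly diverts the conversation to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        found.append("reply-to differs from sender")
    # Sender domain is a near-miss of our own (typosquat / lookalike).
    if domain != INTERNAL_DOMAIN and _edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        found.append("lookalike sender domain")
    # Urgency wording combined with a payment or invoice request in the body.
    body = "\n".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    if URGENCY.search(body) and PAYMENT.search(body):
        found.append("urgent payment request")
    return found

# Constructed sample: a lookalike-domain CEO fraud attempt with a diverted Reply-To.
SUSPICIOUS = ("From: Jane Doe <jane.doe@examp1e.com>\nReply-To: jane.doe.ceo@mail.invalid\n\n"
              "Need you to wire the invoice payment ASAP, I'm in meetings all day.\n")
```

Any hit should route the message to human review rather than auto-reject, and payment changes still need a verified out-of-band callback to the executive or vendor before funds move.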