Business Email Compromise (BEC) attacks are among the most costly and effective forms of phishing. In most cases, these attacks use heavily researched social engineering to go after the top brass in a company, with the motive of stealing corporate funds or breaching the network.
And, because these top executives usually hold the keys to the castle, they make the most attractive targets for threat actors.
Phishing is social engineering carried out through digital channels for malicious purposes. And, just like any other phishing attack, a BEC attack relies on social engineering, rather than a technical flaw or a malicious attachment, to reach its goal.
Though CEOs and other high-profile executives are the focal point, it's not unheard of for a threat actor to start lower in the org chart, compromise a less protected account, and then attack from within.
Targeting Executives Beyond Money
Although wire fraud is the most common goal of BEC attacks, it's not the only outcome of spearphishing that targets a company. The biggest and most recent example? John Podesta, who was among the 20 campaign staff members who were targeted and clicked on a phishing email.
In a New York Times report, they stated that "among the list of targets were more than 100 email addresses associated with Hillary Clinton's presidential campaign, including Mr. Podesta's. By June, 20 staff members for the campaign had clicked on the short links sent by Russian spies."
Similarly, Australia's Parliament House was also breached as a result of a spearphishing attack. Though nation-state attackers have a library of techniques at their disposal, at times they employ phishing to target executives in an effort to steal private or confidential data.
According to the 2019 Verizon DBIR, "23% of the analyzed breaches were attributed to nation states or state-sponsored actors, compared to just 12% in the 2018 report. The 2019 Verizon DBIR also stated 25% of breaches were motivated by cyberespionage, compared to just 13% of breaches in last year's report."
On a smaller scale, HR executives are also likely targets. If a threat actor wants to obtain private company information, a well-crafted spearphishing campaign can net them that information directly. In some cases this comes in the form of a supposed law firm or internal employee requesting specific Excel documents or other sensitive materials. In many cases, this confidential information is then used to set up future attacks, especially those with financial motivations.
Posing as CEOs and Executives
Just as common, if not more so, are threat actors who target key roles within the org chart with the intent of having money wired to them. Posing as a CEO or other high-profile executive, the threat actor writes a brief, urgency-laden email prompting someone with financial controls to pay an invoice or complete some other routine financial transaction. In some cases, once a threat actor has compromised an account, they use the victim's mailbox to send fake invoices to vendors or customers in an effort to collect funds.
And, unfortunately, the examples are nearly endless.
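The impersonation pattern described above leaves traces in mail headers and wording that can be checked before a payment request ever reaches finance. The following is an added example, not code from the original article: a set of heuristic checks (executive display name on a non-corporate address, lookalike sending domain, Reply-To pointing elsewhere, urgent payment language) run over a handful of constructed messages. The corporate domain, the executive roster and the sample messages are all assumptions made up for illustration.

```python
"""Heuristic indicators of executive-impersonation (BEC) email.

Added example, not code from the original article. The domain,
executive roster and sample messages below are constructed for
illustration; in practice the roster would come from a directory and
the checks would run on parsed headers at the gateway or in a SIEM.
"""
import re
from email.utils import parseaddr

# Assumed corporate domain and executive roster (constructed).
CORP_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}

# Wording that commonly accompanies fraudulent payment requests.
URGENCY_WORDS = ("urgent", "asap", "immediately", "today", "confidential")
PAYMENT_WORDS = ("wire", "invoice", "transfer", "payment", "bank details")


def _domain(addr):
    """Return the lower-cased domain part of an address, or ''."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _norm(name):
    """Normalise a display name for roster lookup (letters and spaces)."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def bec_indicators(msg):
    """Return the list of indicators found in a message dict with
    'from', 'reply_to', 'subject' and 'body' keys (all strings)."""
    hits = []
    display, from_addr = parseaddr(msg.get("from", ""))
    from_domain = _domain(from_addr)

    # 1. Display name belongs to an executive, address does not.
    exec_addr = EXECUTIVES.get(_norm(display))
    if exec_addr and from_addr.lower() != exec_addr:
        hits.append("display-name impersonation")

    # 2. Sending domain mimics the corporate name without being it.
    if from_domain != CORP_DOMAIN and CORP_DOMAIN.split(".")[0] in from_domain:
        hits.append("lookalike domain")

    # 3. Replies are redirected to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("reply_to", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        hits.append("reply-to mismatch")

    # 4. Urgency combined with payment language in subject or body.
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        hits.append("urgent payment language")
    return hits


def is_suspicious(msg):
    """A single indicator is noise (executives do send urgent invoices);
    two or more together warrant holding the message for review."""
    return len(bec_indicators(msg)) >= 2


# Constructed sample messages (not real traffic).
SAMPLES = [
    {"from": "Jane Doe <jane.doe.ceo@freemail.test>", "reply_to": "",
     "subject": "Quick favour",
     "body": "I need you to process an urgent wire transfer today. Keep this confidential."},
    {"from": "John Smith <john.smith@example-corp.com>",
     "reply_to": "John Smith <accounts@payments.test>",
     "subject": "Invoice", "body": "Please pay the attached invoice immediately."},
    {"from": "Jane Doe <jane.doe@example.com>", "reply_to": "",
     "subject": "Board deck", "body": "Attached is the deck for Thursday."},
    {"from": "Jane Doe <jane.doe@example.com>", "reply_to": "",
     "subject": "Vendor", "body": "Please approve the invoice payment today."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", bec_indicators(m), "suspicious" if is_suspicious(m) else "ok")
```

The fourth sample shows why the threshold matters: a genuine executive asking for an urgent invoice payment trips only the wording check and is left alone, while the first two combine an identity mismatch with that wording and are held. These heuristics complement, and do not replace, SPF/DKIM/DMARC enforcement and an out-of-band callback policy for payment changes.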
In 2015, Ubiquiti Networks was hit:
“The incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company's finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties."
And a year later, even toy maker Mattel was hit when a threat actor posed as the newly appointed CEO:
“Prior to the attack, the person(s) responsible researched how the company operates regarding payments, and mined social media to learn the names of key individuals (as well as compromise corporate email) in order to make the request look as legitimate as possible."