The Evolution of BEC Attacks in the AI Era

Since the early days of email, businesses have been targeted by email scams. Many of us remember the “Nigerian Prince” scams from the 1990s, which characterized phishing attacks and managed to deceive thousands of people despite their obvious absurdity. However, as these scams became more prevalent and costlier, awareness about such attacks increased, leading threat actors to switch to more effective tactics.

This shift gave rise to business email compromise (BEC) attacks, which have become increasingly popular over the past decade. The key feature of a BEC attack is impersonation, where criminals masquerade as trusted individuals, often colleagues or company executives, using spoofed email addresses or compromised accounts. They then deceive their targets into revealing sensitive information or authorizing unauthorized financial transactions.

CEO gift card scams have emerged as one of the hallmark BEC types in recent years. Initially highly successful due to their exploitation of human trust, most organizations have now effectively trained (or are actively training) their employees to identify these attacks before they cause harm.

This places threat actors right back at the beginning of their innovation cycle. What will they do next to refine or create new BEC attack tactics to outsmart their targets? According to the latest FBI Internet Crime Report, BECs continue to pose a significant threat to modern enterprises, resulting in billions of dollars in losses each year. Consequently, it’s crucial for CISOs to stay abreast of these evolving tactics.

Here are a few emerging BEC methods that security leaders should be vigilant about.

  1. Vendor Email Compromise (VEC)
    Vendor email compromises operate as a variation of the traditional BEC attack. Instead of impersonating someone within the target’s organization, these attacks impersonate a trusted vendor or exploit a compromised vendor account to execute an invoice scam or other financial fraud. By leveraging social engineering, these attacks exploit the trust and established relationships between vendors and customers. VEC attacks typically ask the recipient to pay an outstanding invoice or to update billing account details (to a fraudulent bank account) for their next payment. Because vendor communications routinely involve invoices and payments, these attacks often go unnoticed, unlike the CEO gift card requests commonly associated with BEC. Due to the use of known identities — either by compromising a vendor’s account or spoofing a legitimate domain — VECs are incredibly difficult to detect and can deceive even the most cybersecurity-savvy employees, leading to significant financial losses.
  2. AI-generated BEC Attacks
    In the past, cybercriminals relied on templates for their BEC campaigns, resulting in attacks that shared common indicators of compromise detectable by traditional security software. However, the emergence of generative AI tools like ChatGPT enables scammers to create unique, highly targeted content instantly, making detection significantly more challenging. Despite OpenAI’s restrictions on the use of ChatGPT for malicious content creation, cybercriminals have found ways around these controls by “jailbreaking” ChatGPT or creating their own malicious platforms like FraudGPT and WormGPT. Over the past year, numerous attacks likely generated by AI have been observed. While AI-generated content alone does not directly indicate an email attack, it provides another signal for security teams to evaluate alongside other patterns in email behavior to detect potential threats.
  3. Email Thread Hijacking
    Attackers increasingly use email thread hijacking to infiltrate existing, legitimate email conversations. By impersonating one of the parties with a lookalike domain or creating a new identity, attackers hijack the email thread to launch further phishing attempts, monitor emails, learn the organizational chain of command, and target individuals who authorize financial transactions. These attacks typically start with account compromise, granting attackers access to the inbox to search for ongoing conversations about payments or sensitive information. They then hijack those threads by copying the conversation into a new email (often sent from a lookalike or typosquatted domain) and continue the conversation with the original recipients. Because recipients are familiar with the conversation and the attacker has replaced the victim, the message often passes unnoticed as a continuation of the thread, leading to devastating outcomes. By understanding the conversation history, and even automating this process through generative AI, attackers blend seamlessly into the conversation. These attacks are especially perilous and challenging to detect because average employees may not realize they are no longer communicating with their known colleague or vendor. Recent instances have seen sophisticated attackers employing additional thread-hijacking tactics, such as copying additional “colleagues” into the conversation who are actually adversarial counterparts using lookalike domains to increase legitimacy.
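One defensive check that follows from the thread-hijacking pattern above, added here as an illustration rather than taken from the article: given the domains of the legitimate participants in a thread, flag any From, Reply-To or Cc address whose domain imitates one of them, whether by a one-character edit, a homoglyph swap such as “rn” for “m”, or the vendor name embedded in a longer domain (the extra “colleague” trick). The thread domains, the homoglyph list and the sample reply are constructed for this example.

```python
from email.utils import parseaddr

# Constructed sample: domains of the legitimate participants in the thread.
THREAD_DOMAINS = {"acme-supplies.com", "example-corp.com"}
# Character substitutions often seen in lookalike domains (assumed, not exhaustive).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def normalize(domain):
    # Lower-case and fold homoglyphs so "acrne" compares equal to "acme".
    d = domain.lower().strip()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, known=THREAD_DOMAINS):
    # True when the domain is not a thread domain but imitates one.
    if domain in known:
        return False
    nd = normalize(domain)
    for nk in map(normalize, known):
        if levenshtein(nd, nk) <= 1:               # acme-suplies.com, acme-supplies.co
            return True
        # Vendor name reused inside a longer domain (noisy for very short names).
        if nk.split(".")[0] in nd.split(".")[0]:   # acme-supplies-billing.com
            return True
    return False

def audit_message(headers, known=THREAD_DOMAINS):
    # Flag every From/Reply-To/Cc address whose domain imitates a thread participant.
    findings = []
    for hdr in ("From", "Reply-To", "Cc"):
        for raw in headers.get(hdr, "").split(","):
            addr = parseaddr(raw)[1].lower()
            domain = addr.rsplit("@", 1)[-1]
            if "@" in addr and is_lookalike(domain, known):
                findings.append((hdr, addr, "lookalike of a thread domain"))
    return findings

# Constructed hijacked reply: forged sender plus a fake "colleague" added on Cc.
SAMPLE = {"From": "Accounts <ar@acrne-supplies.com>", "Reply-To": "ar@acrne-supplies.com",
          "Cc": "Bob <bob@example-corp.com>, Dana <dana@acme-supplies-billing.com>"}
```

Running `audit_message(SAMPLE)` flags the From, Reply-To and the Cc’d “Dana” while leaving the genuine participant untouched; a mail gateway would raise these as a thread-continuity anomaly for review.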

Attackers are likely to keep favoring BEC as their primary tactic, and BEC will continue to be a leading cause of financial losses. Why? Because it is effective. Humans remain the biggest vulnerability in today’s organizations, as they place immense trust in their digital communications. Cybercriminals are aware of this, and we can expect them to continue employing innovative techniques to exploit that trust — using social engineering tactics to gain access, rather than hacking in.

Traditional threat detection products, especially those reliant on detecting known signatures like malware attachments and suspicious links, can only provide limited protection against this threat. Human behavior is not a static indicator of attack, and organizations will require dynamic products that can learn and adjust to user behaviors in their email environment. By basing detection on user behavior signals, teams can identify anomalies indicative of attacks, regardless of their origin or method — whether through a spoofed vendor domain, a compromised executive account, an AI-generated email attack, or any other technique hackers employ to launch BEC attacks.

Intech Hawaii’s Browser Link Protection helps prevent these types of attacks:

  • Business Email Compromise
  • Fake authentication sites
  • Credential theft and account takeover
  • Phishing pages
  • Ransomware/Malware infections

Here’s how Browser Link Protection works:

  • First, it uses threat feeds to classify known good and known bad URLs
  • Then, it allows known ‘good’ URLs to continue to the website
  • But it blocks known malicious content with an end user message
  • Any suspicious or unknown URLs are routed through our isolation environment
  • If AI detects a fake vendor logo on the website, it won’t let the user fill out any login forms or enter other information
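The allow/block/isolate decision described in the first four steps, written out as an added illustration that is not Intech Hawaii’s code and does not model the logo check; the feed contents are constructed stand-ins for real threat feeds.

```python
from urllib.parse import urlsplit

# Constructed stand-ins for the threat feeds; a real deployment loads these from feeds.
KNOWN_GOOD = {"example-corp.com", "acme-supplies.com"}
KNOWN_BAD = {"acrne-supplies.com", "cdn.example-corp.com"}

def host_of(url):
    # urlsplit takes the host after any "user@" part, so "good.com@evil.test" yields evil.test.
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def matches(host, feed):
    # A feed entry matches the host itself or any parent domain (label-suffix match),
    # so "example-corp.com.evil.test" does NOT match the entry "example-corp.com".
    labels = host.split(".")
    return any(".".join(labels[i:]) in feed for i in range(len(labels)))

def triage(url):
    # Known bad wins over known good, so a bad host under a good parent is still blocked;
    # anything unmatched goes to isolation instead of being opened directly.
    host = host_of(url)
    if not host or matches(host, KNOWN_BAD):
        return "block"
    if matches(host, KNOWN_GOOD):
        return "allow"
    return "isolate"
```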

Basically, end users still see the suspicious website, but it’s isolated in a virtual machine inside their browser, making it impossible for the end user to enter their credentials into a fake login page. This completely stops the most common types of modern BEC attacks. If you are interested in the various ways Intech Hawaii can protect you, contact us.