“Uncovering the BEC Scheme: How Israeli Connection Paved the Way to Attack Multinational Companies”

An Israel-Based Threat Group Carries Out Sophisticated Business Email Compromise Campaigns

A new report from Abnormal Security, a US-based cybersecurity firm, highlights the growing prevalence, geographic expansion, and sophistication of Business Email Compromise (BEC) attacks, with an Israel-based group found to be targeting primarily large and multinational enterprises. The group has conducted over 350 BEC campaigns since February 2021, using email attacks that have targeted employees across six continents. As part of the scheme, the attackers impersonate the CEO of the targeted employee and use a second external persona, often a mergers and acquisitions attorney, to oversee the payment process. To accelerate the attack and reduce the evidence trail, the attackers request that the conversation move from email to a voice call on WhatsApp. 

From Nigeria to Israel

The report claims that historically, West Africa, and Nigeria in particular, have been the main centres of BEC scams. Of all the analysed attacks, 74% originated in Nigeria, followed by the UK (5.8%), South Africa (5.7%), and the US (3.6%). Comparatively, countries in Asia and the Middle East, like Israel, have been at the very bottom of the list, where only 1.2% and 0.5% of BEC actors are based, respectively. In this instance, the research team could not definitively categorise them as Israeli, so they simply note their confidence that the group is operating out of Israel.

Increasing Sophistication of BEC Attacks

As cybersecurity measures improve, criminals have become more savvy in their attacks. Instead of generic phishing emails, increasingly sophisticated, socially engineered BEC attacks are becoming more prevalent. The Israel-based group’s attack method serves as an example of this sophistication. They used various tactics to make their emails look legitimate and remain undetected by the human eye or traditional email security solutions. For example, the group targeted senior leaders who could reasonably be involved in a financial transaction. Moreover, they used two personas, a CEO and an external attorney, and spoofed email addresses using real domains so that the email seemed credible, even to those businesses with DMARC policies in place. Lastly, the group translated their emails into the language used the most by the targeted organizations. 

BEC Attacks Continue to Grow

BEC attacks, like the one discovered by the Abnormal Security team, are continuing to grow in frequency, geographic expansion, and sophistication. These types of attacks can cause severe financial devastation to their victims, with the amount of money requested much higher than in the past, with requests falling within the range of $700,000. As email remains a lucrative attack vector, hackers are also predicted to move into other communication and collaboration tools such as Slack, Zoom and Microsoft Teams. All businesses should, therefore, ensure that their cybersecurity measures are as robust as possible. 

Recommendations for Enhanced Security Measures

Given how crucial email is to businesses, it is essential to implement proactive measures to prevent BEC attacks from reaching the inbox at all. Solutions that use behavioural AI to identify anomalies and block malicious content can detect and stop sophisticated attacks more easily. Consolidating visibility across all communications tools, including those mentioned above, can also help improve security teams’ ability to detect suspicious and malicious activity, no matter where attacks originate. Security awareness training should be an integral part of any security strategy, and employees should be trained about BEC risks, and what they look like. The cybersecurity industry anticipates that as organisations strengthen their defence measures, cybercriminals will adapt accordingly, reinforcing the need for robust protection on all communication channels.