SECURITY
The U.S. Federal Bureau of Investigation today issued a warning that cybercriminals are taking advantage of the COVID-19 pandemic to expand their business email compromise attacks.
The bureau noted that a typical BEC scam involves victims receiving emails they believe are from a company they normally conduct business with, but this email requests funds be sent to a new account or otherwise alters the standard payment practices. The FBI is now seeing COVID-19 being used as a false reason for the change of payment practices.
Recent examples of COVID-19 BEC attempts include a financial institution receiving an email claiming to be from the chief executive officer of a company requesting that a previously scheduled transfer of $1 million be moved up and the account changed “due to the coronavirus outbreak and quarantine processes and precautions.”
In another case, a bank customer was emailed by someone claiming to be one of the customer’s clients in China who requested that all invoice payments be changed to a different bank as their regular bank accounts were inaccessible because of a “coronavirus audit.”
“BEC attacks are a concern for security professionals, chief security officers and organizations because they continue to be successful,” Mark Chaplin, principal at the information and security risk authority the Information Security Forum, told SiliconANGLE. “Conversations with security professionals in different industry sectors indicate an increase in the volume of BEC-related communications entering corporate networks.”
Security officials are seeing an unprecedented rise in increasingly sophisticated email-based attacks, he added.
“These increased volumes are putting existing layers of protection under greater pressure, resulting in the exposure of the endpoint device and, ultimately, the employee,” Chaplin explained. “Additionally, criminals have become more sophisticated by considering the psychological aspects of an attack. They anticipate the range of anti-BEC protection likely to be in place and also exploit circumstances relating to individuals receiving the communication. This has resulted in the most skilled, qualified and security-aware employees falling for a well-crafted, targeted attack.”
Chris Hazelton, director of security solutions at mobile phishing protection company Lookout Inc., said that although many organizations have implemented cybersecurity training with an emphasis on email, most efforts focus on desktop email clients that users can easily check for phishing indicators.
Mobile email is where training falls short, he added. “Most of the indicators of phishing this training focuses on are obscured in mobile email apps – not displaying the sender’s email address and limited ability to preview hyperlinks in email,” Hazelton noted. “This is compounded by heavy reliance on mobile email by organizational leaders operating all hours of the day. These leaders are directing company efforts via mobile email or mobile messaging apps – and are often expecting immediate attention.”
All that creates two opportunities for BEC, he said. “An attacker can target multiple people in an organization who are primed to react immediately to emails impersonating company leaders,” he said. “It also means those leaders can be easily influenced themselves by well-crafted emails that seem to come from within the organization.”
This was the second warning issued by the FBI in the last month in relation to BEC scams. The bureau issued a warning March 8 that hackers were targeting Office 365 and G Suite users in BEC attacks.