BEC attacks focus on credentials

Business email compromise attacks accounted for $2.4 billion in losses in 2021.

June 6, 2023
Bill Merrick
John Moeller, principal-cybersecurity, CliftonLarsonAllen

As traditional phishing attacks become less effective due to organizations’ stronger internal controls, cybercriminals are turning to targeted business email compromise (BEC) attacks.

For these criminals, it’s all about securing credentials, according to John Moeller, principal-cybersecurity at CliftonLarsonAllen. He addressed the 2023 CUNA Cybersecurity Conference with NASCUS Monday in New Orleans.

“Microsoft 365 credentials remain one of the most highly sought-after account types for attackers,” Moeller says. “Once compromised, attackers can log in to corporate-tied computer systems.”

Roughly 95% of today’s phishing attempts target credentials, he says, adding that the median amount of time it takes for attackers to access private data after successful phishing attacks is one hour and 12 minutes. It then takes less than two hours for attackers to access corporate networks.

BEC is the costliest financial cybercrime, causing an estimated $2.4 billion in losses in 2021, led by invoice fraud. “Think about how that might occur in your organization,” he advises.

This marks the “industrialization” of cyberfraud, Moeller says. “Attackers continue to improve their business model, whether it’s ransomware as a service or where they link with other nations.”

BEC attacks typically follow this progression, he says:

  • The lure. The attacker starts a conversation with the victim to establish rapport, posing as a business colleague or acquaintance. The criminal then switches from a social network, such as LinkedIn, to an introductory email, impersonating a legitimate sender to trick the recipient into clicking on a malicious link.
  • The compromise of credentials. The attacker harvests the victim’s credentials and either uses or sells them on the dark web.
  • The fraud phase. Attackers use the compromised credentials in sophisticated social engineering using homoglyph email domains. These domains look identical to one the victim recognizes as a valid email provider (e.g., substituting a “1” for an “I”). Email messages are then sent from the hijacked domain with new payment instructions.

The criminal copies an email chain containing a legitimate invoice, then changes the invoice to contain their own bank details. The modified invoice is resent from the homoglyph impersonation email to the target.

Because the context makes sense and the email looks genuine, the victim often follows the fraudulent instructions.
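
A mail-filtering check for the homoglyph domains described above, as an added example that is not part of the original article: it reduces each sender domain to a "skeleton" in which look-alike characters collapse to one representative, then compares it against known vendor domains. The confusables map, the function names and the `.example` domains are constructed for illustration; a production filter would use the full Unicode confusables data.

```python
import unicodedata

# Constructed, deliberately small confusables map (not the full Unicode
# table): each look-alike character maps to one representative.
CONFUSABLES = {
    "1": "l", "i": "l", "|": "l",                  # 1 / I / l
    "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c",                  # Cyrillic look-alikes of p, c
}
MULTI = (("rn", "m"), ("vv", "w"))  # character pairs that read as one letter

# Constructed allow-list of vendor domains (reserved .example TLD).
TRUSTED = ["supplier-billing.example", "summit-cu.example"]

def to_unicode(domain):
    """Lowercase the domain and decode any punycode (xn--) labels."""
    labels = []
    for label in domain.strip().rstrip(".").lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed punycode: compare the raw label instead
        labels.append(label)
    return ".".join(labels)

def skeleton(domain):
    """Collapse visually confusable characters to a canonical form."""
    text = unicodedata.normalize("NFKC", to_unicode(domain))
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for seq, repl in MULTI:
        text = text.replace(seq, repl)
    return text

def classify_sender(address, trusted_domains):
    """Return ("trusted" | "lookalike" | "unknown", matched trusted domain)."""
    domain = to_unicode(address.rsplit("@", 1)[-1])
    trusted = {to_unicode(d): skeleton(d) for d in trusted_domains}
    if domain in trusted:
        return ("trusted", domain)
    sender_skeleton = skeleton(domain)
    for name, skel in trusted.items():
        if sender_skeleton == skel:
            return ("lookalike", name)  # hold for out-of-band verification
    return ("unknown", None)
```

A "lookalike" result is the case where the verbal verification and dual controls mentioned in the article matter most, since the message will otherwise appear to continue a genuine invoice thread.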

Moeller advises credit unions to create scenarios and hold tabletop exercises to prepare for possible BEC events. Other preventive measures include multifactor authentication, verbal verifications and dual controls for wire transfers, and a policy requiring employees to contact information technology in the event of suspicious activity.

He encourages credit unions to use an outside party to review their Microsoft Office 365 environment to ensure adequate security measures are in place.

“We need to stay on top of these vulnerabilities,” Moeller says.
