
Summary

  • Business email compromise (BEC) attacks have intensified, with cybercriminals using generative AI to craft convincing emails.
  • BEC attacks are highly targeted scams in which attackers impersonate trusted figures to manipulate victims into transferring money or divulging sensitive information.
  • Tools like WormGPT enhance the sophistication of BEC emails and enable thread-jacking techniques.
  • For defense, emphasize employee training, multi-factor authentication (MFA), clear policies for transactions, and AI-enhanced data loss prevention (DLP).

In the past year, business email compromise (BEC) attacks have skyrocketed, with malicious actors harnessing the power of generative AI to craft increasingly sophisticated fraudulent emails.

The challenge with these next-generation BEC attacks lies in their complexity; they are not only hard to prevent but also notoriously difficult to detect. However, there are effective strategies your organization can implement to reduce the risks of becoming a victim.

Here’s what you need to know to safeguard your business.

What is BEC? 

Business Email Compromise (BEC) attacks are a highly-targeted form of cybercrime where attackers manipulate unsuspecting victims into transferring money or divulging sensitive information via email or SaaS channels like Slack and Microsoft Teams. These scams are not your average phishing attempt. Instead, they involve impersonating trusted figures—whether that’s an employee’s boss, a company supplier, or a business partner—to create a false sense of legitimacy and urgency.

While phishing attacks are often broad and sloppy, BEC attacks are precise, well-researched, and tailored to their targets. This personalization makes them much harder to spot, giving hackers the upper hand. They dive deep into the company’s structure, studying:

  • Organizational hierarchies
  • Employees with purchasing power
  • Trusted suppliers and partners
  • Personal details and email addresses of employees

With this arsenal of knowledge, cybercriminals craft convincing messages designed to coax employees into transferring funds, purchasing gift cards, or sharing sensitive information. The spoofed email addresses or SaaS accounts make these scams appear even more legitimate, and when paired with the hacker’s impersonation of authority figures and urgency, victims are more likely to comply without a second thought.

BEC: The risks 

While many cyberattacks cast a wide net, BEC attacks are laser-focused, and their objectives go far beyond just a quick financial gain. These attacks typically fall into three distinct categories, each with serious consequences for businesses.

First, there’s the financial gain. The majority of BEC attacks are financially motivated, as highlighted in Verizon’s Data Breach Investigation Report. Hackers often target wire transfers or seek payment in easily monetizable forms, such as gift cards. With a single successful scam, cybercriminals can walk away with thousands, if not millions, of dollars—all with minimal effort and maximum return.

Next, attackers may aim to steal cloud account credentials. By tricking employees into handing over sensitive login details, hackers gain direct access to a company’s internal network or applications. Once inside, they can steal critical data, monitor communications, or cause further breaches, leading to serious privacy violations and reputational damage.

Lastly, some BEC attacks are part of a strategic infiltration. Instead of going for immediate financial reward, these cybercriminals play the long game. Armed with employee credentials, they slowly work their way deeper into the organization’s infrastructure. This gives them the opportunity to launch even more devastating attacks, compromising systems from within and causing widespread damage before anyone realizes what’s happened.

In all three scenarios, the impact of a BEC attack can be severe. Whether it’s an immediate financial loss or a deeper breach that leaves your company vulnerable, the fallout is always costly.

How is generative AI changing BEC? 

The rise of generative AI is making Business Email Compromise (BEC) attacks more dangerous than ever. Cybercriminals are using tools like WormGPT to churn out realistic, personalized BEC emails at scale. These AI-powered messages are eerily convincing, and now, they can be created, translated, and fine-tuned with alarming precision.

One particularly dangerous attack type to watch for is thread-jacking. In these attacks, hackers sneak into legitimate email conversations by using a spoofed domain that looks nearly identical to a trusted contact. 

Here’s how it typically works: The attacker gains access to an inbox through account compromise. From there, they scan ongoing conversations for anything related to payments or sensitive info. Once they’ve found a relevant thread, they create a new email (using a typo-squatted or lookalike domain) and paste in the original conversation. They then feed all the data they’ve collected into a generative AI tool, asking the tool to replicate the exact tone and style of the person they’re impersonating. 

Next up, the hacker continues the thread as if nothing is amiss, with the other recipients none the wiser. Because the conversation seems familiar, employees often overlook the subtle change in sender, and that’s where the danger lies. By the time anyone realizes something’s wrong, the damage is done.
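The subtle change in sender is something a mail pipeline can check for mechanically. The following is an added example, not code from Polymer or any product: it flags a reply whose From or Reply-To domain is a near miss of a domain already present in the thread. The domains, the sample message and the edit-distance threshold of 2 are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: domains already seen in the thread, and a reply
# that continues it from a lookalike of the supplier's domain.
THREAD_DOMAINS = {"acme.example", "supplier.example"}
SAMPLE_REPLY = (
    "From: Dana <billing@suppl1er.example>\n"
    "To: ap@acme.example\n"
    "Subject: Re: Invoice 1042\n"
    "In-Reply-To: <constructed-id@supplier.example>\n"
    "\n"
    "Please use the updated bank details below.\n"
)

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_reply(raw_message, thread_domains, max_distance=2):
    """Return findings for a reply whose sender resembles, but is not, a thread domain."""
    msg = message_from_string(raw_message)
    sender = domain_of(msg["From"])
    findings = []
    for label, dom in (("From", sender), ("Reply-To", domain_of(msg["Reply-To"]))):
        if not dom or dom in thread_domains:
            continue  # header absent, or an exact match with a known participant
        for known in sorted(thread_domains):
            if edit_distance(dom, known) <= max_distance:
                findings.append(f"{label} domain {dom} is a lookalike of {known}")
    # A reply from an unrelated new domain is weaker evidence, but still worth a banner.
    if msg["In-Reply-To"] and sender and sender not in thread_domains and not findings:
        findings.append(f"reply from new domain {sender} in existing thread")
    return findings

if __name__ == "__main__":
    print(check_reply(SAMPLE_REPLY, THREAD_DOMAINS))
```

Edit distance catches character swaps such as `1` for `l`; it does not catch homoglyphs from other scripts or a correct name under a different top-level domain, which need separate checks.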

How to defend against AI-enhanced BEC attacks 

When it comes to Business Email Compromise (BEC) attacks, technology alone won’t save you. These scams rely on manipulation, not malware, which means your best defense is a people-first approach. 

Here’s how to make sure your team is ready:

Smart employee training

Your employees are the first line of defense. Empower them to spot BEC attempts by providing clear, actionable guidance. 

Here’s what your team should look for:

  • Out-of-the-blue, urgent requests from execs: If your CEO suddenly “needs” $1,000 in gift cards, it’s time to pause. Encourage employees to verify unusual requests via phone or internal channels like Teams or Slack before acting.
  • Keep-it-quiet requests: Scammers love secrecy. If an email asks to keep the transaction hush-hush, that’s a red flag. Establish a company-wide policy that financial requests should never be confidential.
  • Breaking protocol: If an email suggests skipping over your normal financial processes, that’s another clue it’s a scam. Stick to established procedures—it’s your safety net.
  • Sneaky email addresses: Cybercriminals often use lookalike email addresses to trick people. Train your team to double-check the sender’s domain before moving forward with any requests.

Remember, though, sharing this information with your employees once won’t really help them. Repetition is critical to learning. So, do away with the long, boring training days. Instead, integrate learning into your employees’ daily routines through active learning: timely, personalized training nudges that integrate into your workflow. These interventions are three times more effective than regular training.

Enable MFA

Multi-factor authentication is a simple but powerful way to deter malicious actors from using stolen login credentials. It requires employees to verify their identity twice—typically with a password and a phone code or email link—before accessing their accounts. Even if a hacker gets their hands on a password, they’ll hit a roadblock with MFA in place.

Set clear vendor and partner policies

Establish clear, written policies for handling financial transactions, both inside and outside your company. This way, if something looks off, your employees will know to flag it immediately. It also provides a solid framework for dealing with suspicious requests.

Similarly, make sure your team knows exactly how to report potential BEC scams. A clear protocol will ensure quick action if someone spots something fishy.

Use AI-enhanced DLP

In the event that a hacker successfully steals login credentials, their primary goal is often to gain access to sensitive data. And guess where they’ll start? Right in your cloud applications. This makes it absolutely essential to secure any shared sensitive information with robust cloud data loss prevention (DLP) solutions.

Unfortunately, DLP has earned a bit of a bad reputation over the years. Many people associate it with cumbersome restrictions and inefficiencies. But thanks to advancements in Natural Language Processing (NLP) and machine learning, modern DLP tools have become incredibly accurate. They ensure that malicious actors cannot access sensitive data—even if they have legitimate login credentials—while allowing your team to work without unnecessary disruptions.

Cloud DLP solutions like Polymer DLP are intelligent and contextually aware. They leverage AI-enhanced user behavior and risk analysis to monitor interactions with sensitive data in real-time. This means that if a user begins to act suspiciously—whether it’s accessing files they don’t normally work with or trying to export sensitive data—the DLP engine is smart enough to recognize these anomalies and take the appropriate action. That may be a timely reminder and redaction for an employee prone to making errors, or an alert in the SOC for an employee acting completely out of character. 

Don’t wait for a successful BEC attack to happen to take action. Protect your data from AI attacks now by booking a demo with Polymer DLP. 

Polymer is a human-centric data loss prevention (DLP) platform that holistically reduces the risk of data exposure in your SaaS apps and AI tools. In addition to automatically detecting and remediating violations, Polymer coaches your employees to become better data stewards. Try Polymer for free.
