How the Most Significant BEC Attacks of 2021 Unfolded

From health authorities to non-profit groups and municipal governments, organizations of all types and sizes fell victim to significant Business Email Compromise attacks in 2021. Find out how the most damaging and costly attacks unfolded and discover the most effective defense strategies.

By Diana
4 min read

In recent years, BEC (business email compromise) attacks have become an especially common form of cybercrime. A recent report found that 43% of businesses had suffered a serious cybersecurity incident just within the previous year. The same study found that 35% of businesses said BEC attacks accounted for over half of the security-related incidents.

These highly targeted email attacks are particularly successful because they evade many traditional email filters and standard security solutions. Instead of using malicious links and attachments that are discoverable by most traditional defenses, BEC criminals employ social engineering tactics to fool employees and executives. In many cases, the bad actors do considerable research before launching the attack, allowing them to effectively imitate someone who the user would trust.

What makes BEC attacks especially dangerous is that they play on human error. A quick overview of the most significant attacks in 2021 shows that no organization is safe from compromise—unless they commit to the right security solutions and strategies. Both multinational corporations and small organizations saw their systems attacked. By learning about the challenges that these organizations faced, companies can mitigate the risk of a BEC attack more effectively.

1. €14.7 Million Attack on the State of North Rhine-Westphalia

The coronavirus pandemic put unprecedented pressure on the healthcare industry, and cybercriminals were quick to take advantage. In a COVID-related attack, Dutch and Nigerian criminals nearly stole €14.7 million from the German state of North Rhine-Westphalia. Fortunately, the government agency was eventually able to recover the missing funds.

For this attack, the criminals employed a classic wire fraud strategy. First, they created a clone of the website of a real personal protective equipment supplier based in Spain. Then, they compromised the supplier’s email addresses and sent fraudulent emails to the German health authority.

Officials from the state of North Rhine-Westphalia believed they were doing business with a legitimate company in Spain. In fact, they were paying for supplies that never actually arrived. By moving the money quickly from Europe to Nigeria, the attackers managed to evade immediate reprisals. The funds were eventually returned after Interpol and the German authorities got involved.

2. $2.3 Million Attack on the Town of Peterborough, New Hampshire

A BEC attack on the small town of Peterborough, New Hampshire, cost the municipal government $2.3 million. The attackers employed spear-phishing tactics, impersonating both a local school district and a construction company while requesting money from specific town employees. Unwitting officials sent the money directly to the criminals, thinking they were simply carrying out their professional duties.

The town’s finance department discovered that the funds had been misdirected, but at that point, it was too late to intervene. The attackers have since converted the stolen funds to cryptocurrency, and the local government was left with no choice but to accept the significant hit to the budget.

3. BEC Attack on Non-profit Food Bank Philabundance

Philabundance, a hunger relief group in Philadelphia, fell victim to a BEC attack in early 2021. In this case, the criminals posed as a construction company that was working on a new building for the charity. The construction project amounted to $12 million. When an unsuspecting employee received an invoice from the apparently legitimate supplier, they wired $923,533 to the attackers’ account.

Philabundance only learned of the mistake when the actual construction company asked for payment a few weeks later. With the original payment already in the criminals’ hands, the organization had no choice but to pay again.

4. 40 Organizations Attacked by Cosmix Lynx

Cosmix Lynx is a Russian BEC gang that launched more than 40 BEC attacks against organizations in 19 countries, only in 2021. By successfully imitating actual partners and clients of major companies, the group has extracted millions of dollars from companies around the world.

With most attacks, Cosmix Lynx follows a consistent playbook. First, they identify businesses that are on the verge of buying another company. Then, they impersonate the CEO of the company and email an employee, asking them to consult with a lawyer to complete the payment for the upcoming purchase. From there, they impersonate an actual lawyer and request money from the fooled employee. The average payment for Cosmix Lynx is $1.27 million, but the group would also ask some companies for much more.

5. BEC Attack on Non-profit Group One Treasure Island

One Treasure Island, a non-profit group that helps settle homeless and low-income people in the San Francisco Bay area, also fell victim to an intricate business email compromise attack. The bad actors breached a third-party bookkeeping system, inserted themselves into email chains, posed as the non-profit’s executive director, and sent fake invoices to an employee. The One Treasure Island employee sent $650,000 to the criminals’ bank account, and only $37,000 was eventually recovered.

Preventing BEC Attacks with a Proactive Approach to Email Security

BEC attacks are becoming increasingly complex, and preventing them requires a proactive approach to email security. By actively fortifying their defenses, organizations can block attacks before they reach their emplooyees’ inboxes. When taking this proactive approach, organizations need to bolster both their human and technological resources.

With many business email compromise attacks, the employees themselves represent the targeted vulnerability. To prevent employees from making costly mistakes, organizations need to conduct rigorous, regular cybersecurity training. They should educate every member about the dangers of a BEC attack, and direct extra attention to the finance department and other areas that are especially likely to be targets. They can also provide updated materials to employees in response to quickly developing tactics, and institute a set of policies for reporting suspicious email-related activity. Everyone within the organization should understand the standard protocols. There’s no way to eliminate employee error from the equation, but organizations can give employees the resources they need to identify potential attacks.

In addition, this human-focused approach should be supplemented with advanced technological defenses. Machine-intelligent security solutions can identify threats before they even reach employee inboxes. By understanding common patterns of communication within the company and flagging any anomalous behavior, these programs can serve as a viable first line of defense. In concert with employee training, machine-intelligent systems will mitigate any organization’s risk of falling victim to business email compromise.

If you want to learn how xorlab can protect your organization against BEC attacks, request a demo today.