The scammers pose as a trusted contact, like your boss, a colleague, or a business supplier, usually requesting that an urgent or important financial transfer be made. The plan is to trick the victim into making the financial transfer into an account owned by the scammers.
If the payment is made, the fraudsters take the money and run -- so, even if the payment is recognized as fraudulent in hindsight, there's not much that can be done because the money is gone.
The attacks don't require malware or phishing links, just email and a bit of social engineering, making it difficult for them to be detected by some antivirus software -- which is one of the reasons they're so effective.
Scammers don't even need to speak the language of the people or organizations they're targeting: analysis of some prolific BEC campaigns by researchers at Abnormal Security suggests that email fraudsters are turning to machine learning-powered translation tools like Google Translate to help compose emails used in the attacks.
This technique is enabling widespread BEC campaigns for an expanded array of cyber-criminal groups, who can cast a larger net at minimal cost.
"Attacking targets across various regions and using multiple languages is nothing new. However, in the past, these attacks were perpetrated mainly by sophisticated organizations with bigger budgets and more advanced resources," said Crane Hassold, director of threat intelligence at Abnormal Security.
"For example, to effectively translate email text for more believable social engineering efforts, organizations often hire native speakers. But, as technology becomes more accessible and affordable, it lowers the barrier to entry," he added.
The payment fraud campaigns have been distributed in at least 13 different languages, including Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Portuguese, Spanish, and Swedish.
One campaign, by a group which researchers have dubbed Midnight Hedgehog, uses executive impersonation to deceive recipients into making payments for bogus services -- usually by posing as a company's CEO.
They conduct thorough research on their target -- finance managers or other executives responsible for initiating the company's financial transactions -- including their responsibilities and relationship with the CEO, and they convincingly spoof an email address so that it looks like it comes from the CEO.
In one example, the template involves the 'CEO' making an urgent request for a payment of between $17,000 and $45,000 to a company in the UK, with the email written in one of several different languages depending on the location and native tongue of the victim.
Another group, named Mandarin Capybara, uses similar techniques to distribute BEC scams in multiple languages. They also spoof executives, asking their victims to change payroll account information -- which, if implemented, will result in business transfers being sent to the account owned by cyber criminals.
In some cases, they've used the same spoofed email account to send out emails in multiple languages.
The reason cyber criminals continue to send out BEC campaigns like these is simply because they work; there are victims who see these messages, believe they're real and act upon instructions that they think are coming from their boss -- especially if they're written with correct spelling and grammar, and in the known style of the sender.
"As email marketing and translation tools become more accurate, effective, and accessible, we'll likely continue to see hackers exploiting them to scam companies with increasing success," said Hassold.
In addition to deploying appropriate cybersecurity tools to help catch BEC attacks, organizations are advised to have procedures in place to ensure that large financial transactions can't be made with the approval of just one person, and to train people to be on the lookout for payment fraud attacks.
"It's important that organizations use email defenses that look for threats in a more holistic manner to be able to prevent more sophisticated BEC attacks. Defenses that simply rely on static or 'known bad' indicators will have a hard time detecting these attacks, which is why tools that leverage behavioral analytics are better equipped to spot more advanced BEC threats," said Hassold.
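To illustrate the difference between static indicators and relationship-based checks for the executive impersonation described above, here is an added example (not from Abnormal Security or the original article). The executive directory, sender history, addresses and both messages are constructed assumptions; none of the checks read the body, so they behave the same whichever language the email is written in.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed directory: executive display names -> their legitimate addresses.
EXECUTIVES = {"jane doe": {"jane.doe@example.com"}}
# Assumed history: recipient -> addresses they have received mail from before.
KNOWN_SENDERS = {"finance@example.com": {"jane.doe@example.com"}}

def domain(addr: str) -> str:
    return addr.rpartition("@")[2]

def bec_signals(raw: str) -> list[str]:
    """Return relationship-based warning signs found in one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, rcpt = parseaddr(msg.get("To", ""))
    name, addr = name.strip().lower(), addr.lower()
    reply_to, rcpt = reply_to.lower(), rcpt.lower()
    signals = []
    legit = EXECUTIVES.get(name)
    if legit is not None and addr not in legit:
        signals.append("executive display name on unlisted address")
    if reply_to and domain(reply_to) != domain(addr):
        signals.append("reply-to domain differs from sender domain")
    if addr not in KNOWN_SENDERS.get(rcpt, set()):
        signals.append("first contact from this address")
    return signals

# Constructed sample: CEO display name, unrelated address, French body.
SPOOFED = """\
From: "Jane Doe" <jane.doe@exec-mail.example>
Reply-To: jane.doe@mailbox.example
To: finance@example.com
Subject: Paiement urgent

Bonjour, merci de traiter ce paiement aujourd'hui.
"""
# Constructed sample: the same executive writing from her real address.
LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget

See attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, bec_signals(raw))
```

A message that raises several of these signals is a candidate for the second-person approval step before any payment or payroll change is made.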