Business Email Compromise Attacks and How to Protect Your Business
In previous articles we have provided guidance on how organisations can protect themselves from ransomware and make sure they are prepared should they be hit by ransomware. Ransomware attacks are a successful and highly profitable criminal business model and, as we predicted in early 2017, ransomware attacks have continued to proliferate.
Ransomware is a popular attack method because, unlike most forms of crime, it generates direct revenue for the criminal; there’s no need for complex money laundering or ‘cashing out’. In this article we explore Business Email Compromise (BEC) attacks, another direct-revenue scam that, for many of the same reasons, has been increasingly used by criminals.
BEC attacks are a growing threat to businesses; recent research found that, in the second half of 2017, 96% of organisations were targeted by BEC attacks. Victims can suffer substantial losses; the U.S. Federal Bureau of Investigation (FBI) Internet Crime Report 2017 reported that the BEC and Email Account Compromise (EAC) threat accounted for an adjusted loss of over $675 million last year.
Indeed, losses may in fact be much higher, as this figure is based only on the 15,690 BEC/EAC victims who filed a complaint with the FBI’s Internet Crime Complaint Center (IC3).
Nor is this threat restricted to the U.S. The UK National Cyber Security Centre and National Crime Agency’s recent ‘The Cyber Threat to UK Businesses’ report states that “BEC scams are a serious threat to organisations of all sizes and across all sectors, including non-profit organisations and government. It represents one of the fastest growing, lowest cost, highest return cybercrime operations”.
The report also highlights that BEC attacks can result in significant losses for the targeted businesses; Dublin Zoo was one such victim losing nearly $600,000 as a result. Agari recently reported that Google and Facebook lost a combined $100M to BEC attacks to fraudsters impersonating a supplier, while MacEwan University in Canada were defrauded of $11.8M when attackers impersonated a vendor.
As you can see, BEC is a business threat that you need to understand and be able to protect your organisation against. In this article we will explore:
- What exactly is a business email compromise attack?
- Tactics that cybercriminals are using to deploy these attacks.
- Preventative steps/actions that your organisation can take to protect against these attacks.
What is a Business Email Compromise Attack?
Okay, so what exactly is a BEC attack? Simply put, it is social engineering, primarily via email. More formally it is known as cyber-enabled financial fraud. BEC attacks involve fraud and deception, usually targeting employees with access to company finance processes, who are duped into transferring funds to bank accounts that they think are legitimate but which instead are accounts controlled by the criminal.
A number of specific methods and techniques have been identified:
1. The bogus invoice scheme (AKA the invoice modification scheme)
This scheme often targets a business by leveraging its relationship with a longstanding and therefore trusted supplier. The business receives what appears to be a legitimate request, via email, fax or telephone call, to change the payment destination for the supplier. Invoice payments are then made to what turns out to be a fraudulent account in the control of the criminals.
2. Account compromise
This is a similar scam to the first; in this attack the cybercriminal compromises an employee’s email account. That account, and the email contact list it has access to, is then used to contact customers stating that there was a problem with their payment and requesting that they re-send payment to an alternate account (one controlled by the cybercriminal).
As IC3 notes in a Public Service Announcement, “this type of attack is more common with smaller businesses or companies with a small client base” as these businesses are more likely to manage their billing via email.
3. CEO Fraud
This attack involves the cybercriminal masquerading as the CEO, CFO or other senior executive. The executive’s email account is compromised or spoofed and an email is sent from their email address to an employee able to process wire (bank) transfers, instructing them to send funds to an account controlled by the cybercriminal.
Often these emails are framed as an emergency, stating that the transfer is urgently needed and highlighting the consequences of delay, all to discourage the employee from pausing to verify the request or seek authorisation.
4. Attorney or lawyer impersonation
This is another impersonation attack that relies on the inherent helpfulness of people, especially when faced with an apparently urgent request. In this case, the criminals claim to be a lawyer or representative of a law firm handling a matter that is time sensitive or confidential. Victims are encouraged to act in secret, sending funds without mentioning it to anyone else.
Attacks often take place at the end of the working day or week, creating further pressure on the victim to act quickly and transfer funds at the fraudster’s request.
IC3 identified a particular variation of this attack during 2017. Scammers targeted the parties involved in real estate transactions, including buyers, sellers, agents, and lawyers. In these examples, the fraudulent request seeks to change the payment type (such as from cheque to electronic transfer) or the account to be paid.
A New York State Supreme Court judge was reported as having lost over $1M of closing costs for an apartment when attackers impersonated her lawyer.
5. Data Theft
Of the attacks discussed, this is the only one that doesn’t directly seek monetary gain. Instead it follows the same approach as CEO Fraud, leveraging social engineering techniques to target specific employees (such as HR or other roles with access to personally identifiable information (PII)) and requesting that they send the PII of other employees.
This attack can often be the precursor to the other attacks noted above, seeking information that may help the attacker better impersonate a legitimate email request or compromise a target email account.
Tactics that cybercriminals employ for successful Business Email Compromise Attacks
As can be seen from the explanation above, the success of a typical BEC attack relies primarily on fooling people. Let’s review some ways that attackers maximise the success of their BEC attacks:
There are a number of ways that the cybercriminal can deceive the victim into thinking that the email request they have received is legitimate. The simplest approach is sending the email with a display name similar to that of the party they are impersonating. People often rely only on the display name (rather than the underlying email address) when checking the identity of the sender.
The cybercriminals may also use email domain spoofing – that is forging an email from a legitimate sender email domain – or take it one step further by registering a new domain name that is a ‘look-alike’ for the sending domain they are attempting to impersonate, such as “@your-bank.online” as opposed to “@your-bank.com”.
This can significantly increase the attack’s success, especially as this new domain is completely under the cybercriminal’s control, so they can tailor everything from the email account and display name to the format and content to closely match what the targeted individuals expect.
Conducting extensive research
With its potential to be highly lucrative, the one thing the criminals give plenty of time to is ‘preparation and intensive research’ – after all they want to ensure that they are believable to the target victim.
So, the first thing that they will set about doing is trying to figure out which employee that they should impersonate to maximise success (for illustration we will use the CFO but it could equally be the trusted supplier).
The attacker will deploy multiple social engineering techniques to learn as much as they can about the CFO. This could include calling the company to try to obtain his/her email address if it can’t be found online, using information on personal and business social media sites such as Facebook and LinkedIn, and carrying out extensive research into the CFO’s interests.
The Data Theft method described above may also be deployed. This information will all help the attacker either to compromise the CFO’s email account and/or to better impersonate the CFO.
Going after a less senior member of staff
In addition to leveraging most people’s inherent friendliness and desire to help others, especially when the request is perceived to be urgent, the cybercriminals will also target more junior members of staff who may be more likely to fear doing the wrong thing or upsetting a more senior member of staff such as the CFO.
Steps your Organisation can take to Protect against an Email Compromise Attack
Now that we have illustrated the types and techniques of BEC attacks, it’s time to look at some ‘preventative actions’.
Awareness and Training
Understand the threat:
- Be aware that the criminals do not care about the size of the companies they attack – a small business is no safer than any other. For the fraudster it’s about the number of victims not the size.
- The fraudsters are not highly technical; they don’t need to be. Rather, they leverage the way we do business now (e.g. corporate webmail), the corporate information made freely available on social media and company websites, and social engineering techniques to maximum effect.
Train staff on what to look out for and how to recognise attacks:
- Make them aware of the types of attacks or requests that fraudsters employ and that sender’s emails can be spoofed.
- Train them on the red flags to watch for – such as requests calling for urgency or secrecy – and to be wary of any out of the ordinary requests or even just changes in the sender’s writing style.
Make sure all parties are aware of and adhere to ordering, invoicing and payments processes:
- Make sure staff are aware of, stay updated on and adhere to customers’ and suppliers’ habits and processes.
- Educate customers and suppliers on the established processes and to query any deviation from the norm.
Train staff to report suspicious requests or activities:
- Make sure staff know to query or seek verification of requests they think are suspicious.
- Staff should know to immediately report suspicious requests to team leaders or managers.
- All suspect emails or requests should be reported; it may be the fraudsters ‘testing the water’ or trying new techniques.
- Assess the potential risk, consider whether action to update secure measures is needed and/or warn staff of new threats or attack techniques.
Policies and Procedures
Develop and adhere to robust processes:
- Have established order, invoicing and payment processes.
- Keep a record of payment and bank account details for all suppliers.
- Always check order details, confirm the validity of the customer, verify the information on invoices before transferring any funds.
Limit the risk of one staff member making an error:
- Make sure processes segregate duties and authority so that no one person can set up new payments or change a payment location/destination without verification by someone else.
Double check before sending any monies:
- Verify payment or bank details against those on record.
- Use ‘out of band’ verification – use another communication channel, such as a telephone call to a person/number already on record, to verify requests or transaction details received via email.
Reduce risk of exposure of sensitive company information and compromise of corporate email accounts:
- Define policies and procedures for email and social media use, not just for financial transactions, to instil good behaviours, e.g. for company email use.
- Establish acceptable use policies for social media and for use of company systems outside of the office.
Technical security measures
Use the capabilities of email security systems to enhance staff awareness and help them spot potential attacks:
- Scan inbound emails to limit the number of malicious, spam or phishing emails received by staff.
- Automatically flag emails from domains similar to the company email domain (e.g. if the legitimate domain is “@my-company.com”, flag email from “@my_company.com”).
- Automatically flag emails where the ‘reply’ email address is different to the ‘from’ email address; a sign of email spoofing.
- Colour code or add a banner to distinguish emails received from outside the company from those sent internally.
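The following script is an added example of the flagging rules described in the list above; it is not code from the original article. It assumes a constructed company domain (`my-company.com`) and executive name list, parses a raw message with the standard library, and returns warning flags for a look-alike sender domain, a Reply-To that differs from the From address, an external sender (banner candidate) and an executive’s display name arriving from outside the company.

```python
import email
from email.utils import parseaddr

# Assumed legitimate company domain and executive display names
# (constructed for this example, not values from the article).
COMPANY_DOMAIN = "my-company.com"
EXEC_NAMES = {"alex jones"}

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _brand(domain):
    # Registrable label with separators and common digit look-alikes
    # collapsed, so "my_company.com", "my-c0mpany.net" and the real
    # domain all reduce to "mycompany". Assumes two-label domains.
    labels = domain.lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    label = label.translate(str.maketrans({"0": "o", "1": "l", "3": "e"}))
    return label.replace("-", "").replace("_", "")

def flag_message(raw):
    """Return the list of BEC warning flags for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = _domain(sender)
    flags = []
    if sender_domain != COMPANY_DOMAIN:
        flags.append("external-sender")            # banner candidate
        if _brand(sender_domain) == _brand(COMPANY_DOMAIN):
            flags.append("lookalike-domain")       # e.g. @my_company.com
        if name.strip().lower() in EXEC_NAMES:
            flags.append("exec-name-external")     # display-name impersonation
    if reply_to and _domain(reply_to) != sender_domain:
        flags.append("reply-to-mismatch")          # replies go elsewhere
    return flags

# Constructed sample messages for a stand-alone run.
SAMPLES = {
    "internal": "From: Alex Jones <alex.jones@my-company.com>\nSubject: Hi\n\nOK\n",
    "lookalike": "From: Alex Jones <alex.jones@my_company.com>\nSubject: Urgent wire\n\nPay now\n",
    "reply_to": "From: Accounts <ap@my-company.com>\nReply-To: ap@mail-relay.example\n\nNew bank details\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, flag_message(raw))
```

The Reply-To check only covers the spoofing case where the header exists; a mailbox compromised outright (method 2 above) produces none of these flags and still needs the out-of-band verification described later.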
Take steps to address the risk of single factor authentication for corporate webmail:
- Consider implementing multi-factor authentication for remote email access. This addresses the risk of the cybercriminal gaining access to an internal email account (e.g. of the CEO) simply by compromising the password.
- If multi-factor authentication isn’t possible, make sure password policies require strong passwords that are regularly changed and that lock out the account after a set number of unsuccessful attempts.
Implement security measures to address mobile risks:
- Mobile devices may be lost, stolen or connected to insecure public Wi-Fi networks. Minimise the risk of attack and compromise of company email and systems by implementing controls such as multi-factor authentication for all mobile and remote workers.
Be Prepared to take action
Periodically test both awareness and readiness:
- Carry out social engineering tests or ‘fake attacks’ to see whether awareness raising has been effective, if procedures are adhered to and whether staff are confident enough to raise their concerns about suspicious requests.
- Make sure your incident response plan and testing of that plan includes these types of attacks; victims need to be able to react quickly.
Inform and report: it’s important to take action as soon as the attack and fraudulent transfer is identified:
- Through quick response upon detection it may be possible to track down, recall and/or freeze the funds.
- Immediately contact your financial institution.
- Contact the appropriate national fraud reporting body.
- Save all messages, emails and other evidence, such as IP addresses of the attackers, associated with the incident.
As we said earlier in this article, BEC attacks rely on social engineering. Therefore, to avoid becoming another victim:
- It is vitally important that all staff (existing and new starters) are aware of their role in protecting the business from BEC attacks.
- Make sure staff are made aware of the latest techniques being used by fraudsters, what to look out for, how to report an attack and, most importantly, are actively encouraged to question everything that deviates from the norm or is in any way suspect (even if the email request comes from the CEO).
- ‘Prevention is better than cure’ and ongoing training and awareness is imperative to develop good security habits and reduce the chances of a successful attack.