BEC is a possibility that you must not overlook!
“Ways to Get Around Spam Filters.” A Google search for that phrase yields over 6 million results. Since spam accounts for 55% of all email, some of it is bound to get through your spam filter. Business email compromise (BEC) attacks would almost certainly be among those that get through.
A business email compromise attack is a type of phishing attack that targets business email. A BEC attack, also known as BEC theft, involves an attacker taking control of an organization’s email account. When the account belongs to a CEO or other high-ranking executive, it’s referred to as whaling or CEO fraud.
Let’s look at an example of how such an attack could play out. Michael works in a multinational corporation’s sourcing department. He’ll have a bad day ahead of him:
Michael’s day began in the same way as any other. He had just returned to his desk with coffee number three, just in time to receive an email from his boss. It was a standard message informing him that he needed to handle a priority invoice.
Michael hesitated, despite the mundane nature of the request. Something wasn’t quite right, and he couldn’t put his finger on it. He paused, thinking that further investigation was needed. The amount was a little more than he normally deals with, but nothing out of the ordinary. He carefully examined the attached invoice, which was in the same familiar format, with the company logo, that he had always received. The wire transfer request named the bank that his company used on a regular basis. Nothing seemed out of the ordinary. Michael arranged for the funds to be wired.
Michael was notified later that day that he had been the target of a business email compromise attack. The email had indeed come from his boss’s account. Hackers had gained access to that account. They did their research and named the same bank as Michael’s company to make the invoice look valid. It’s plain to see why Michael set his suspicions aside.
This example of a business email compromise is based on a real-life attack that occurred last year. At least 12 companies in at least five countries were targeted by three men in Spain. They cheated businesses out of $11 million. Just over $1 million has been recovered so far.
Types of Business Email Compromise
There are many different forms of business email compromise — the exact number depends on who you ask and how threats are classified. In this post we’ll categorise BEC attacks the same way the FBI does, and we’ll go through five different BEC scenarios. Keep in mind that many real-world BEC attacks combine elements from several forms.
Business Working with a Supplier
Bogus! The word implies that something is fake, which is why this scenario is commonly referred to as the “bogus invoice scheme.” It is the scheme that was used against Michael and his real-life counterparts. The invoice appeared genuine because the hackers did their homework to make it look that way. Attackers can collect details at their leisure to make the request seem as credible as possible, while the intended target is usually under pressure to respond within a certain amount of time. As a result, the attackers have a distinct advantage.
In one instance, the perpetrator pretended to be an entire corporation and received more than $120 million as a result of his phishing. Facebook and Google were his main targets. Evaldas Rimasauskas set up a business in Latvia with the same name as a manufacturing company in Asia that Facebook and Google used. He then sent phishing emails to employees who did business with the vendor on a regular basis. The emails instructed employees to use a new bank account for wire transfers.
The funds were transferred to Rimasauskas’ accounts. Fortunately for Facebook and Google, the money was traceable and was eventually recovered. Rimasauskas was recently sentenced to five years in prison, $50 million in forfeiture, $26.5 million in restitution, and two years of supervised release.
Executive Request for Wire Transfer
This form of business email compromise is usually referred to as “CEO fraud.” An intruder gains access to a high-ranking executive’s email account. They then pose as the executive and request that an employee wire money. The intruder typically adds a sense of urgency to the message.
Upsher-Smith Laboratories experienced exactly this. The pharmaceutical firm unintentionally sent tens of millions of dollars to hackers on multiple occasions! Over the course of three weeks, nine wire transfers totaling more than $50 million were made. In phishing emails to accounts payable, the attackers pretended to be the company’s CEO, instructing staff to make nine fraudulent wire transfers. To avoid accounts payable fraud, Upsher-Smith Laboratories could have implemented automation and other cybersecurity measures.
Rather than gaining access to an email account, the attacker may register a domain that is very similar to the company’s own (a lookalike of ibm.com, for example). The email is then sent from that domain, in the hope that the slightly different domain name will go unnoticed.
Take the term “CEO fraud” with a grain of salt. Any high-level executive, director, or manager can be targeted by this BEC attack. BEC fraud is another term you’ll hear.
Fraudulent Correspondence Through a Compromised Personal Email
This form of BEC is designed to get around corporate security systems. Instead of using an executive’s business account, the intruder uses the executive’s personal email, inventing a justification for why personal email is being used. They may even persuade an employee to use their own personal email account. Citing confidentiality, they invent a reason for requests such as buying gift cards as surprise incentives.
This form of BEC fraud was used in the 2016 DNC hack. The attackers first attempted to gain access to DNC email accounts. After that failed, they went after personal email accounts. A phishing email was sent to John Podesta’s personal email address. He clicked the link in the email, and the rest is history.
Executive and Attorney Impersonation
Attackers use confidentiality and urgency to pressure employees into assisting with a fund transfer. After all, if the lawyers have been called in, it must be important!
One unlucky CEO lost a million dollars as a result of this business email compromise. He bought property in Belize and paid for it with a wire transfer. Barrow and Williams is the seller’s real estate law firm. The firm uses the domain barrowandwilliams.com for its email addresses.
The attacker had obtained unauthorized access to the victim CEO’s email account. By reading the CEO’s emails, he found out about the purchase and learned that the CEO was awaiting instructions on how to proceed with the wire transfer.
So he purchased the domain barrowsandwilliams.com. Did you notice the slight difference? It’s easy to overlook. The hacker then sent his own wire transfer instructions, using a domain name that looked like the one belonging to the seller’s actual attorney. The CEO obliged, wiring the hacker over $1 million. The full criminal complaint contains all of the specifics.
Data Theft
This form of attack is often used as a scout for subsequent BEC attacks. The attacker typically goes after W-2 forms or other personally identifiable information about employees. Expect to see more attempts to obtain W-2 forms during tax season, since the request is more believable at that time.
The CEO of Pivotal Software was successfully impersonated in an email. It asked an employee to send confidential W-2 details on all employees to the hacker, which he did. Pivotal employees then received a not-so-reassuring letter about the attack.
Although no money was exchanged in this business email compromise, W-2 information is useful in a number of ways. A bad guy has the ability to:
- Sell the data on the dark web
- Use the data for identity theft
- Use the data to launch other BEC attacks
9 Ways to Defend Against BEC Attacks
Trust But Verify
Better still, don’t trust at all: verify, verify, verify! If you have any suspicions, contact the source directly. Never send money to a new account without first making sure it’s valid. Verifying an email by replying to it is not a good idea. Pick up the phone and call the source — and never depend on a phone number in the email itself for verification!
Train All Employees on Security Awareness
A variety of vendors provide security awareness training. However, training is just one part of a security awareness programme. Other elements include:
- Promotion — use a range of channels to promote the security awareness programme, such as posters, newsletters, and webinars.
- Security Ambassadors / Champions — volunteers from outside IT and security who help raise security awareness and foster a positive security culture in their own departments.
- Gamification — adding a fun element to an activity in order to motivate participants.
- Executive Sponsorship — a crucial aspect of the security awareness programme. Executives must set an example by not only endorsing the initiative but also participating actively in the security awareness community.
- Advisory Board — security awareness programmes benefit the entire organisation and are most successful when marketing, human resources, and other departments outside IT and security are involved.
A security awareness programme’s aim is to foster a security-conscious culture, making security a natural part of the workday and even of life at home.
Verify the Site Is Secure and Legitimate
If you’re led to a website, look for the lock icon in your browser and make sure it’s using SSL and has a valid SSL certificate issued to the correct business.
Use Multi-Factor Authentication for Corporate Email
One of the most popular ways to secure email accounts is to use multi-factor authentication, also known as 2FA. Logging in requires more than just a password: it requires something you know (a password) combined with something you have (a token) or something you are (e.g., a fingerprint).
Set Email Options to Flag External Emails
If your email system supports it, there are several ways to do this:
- Display external emails in a different colour from internal emails.
- Add domains that you know are malicious or dangerous to your blacklist.
- Add domains that you know are safe to your whitelist.
- Prompt users to accept or reject emails from potentially dangerous domains.
Use Digital Signatures in Email
Digital signatures assure the recipient that the email really came from the sender and that its contents have not been tampered with. Certificates are needed for this. Providers such as SectigoStore.com sell them for a low price.
Detect and/or Block Emails from Domains That May be Masquerading as Your Domain
Oracle, for instance, should block orcarle.com. Most of us aren’t in the habit of reading the “From:” line of our emails carefully.
Detect and/or Block Emails That Have a “Reply To:” Address That Differs from the “From:” Address
Most of us read the “Reply-To:” line even less carefully than the “From:” line.
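The three mail-filter checks described above (flag external senders, detect domains that look like your own, and detect a “Reply-To:” that differs from “From:”) as an added example, not code from the original post. It assumes oracle.com stands in for “your own domain” (the page’s own orcarle.com lookalike is used as the bad sender) and uses edit distance as the lookalike test; the sample messages are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: oracle.com stands in for "your own domain"; orcarle.com is the page's lookalike example.
PROTECTED_DOMAINS = {"oracle.com"}

# Constructed sample messages (not real mail): a lookalike sender, a Reply-To mismatch, a clean one.
SAMPLE_LOOKALIKE = (b"From: CEO <ceo@orcarle.com>\r\nTo: ap@oracle.com\r\n"
                    b"Subject: Urgent invoice\r\n\r\nPlease wire today.\r\n")
SAMPLE_REPLYTO = (b"From: Boss <boss@oracle.com>\r\nReply-To: boss@mail-relay.example\r\n"
                  b"To: ap@oracle.com\r\nSubject: Re: payment\r\n\r\nUse the new account.\r\n")
SAMPLE_CLEAN = b"From: HR <hr@oracle.com>\r\nTo: ap@oracle.com\r\nSubject: Hi\r\n\r\nHello.\r\n"

def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character insertions/deletions/substitutions turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value) -> str:
    """Lower-cased domain part of an address header; '' if the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def check_message(raw: bytes, protected=PROTECTED_DOMAINS, max_distance=2) -> list:
    """Return the warning flags a mail filter would attach to this message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    flags = []
    if from_dom not in protected:            # flag external emails
        flags.append("external")
    for own in sorted(protected):            # domains masquerading as your domain
        if from_dom != own and levenshtein(from_dom, own) <= max_distance:
            flags.append(f"lookalike-domain:{from_dom}~{own}")
    if reply_dom and reply_dom != from_dom:  # Reply-To differs from From
        flags.append(f"reply-to-mismatch:{reply_dom}")
    return flags

if __name__ == "__main__":
    for name, raw in [("lookalike", SAMPLE_LOOKALIKE), ("reply-to", SAMPLE_REPLYTO), ("clean", SAMPLE_CLEAN)]:
        print(name, check_message(raw))
```

A real deployment would add the organisation’s partner domains to the protected set so that lookalikes of a vendor (barrowsandwilliams.com for barrowandwilliams.com) are caught too, and would tune max_distance to avoid false positives on short domain names.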
If You’re Being Pressured to Act, Stop and Think!
If anything seems wrong, or if you’re being pressured by urgent messages, take a few moments to pause and think before acting. Ask yourself whether the request sounds genuine, and if it doesn’t, go back to step one.
What If I Fall Victim to a BEC Attack?
According to the FBI, these are the three steps you should take if the attack resulted in a transfer of funds:
- Contact the financial institution concerned right away.
- If the wire transfer is recent, contact your local Federal Bureau of Investigation (FBI) office. The FBI may be able to assist in returning or freezing the funds.
- Submit a report to the FBI’s Internet Crime Complaint Center (IC3) complaint referral form, regardless of the amount of money lost.
Review the previous section’s recommendations and put any missing safeguards in place. Note that none of these steps involve assigning blame. If employees are blamed for BEC attacks, they will be discouraged from reporting incidents and seeking advice. Review the security awareness training as well; it should use positive reinforcement on an ongoing basis, not just once or twice a year.
Taking the right steps won’t guarantee that you won’t be a victim of a business email compromise, but it will dramatically reduce the chances. Over the three-year period from June 2016 to July 2019, the FBI IC3 registered 166,349 BEC incidents, with losses totaling more than $26 billion. Defending against BEC should therefore be a top priority for you.