The Rising Threat of Business Email Compromise (BEC) and How to Stay Safe
Also, a preview of what Heimdal Security is doing about BEC attacks
Have you heard of the rising cyber-threat, business email compromise (BEC)?
The term covers a wide variety of malevolent behavior, but all forms of BEC have one thing in common: they need to get access to a business email account or to fake it.
In some cases, the BEC practice can refer to malicious actors spoofing or hacking into your business email account, in order to send fraudulent emails to your colleagues, employees or business partners.
In others, they could be spoofing or hacking into the business email account of a partner, in order to send you emails and gain an advantage from you.
SECURE YOUR ONLINE BROWSING!Get Thor Foresight
In all cases, whenever malicious third parties can manage to compromise a business email, they will work to make it worth their time, and extort the maximum amount of money and data that they can get their hands on.
Business Email Compromise is a type of threat which can wreak havoc among companies big and small, with global losses amounting to over 12 billion U.S. dollars between October 2013 and May 2018, according to official FBI data.
Here’s how it works, how you can take the first steps to protect yourself, and what we are doing to help.
How Does Business Email Compromise Work?
First, let’s set a bit of context.
In July 2019, the city of Atlanta lost over $800,000 just because of two simple emails from scammers. Using rudimentary phishing techniques, the fraudulent party simply got the city administration employees to wire two huge transfers into their accounts. In our experience, BEC fraudsters have begun to target institutions more and more, precisely because their awareness of Business Email Compromise is lower, and their defense systems tend to be underdeveloped compared to those of businesses.
In 2017, over 77% of all companies experienced fraud via a BEC attack. Since Q4 2017 and Q4 2018, there’s been a spike of 476% in all business email compromise attempts, according to Proofpoint. That’s a pretty explosive growth rate and it’s clearly a growth fed only by how well these tactics work.
In the autumn of 2018, the Australian authorities also reported noticing a significant spike in all business email compromise incidents. In one case, a business owner lost $40,000 by paying a fake invoice to a supplier whose account had been compromised.
Some malicious hackers behind these attacks, like the London Blue group, are continuously specializing in perfecting their technique. Recent March reports indicate that BEC attacks may be moving to mobile lately, under the guise of SMS texts. In any case, the market for BEC opportunities remains ripe and will probably continue growing in the future, since other types of cyber attacks are costlier and require more technical knowledge than the basic BECs.
So how do BEC attacks work? Well, like all social engineering attacks, they rely on the human factor in order to be successful. This means that the innate human tendency to be a social creature is what is exploited here.
Because people have an innate desire to be helpful and to prove one’s usefulness, they are likely to fall victims to BEC attacks. The desire to say ‘yes’ to a request overrides the desire to double-check if everything is in order with that request in the first place.
The Main Types of Business Email Compromise
BEC attacks can come in many forms, and the attackers behind them can have many targets, from your data or money to simply causing you reputational damage. Here are the main types of business email compromise that you need to be aware of.
#1. Internal account compromise
This first type of BEC is also the most straightforward to understand: it’s when hackers manage to log in fraudulently into one of the employees’ business email. Either by credential stuffing, by phishing or spear-phishing techniques or even through insider threat, sometimes an employee’s account can get hacked.
From thereon, hackers can have a field day wreaking all sorts of havoc inside your company. From sending themselves money to stealing records, important data (including intelligence to be sold to competitors) or the credentials for more inside accounts, there’s plenty of harm to do.
It can even get pretty sophisticated from a technical standpoint. Security researchers have uncovered a trojan (Emotet) that exfiltrates full emails instead of just email addresses when it manages to infect a machine. That means it can then send you a reply email containing the entire archive of replies from that conversation, making it appear super-legit.
#2. Joe Job
A so-called joe job is when hackers hack into your email (or just imitate it by spoofing) in order to send bad emails from it to third parties. It’s most often used for propagating spam, or for sending out defamatory messages of the target (the email domain which is being used or spoofed).
The goal of the attackers is that the people receiving the spam messages report them as spam, effectively putting your domain on a blacklist, or that they cause reputational damage. For example, just think of how people would react if they received emails with inappropriate content which seem to come from you. Few of them would stop and think that maybe your address has been hijacked in a joe job attack.
The name of this type of business email compromise attack comes from a security incident whose target was the webmaster Joe Doll, of joes.com, in 1997. When one user’s account was removed on the grounds that it was sending out spam, the former user retaliated.
He sent out another spam message with the ‘reply to’ header forged to make it appear the email was coming from the webmaster. This resulted not just in making people angry, but also got the domain itself into a series of denial-of-service responses, almost taking it down.
Today, when the technique is used, the hackers usually send out messages containing the Nigerian prince scam or some other well-known spam text, but putting in your contact details as indicated for replies.
#3. CEO fraud
In this type of BEC, the hackers don’t even have to be very tech-savvy or to actually hack into your systems. They can just send you an email from an address similar to the actual email of your CEO or another high-ranking executive within your company.
Most of the time, people don’t really double-check the spelling in an email address, especially when it seems time-sensitive to deliver a response.
Usually, these emails ask for your immediate assistance with a sensitive matter. Since people are willing and eager to help others, especially their boss, they provide the hackers with the data they’re asking for, or they make the requested money transfer and so on. Only later they realize something is off.
I wrote about CEO fraud extensively here, so feel free to read more and see how to better protect your business from this threat.
#4. Attorney / Legal Firm Impersonation
In other cases, the malicious hackers pose as the company’s attorney or legal firm, again asking for some sensitive data (information or documents) to be provided. If they obtain them, they can use the info for achieving their final purpose afterward (money or data theft, reputational damage and so on).
In some cases, they don’t even need to impersonate the company’s real legal advice team. It’s been reported that hackers often invent law firms altogether, and people still positively respond to these requests and fall right into their trap.
#5. Fake Invoice
One of the most damaging types of business email compromise is the one where hackers send a fake invoice, either in your name to third parties or in the name of a partner to your payments department.
Hackers tend to monitor a company’s operations for a long time before making their move. They excel at knowing exactly when to send an invoice or from whom, so it would not look suspicious to the people involved. If the email they are using seems legit, only the account where the money is to be sent is different, few employees are wise enough to suspect something’s amiss.
If the people targeted fall for it, the financial damage is already done by the time the fraud is discovered, and there is little chance of ever seeing that money back again. In some rare cases, your bank may be able to annul a transaction and get your company’s money back, but only if you respond to the incident in a very timely manner.
#6. Data theft
Finally, the last form of business email compromise we need to discuss is data theft through a BEC attack. Your company’s data has a high market value when it’s a competitor paying for the intel. If it’s not selling data, the hackers may be after obtaining credentials to bank accounts so they can empty them in a future strike.
In other cases, it may just be a disgruntled former employee who is looking to do some damage (the so-called insider threat discussed above, too). Whichever the case, nothing good will come out of it.
The Essential Steps to Protect Your Company from Business Email Compromise
Sadly, business email compromise attacks cannot be detected by conventional anti-virus solutions, so if you were relying just on that to keep your systems safe, you will need to up your game.
Here’s what you can do starting now.
1. Make sure everyone in the company receives cybersecurity training
As the anti-malware software landscape keeps growing stronger, things are lagging behind in only one regard: as always, the human factor. If it’s becoming increasingly hard to hack into a system via malware in order to steal money or data, why not just rely on human vulnerability in order to obtain them?
In fact, that’s what social engineering attacks are all about: the scheme relies on people’s natural tendencies to be helpful, to respond to urgency, to want to prove themselves, to not question the person in charge and so on. As long as employees within an organization will respond to these queues and triggers, the technical part of the attack just needs to imitate an email. That’s as sophisticated as it needs to be.
You can start taking steps to ensure a better cybersecurity education for your employees with our free cybersecurity course for beginners.
2. Review the company security policy and make sure everyone is aware of it
First of all, if you don’t have a company-wide cybersecurity policy, create one ASAP.
Second of all, don’t leave your existing policy just gather metaphorical dust in a corner: make sure everyone is on the same page with what’s allowed and what’s not, as well as the mandatory steps for each protocol.
Food for thought: do people take devices home for remote work every now and then? Do they have to follow a specific protocol for that? Do you they have limited admin rights for those devices? Do they have to sign off on any set of rules regarding what information security rules they need to abide by?
In most cases, for working roles which are not directly involved with data protection or IT security efforts, a company’s cybersecurity policy is limited to a PDF file dumped on you on your first day of work, among many other similar files and lots of other novelties to distract you. Few people bother reading their companies’ security policies in full, let alone strive to understand and apply their principles.
It’s no one’s fault, but people need a bit of help, so start by making this content friendlier. Then, don’t forget to actively and periodically follow up with new and existing employees to check whether everyone understands the company’s best security practices.
3. Check the validity of all out of the ordinary requests
Warning signs that an email you received might not actually be 100% legit:
- The request is irregular or unexpected in some way. For example, it comes from someone in a position of authority but who doesn’t usually send payment requests, or comes from a partner you haven’t heard in a while, or for a different amount than usual.
- The request includes new payment details (their bank account changed).
- The email address seems a bit off (a typo or a domain that doesn’t exactly match the name of the company you think you are communicating with).
- The email has a sense of urgency: whatever they are asking for needs to be done today, as soon as possible, or threatens consequences if the request is not fulfilled.
Encourage your employees to check for these warning signs. Create a culture of vigilance, where it never hurts to ask other people for a second opinion. Make them feel comfortable to ask the CEO about it directly through a separate channel if they receive a request coming from him or her.
Furthermore, nurture a culture of security protocols with your business partners, too. For example, establish that your contact person for each of them is previously agreed upon and can only be changed through notifications coming through multiple channels. Or whatever else can help both parties streamline their activity while also being sure they’re not being targeted by online criminal impersonation.
What We Are Doing to Help with Business Email Compromise
As mentioned above, the tricky part about BEC attacks is that they aren’t detectable by conventional anti-virus solutions. Luckily, we aren’t a regular anti-virus company either. Since we’re striving to stay on top of the hackers’ game, we thought about what we can do to proactively prevent their plans from materializing.
To help thwart the wave of rising business email compromise incidents, we are working on launching a new module specifically designed to prevent BEC attacks. The module will be available as a standalone product, regardless of whether you opt for our anti-virus (Thor Vigilance) or malware prevention solution (Thor Foresight).
With this new module installed into your company’s systems, you can make sure that all employees within your organization are protected from business email compromise attacks. The module will signal everyone who’s receiving an email whether that email is legit or not, regardless of how correct the email address seems to be.
This way, you can focus on what really drives your business without needing to worry about business email compromise on top of everything.
We’re working hard on this and we can expect the new email safety module to be available soon. We’ll keep you updated here on the blog and via our newsletter, so if you haven’t subscribed yet, do so.