Business Email Compromise (BEC) attacks are increasing at an alarming rate and look set to remain a favoured method of cyberattack in the future. In this blog article, Phriendly Phishing’s Executive Director, Damian Grace, provides guidance on what you can do TODAY to reduce your organisation’s risk.
Australian businesses self-reported losses of over $98 million last financial year to BEC attacks. These reported losses may even be a drop in the ocean, as actual losses are expected to be much higher, and do not include the cost to the customers of victims, nor the capital and recurring costs of cyber security incident remediation.
What draws cybercriminals to target Australian organisations in this way? Australia’s large number of online transactions, early adoption of emerging technologies and use of software favoured for exploitation by cybercriminals all play a role, but the main reason is that BEC attacks offer cybercriminals a great ROI: high returns, and a low chance of prosecution for attacks originating from overseas.
What is a BEC attack?
A Business Email Compromise (BEC) is a form of spear (targeted) phishing that aims to trick employees (generally in finance or HR) into transferring funds into a ‘new’ business bank account (belonging to the cybercriminal) or sharing sensitive information at the request of a cybercriminal impersonating a senior executive.
Cybercriminals use social engineering and/or hacking techniques to compromise legitimate email accounts, or spoof (create fake) emails so that they appear to come from a high-level employee, co-worker or supplier. The most commonly spoofed positions are the CEO and managing director, and the most commonly targeted are the CFO and finance director (3).
The five common types of BEC attack are:
- A scammer impersonates the CEO (or another high-ranking executive) and sends scam emails trying to get an employee to transfer funds or confidential information.
- A scammer impersonates a law firm, or someone from a law firm, usually requesting that funds be transferred into an account to settle an ‘overdue bill’.
- A scammer hacks into the email account of a business that has a relationship with a supplier. They then impersonate the supplier and request that ‘unpaid bills’ be paid to a ‘new’ account.
- A scammer hacks into the email account of an employee (usually in Finance) and contacts customers on the contact list, stating a problem with a payment and requesting that payments be made to a ‘new’ account.
- A scammer impersonates targeted employees (usually in HR) and sends requests to employees and executives asking them to verify or update personal information.
Cybercriminals use two approaches. The first is low quality (basic research), high quantity: bombarding an organisation with multiple spear phishing emails in the hope that a link will be clicked. The second is high quality (highly researched), low quantity: here it is much harder for employees to tell real emails from counterfeit ones, and the email is more likely to pass spam filters and whitelisting.
A cybercriminal researches their targets using company websites, LinkedIn and social media to learn the names, work titles, email addresses and interests of their targets. Once they’ve compromised their target employee’s email account “they’ll generally wait and observe email communications for at least a month before initiating the attack,” say Shearwater’s Incident Response Team, based on their findings when providing post-attack security hardening services. They’ll look for upcoming travel and events, suppliers and regular financial transactions, the arrival of new starters and key decision makers taking leave in their target department.
Cybercriminals research their targets using social media, in preparation for a BEC attack.
BEC attacks are dangerously effective because they are socially engineered – designed to leverage human nature. They appear to come from a senior colleague or a supplier, may appear to cc other employees or to be a forwarded email, will request actions within the target employee’s normal range of duties and will often display knowledge of confidential company information, all designed to reduce suspicion. Attacks are usually initiated when key decision makers are away from the office, at an inconvenient or busy time, and the request is always ‘urgent’ and ‘important’.
There are two mechanisms for the delivery of a BEC attack: spoofing an email, and compromising a legitimate email account.
A range of tactics are used to make an email appear to be from a trusted source or colleague:
- Using the email header – to make the message appear to have originated from a trusted source
- Using an email address that is almost identical to the address they are impersonating
- Using an almost identical domain name (that the cybercriminal has purchased and configured to look like the company domain)
A spoofed email may contain a link that will install malware, leading to account compromise.
The attacker’s aim is to gain access to their target employee’s email account. This is commonly achieved with a phishing email containing a link that installs malware, a phone-based vishing call, or a USB drop, tricking victims into divulging login credentials or installing malware or keyloggers on their computers or devices. Once the account is compromised, the attacker monitors it for opportunities for exploitation, using it for further research and to send emails to target employees, while taking steps to ensure that the legitimate owner of the account is unaware.
What you can do TODAY to protect your organisation
An effective defence from BEC attacks requires a proactive, three-pronged approach, focusing on:
- Employee training
- Updating business policies and procedures
- Selecting and configuring technology
1. Employee training
Ensure that ALL employees within your organisation receive the latest phishing prevention training. For a fast and effective solution, offering an excellent ROI, seek a third-party provider that can deliver a proven, scalable, cloud-based solution that incorporates engaging cybersecurity training and phishing simulations and reporting to benchmark and provide ongoing risk reduction. As BEC attacks generally target CEO, CFO, HR and finance roles, it is imperative that training is prioritised for these roles.
In the interim, advise employees of the tell-tale signs of a basic BEC attack email. Look out for a combination of:
- A request to change bank account details, make a money transfer or provide confidential information
- A request that is urgent and asks for secrecy
- An email signature that is missing, incomplete or incorrect
- Poor grammar or spelling
If employees receive an email with these characteristics, they should:
- Check the address in the ‘from’ field (is it really from who they think it is?)
- Check with the sender either face-to-face or by phone (using the company directory, NOT the contact details within the email)
- Not open any attachments or click on any links
- Notify their IT department.
Ensure that ALL employees receive the latest phishing prevention training.
2. Update policies and procedures
The following updates to your organisation’s policies and procedures will help to reduce your BEC attack risk and help you to correctly manage phishing emails that reach employee inboxes.
- You may choose to make it mandatory that requests for transferring funds, changing payment details or providing confidential information:
  - Are not made via email, and/or
  - Require a verification process of two or more steps, with written approval for large amounts and confirmation face-to-face or via telephone (using an internal phone book, NOT a number in the email)
- Create/update policies and procedures for the safe handling of suspicious emails.
- Create/update policies and procedures for communicating with suppliers.
- Promote file sharing on your organisation’s internal networks to reduce the need to email files.
Ensure that ALL employees are made aware of these changes.
3. Select and configure technology
The following technology solutions will help to reduce your BEC attack risk by blocking or quarantining suspicious emails before they reach employee email inboxes and flagging higher risk emails or content to alert users.
- Implement multi-factor authentication for both employee workstations and remote access, to make it harder for cybercriminals to compromise employee email inboxes.
- Ensure your organisation publishes SenderID/SPF records for its domain and that checks are conducted on emails claiming to be sent from this domain. Request that your suppliers do the same.
- Register domains that vary slightly from your organisation’s actual domain to prevent cybercriminals from being able to do this.
- Implement and correctly configure Domain-based Message Authentication, Reporting and Conformance (DMARC), which builds on Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM), so that both email authentication technologies are enforced on all emails and the sender of a message can be identified, and:
- Block SPF hard fails (emails verified as not originating from the domain they claim to come from)
- Block DKIM verification fails, then log, investigate and inform the spoofed organisation
- Quarantine and flag to users any SenderID/SPF soft fails
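As an added illustration (not code from the article), the following Python sketches how a mail gateway could apply the three rules above to the Authentication-Results header that its own inbound MX stamps. The authserv-id mx.example.com, the example.com domains and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.example.com"   # assumption: the authserv-id your own inbound MX stamps

def sample(auth: str, sender: str) -> str:
    """Constructed test message (not real mail) with a given Authentication-Results value."""
    return (f"Authentication-Results: {auth}\nFrom: {sender}\n"
            "Subject: Urgent payment\n\nPlease action today.\n")

SAMPLES = {
    "spf_hardfail": sample("mx.example.com; spf=fail smtp.mailfrom=ceo@example.com; dkim=none", "ceo@example.com"),
    "dkim_fail": sample("mx.example.com; spf=pass; dkim=fail header.d=supplier.example", "ap@supplier.example"),
    "spf_softfail": sample("mx.example.com; spf=softfail smtp.mailfrom=partner.example; dkim=none", "cfo@partner.example"),
    "clean": sample("mx.example.com; spf=pass; dkim=pass header.d=example.com", "hr@example.com"),
    # header stamped by some other host: a sender can forge this, so it must carry no weight
    "forged": sample("relay.evil.example; spf=pass; dkim=pass", "ceo@example.com"),
}

def parse_auth_results(raw: str) -> dict:
    """Return {method: result} from Authentication-Results headers stamped by our own MX."""
    msg = message_from_string(raw)
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.IGNORECASE):
            results[m.group(1).lower()] = m.group(2).lower()
    return results

def triage(raw: str) -> tuple[str, str]:
    """Apply the three rules above in order; returns (action, reason)."""
    r = parse_auth_results(raw)
    if not r:
        return "quarantine", "no authentication results stamped by our MX"
    if r.get("spf") == "fail":
        return "block", "SPF hard fail: sender not authorised for the claimed domain"
    if r.get("dkim") == "fail":
        return "block", "DKIM verification fail: log, investigate, inform the spoofed organisation"
    if r.get("spf") == "softfail":
        return "quarantine", "SPF soft fail: quarantine and flag to the user"
    return "deliver", "no SPF/DKIM failure recorded"

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13} -> {triage(raw)}")
```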
Flags and alerts
- Flag external emails, e.g. by adding [EXT] to the start of the subject
- Set alerts on the creation of mail forwarding rules, or unusually high outbound email volumes.
- Flag emails from domains that closely resemble your corporate email domain
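An added example, not from the article, of the external-mail tagging and lookalike-domain flagging described above, which also covers the near-identical address and domain tactics listed earlier under delivery mechanisms. The corporate domain example.com, the homoglyph table and the [EXT]/[EXT-LOOKALIKE] tags are assumptions.

```python
from email.utils import parseaddr

CORPORATE_DOMAINS = {"example.com"}  # assumption: your organisation's real mail domains

# Characters and digraphs commonly swapped in to imitate a domain; normalised before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalise(s: str) -> str:
    return s.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, so exampel.com (a transposition) still scores close to example.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str) -> str:
    """Return 'internal', 'lookalike' or 'external' for the address in a From: header."""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in CORPORATE_DOMAINS:
        return "internal"
    for corp in CORPORATE_DOMAINS:
        # same first label under a different TLD, e.g. example.co
        if normalise(domain.split(".")[0]) == normalise(corp.split(".")[0]):
            return "lookalike"
        # small edit distance after homoglyph normalisation; tune the threshold for short domains
        if levenshtein(normalise(domain), normalise(corp)) <= 2:
            return "lookalike"
    return "external"

def tag_subject(subject: str, from_header: str) -> str:
    """Prefix the subject the way a gateway rule would, leaving internal mail untouched."""
    kind = classify_sender(from_header)
    if kind == "internal":
        return subject
    tag = "[EXT-LOOKALIKE]" if kind == "lookalike" else "[EXT]"
    return subject if subject.startswith(tag) else f"{tag} {subject}"
```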
Software and logging
- Ensure that antivirus software is up-to-date and correctly configured.
- Keep blacklists and whitelists up to date
- Provide users with the ability to report suspicious emails to IT (e.g. with free Outlook add-ins like S.C.A.M. Reporter)
- Ensure that logging is switched on for the email content filter and email servers and that logs are regularly audited. If your organisation is the victim of a successful cyberattack, these logs will enable faster detection and remediation work.
- Provide a safe environment for the IT security team to investigate suspicious emails.
- Provide the ability for file sharing on your organisation’s internal networks to reduce the need to email documents.
If your organisation is high risk, the ACSC recommends the following to reduce the likelihood of a user clicking on a malicious link or opening a spoofed attachment (4):
- Convert attachments to PDF (and quarantine originals)
- Whitelist attachments based on file type checks, to identify and block spoofed attachments
- Block encrypted attachments
- Replace active web addresses in an email’s body with non-active versions. The user must then copy and paste the URL and will have the opportunity to detect a difference between the displayed and actual URL.
- You may also wish to block any non-authorised third-party email services.
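An added example, not the article's or the ACSC's own code, of the recommendation to replace active web addresses with non-active ones: it renders the links in an HTML body as plain text showing the real, defanged destination, and reports any anchor whose displayed URL differs from its actual href. The hxxp/[.] defanging convention and the sample body are assumptions.

```python
import re
from html.parser import HTMLParser
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def defang(url: str) -> str:
    """Non-clickable form: https://bank.example/x -> hxxps://bank[.]example/x"""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE).replace(".", "[.]")

class LinkRewriter(HTMLParser):
    """Plain-text rendering in which every link shows its real, defanged href,
    plus a list of anchors whose visible text is a URL differing from the href."""
    def __init__(self):
        super().__init__()
        self._href = None      # href of the <a> currently open, else None
        self._text = []
        self.out = []
        self.mismatches = []   # (displayed URL, actual href)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
        else:  # bare URLs in running text are defanged in place
            self.out.append(URL_RE.sub(lambda m: defang(m.group(0)), data))

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            if URL_RE.fullmatch(shown):
                if shown.rstrip("/").lower() != self._href.rstrip("/").lower():
                    self.mismatches.append((shown, self._href))
                shown = defang(shown)
            self.out.append(f"{shown} <{defang(self._href)}>")
            self._href = None

def rewrite_body(html: str) -> tuple[str, list]:
    """Return (rewritten text, mismatches) for an HTML email body."""
    p = LinkRewriter()
    p.feed(html)
    p.close()
    return "".join(p.out), p.mismatches
# Constructed sample: the visible text claims the bank's portal, the href goes elsewhere.
SAMPLE = ('<p>Please confirm the new account at '
          '<a href="https://login.bank-example.co/verify">https://www.bank.example/portal</a> '
          'or read https://www.bank.example/help.</p>')
```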
The three-pronged approach above provides general recommendations for reducing your organisation’s risk in relation to BEC attacks.