The FBI recently issued a warning to be on the lookout for business email compromises (BECs). Also known as “Man-in-the-Email” scams, BECs are sophisticated social engineering exploits in which the attacker spoofs a corporate email account or uses a lookalike account to trick targets into sending money to the attacker’s bank account. Organizations that work with foreign suppliers and regularly transfer funds electronically are prime targets because the laws in many foreign countries are very lax regarding computer crime. BEC attacks generally require more time and effort than other types of phishing exploits. However, they are proving to be a very effective method for cybercriminals to scam unsuspecting victims.
How a Business Email Compromise Works
BECs are a form of phishing attack, but unlike traditional phishing attacks, which target a wide audience, BECs generally focus on employees with authority to make or approve financial transactions. Cybercriminals start by researching the target organization from a variety of sources, such as recent news about the company, its latest press releases, and the social media profiles of targeted employees, to gather information they can use to make their attacks more convincing.
Once the attacker has finished researching the target organization, they use a zero-day or near-zero-day attack together with traditional phishing tactics to trick or coerce the intended victim into providing their login credentials. They then send email messages from the compromised account using one or more of the following tactics:
- Asking the finance department to make a wire transfer payment to a supplier as soon as possible to settle a legal dispute or pay for an overlooked or past-due bill.
- Notifying the finance department that the payment location for an invoice coming due has changed to a new account which is owned by the scammer.
- Sending invoices to customers alerting them that there was a problem with their payment and that they need to resend it to a different account.
There are variations on these tactics where the attacker uses the spoofed account to request sensitive information, such as social security numbers or W2s, that can be used in subsequent and more damaging cyber-attacks.
The phony requests often include language stating that the transfer is time sensitive and confidential, to prevent the target from following up and confirming the legitimacy of the transaction before the transfer is complete. Because the request comes from a valid company email account and reflects what the attacker has learned about the company’s suppliers and disbursement policies, the payment is processed and the money is transferred to the attacker’s account with no questions asked. The transaction appears legitimate, so it can be months before the theft is discovered, if it is ever discovered, by which time the attacker has drained and closed the account.
Preventing Business Email Compromise Attacks
Without good threat intelligence, it can be difficult to defend your organization against BEC attacks. They don’t involve malware, so antivirus and email filters rarely thwart BEC attacks. Requiring multi-factor authentication for logging in to email makes it much more difficult for cybercriminals to spoof company email accounts and use them to launch BEC attacks. However, the best defense is training and awareness. All your employees, especially your finance staff, need to be educated on these types of attacks and trained to respond to them effectively, including:
- How to spot a phishing attack and what to do if they receive suspect emails. Provide awareness training tips and examples of phishing emails that demonstrate exactly what to watch for and how to treat unsolicited email from unknown senders.
- Confirming email requests from C-level executives requiring an urgent payment outside of the normal approval process and to a different bank. A multi-step authorization process for disbursing payments should be implemented that doesn’t rely solely on email for invoice approvals.
- Verifying payment details received via email from vendors before wiring funds, to ensure they are legitimate. If they differ from what has been done for this vendor in the past, call the vendor and ask about it. Do not use the phone number on the invoice!
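Two of the checks above (does the sender really belong to our domain, and do the payment instructions depart from past practice) can also be automated at the mail gateway or in a triage script. The following is an added example, not code from the original article: it flags a lookalike sender domain, a Reply-To that does not match the From address, and payment-change or urgency language in the body. The company domain and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # assumed defender domain, constructed for this example
URGENCY = re.compile(r"\b(urgent|asap|immediately|today|confidential)\b", re.I)
ACCOUNT_CHANGE = re.compile(r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|iban|routing|wire)\b", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one substitution, insertion or deletion counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, trusted: str) -> bool:
    """Near miss of the trusted domain: a typo/homoglyph, or the trusted name buried in a longer one."""
    domain, trusted = domain.lower(), trusted.lower()
    if domain == trusted:
        return False
    # Distance <= 2 is generous; tighten it for short domains to limit false positives.
    return edit_distance(domain, trusted) <= 2 or trusted.split(".")[0] in domain

def bec_indicators(raw_email: str) -> list:
    """Return the BEC warning signs found in one RFC 822 message (plain-text bodies only)."""
    msg = message_from_string(raw_email)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []
    if is_lookalike(from_domain, COMPANY_DOMAIN):
        findings.append(f"lookalike sender domain: {from_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if ACCOUNT_CHANGE.search(body):
        findings.append("body asks to change payment account details")
    if URGENCY.search(body):
        findings.append("body applies urgency or confidentiality pressure")
    return findings

# Constructed sample message for the example; not a real incident.
SAMPLE = """\
From: "Pat Rivera, CFO" <pat.rivera@examp1e-corp.com>
Reply-To: pat.rivera.cfo@mail-example.net

Our supplier changed their bank account for invoice 4471. Please wire today and keep it confidential.
"""
```

Any hit on the first two checks is worth a phone call to the requester on a known-good number; the body checks alone are only a prompt for closer review.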
BEC attacks aren’t going away any time soon. Experts project over 9 billion dollars will be lost to BEC attacks in 2018 alone. If you haven’t done so already, now is the time for your security office to start working with the finance team to get them properly educated and aware of how to spot and stop BEC attacks.