Is your organization ready to combat Business Email Compromise (BEC) attacks?
Business Email Compromise (BEC) attacks are a type of phishing attack where cybercriminals send emails to targeted personnel posing as fellow employees, managers, retirees, or contractors, in an attempt to establish a trusted relationship or take advantage of one that already exists. Once hackers make a connection, they exploit that trust to extract sensitive financial information, re-route vendor payments, send payroll direct deposits to an account they control, and other such nefarious activities. If the hackers can compromise an email account of someone within the organization, gaining access to their business contacts and other sensitive data, they use those resources to launch additional attacks against the company, its customers, or its business partners.
Business email compromise attacks affect commercial and governmental entities as well as non-profits. In December 2020, for example, hackers targeted and compromised the affordable housing organization One Treasure Island through a third-party bookkeeper. They inserted themselves into an email chain, pretended to be associated with the non-profit, and within a month, siphoned $650,000 from the organization.
BEC attacks are only increasing in frequency and complexity as attackers expand their strategies to exploit remote work tools and platforms now common in businesses. Given that the number of attacks and the amount of money stolen continues to rise, it’s more critical than ever that organizations adopt plans, policies, and training to combat such attacks.
Stay on top of Business Email Compromise attack stats and trends.
The FBI’s annual Internet Crime Report for 2021 showed that BEC attacks were at a record high for reported financial losses, accounting for approximately $2.4 billion USD, up 28% from 2020. One area pushing that growth, as reported by the Internet Crime Complaint Center (IC3), is hackers’ use of virtual meeting platforms to target their victims. In those attacks, hackers use compromised corporate email accounts to schedule virtual meetings with other employees, usually concerning things like payroll, vendor payments or other financial transactions. When starting the virtual meeting, the hackers will use a still image of the targeted executive they are impersonating and disable their video. Then, blaming “technical difficulties,” they will proceed with the meeting and give employees instructions to initiate wire transfers or other transactions to accounts they control. Once the transactions are completed, the hackers will quickly transfer their ill-gotten gains to hard-to-recover cryptocurrency.
BEC scams involving gift cards have been used for years. According to information security training provider KnowBe4, in recent years these are even more popular than scams utilizing wire transfers. In many cases where gift cards are involved, the scammer will impersonate a high-level executive within an organization to ask an employee via email to purchase gift cards from well-known stores. A typical employee, understanding that their boss doesn’t have time to run trivial errands, may not hesitate to follow such instructions. While gift card scams do not yield the sizable monetary rewards of the more complex scams utilizing wire transfers, they are far simpler and thus remain a favorite among cybercriminals.
While we’ve focused the discussion here on compromised corporate email accounts, BEC scams can also utilize free email accounts – an unlimited, free and plentiful resource. In 2020, for example, free email accounts were used in more than three-fourths of BEC attacks, and Gmail accounts were the most popular, accounting for 60% of those targeted.
Prevent BEC attacks with employee training, policies & procedures.
The first step to preventing BEC attacks (and other types of attacks) is to implement basic security practices, including spam and malicious email filtering, multi-factor authentication and the like. It’s also a good idea to implement external email notifications that place a banner at the top of any incoming emails originating from outside the organization. This makes it easier to identify people who are using slightly altered email addresses to pose as an insider.
Technical controls can be very effective at weeding out potentially dangerous emails, and blocking identified scammers should be part of your security practices. That said, a BEC attacker’s ability to easily obtain a new, free email account at will makes it that much more difficult to prevent those messages from reaching the intended recipients. The emails originate from valid domains and often haven’t been used enough to be tagged by filtering systems as potentially dangerous. So, even with the best technical protections in place, technology alone won’t solve the problem entirely.
Given that the ability of email security systems to identify and block BEC messages is limited, organizations also must rely on the human in the loop as the last line of defense. There are basic email security practices and principles that must be addressed in your organization’s IT security training program, including:
- avoiding clicking on links in suspicious emails;
- avoiding downloading attachments in suspicious emails;
- carefully examining the sender’s email address for any inconsistencies;
- being suspicious of emails asking to complete unusual tasks or requests; and
- being wary of any messages conveying a sense of urgency to take some action.
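The external-sender banner described earlier and the sender-address inspection in the list above can both be automated at the mail gateway. The following is an added example, not code from the original article or from BIA, of a minimal inbound triage check: it tags messages from outside the organization, flags sender domains within a small edit distance of the organization's own domain (the "slightly altered email addresses" mentioned above), flags an internal employee's display name paired with an outside address, notes free webmail domains, and notes a Reply-To that differs from the From address. The domain `example.com`, the employee directory, the webmail list, the edit-distance threshold and the sample messages are all constructed assumptions for the example.

```python
"""Inbound mail triage for BEC indicators (added example; all data constructed)."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed internal domain for this example
# Assumed list of free webmail providers; extend to match your own policy.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Constructed employee directory: display name -> authoritative mailbox.
DIRECTORY = {
    "Dana Ruiz": "dana.ruiz@example.com",
    "Pat Lee": "pat.lee@example.com",
}
LOOKALIKE_MAX_DISTANCE = 2  # assumed threshold for "slightly altered" domains
EXTERNAL_BANNER = "[EXTERNAL] This message originated outside the organization."


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain):
    """Treat the org domain and its subdomains as internal."""
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def assess_sender(raw_message):
    """Return a list of indicator tags for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    if not addr:
        return ["MISSING_FROM"]
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if not is_internal(domain):
        findings.append("EXTERNAL")
        # Lookalike domain: a few characters away from the real one (e.g. examp1e.com).
        if 0 < levenshtein(domain, ORG_DOMAIN) <= LOOKALIKE_MAX_DISTANCE:
            findings.append("LOOKALIKE_DOMAIN")
        # Display-name impersonation: a known employee's name on an outside address.
        if name in DIRECTORY and DIRECTORY[name].lower() != addr.lower():
            findings.append("DISPLAY_NAME_IMPERSONATION")
        if domain in FREE_WEBMAIL:
            findings.append("FREE_WEBMAIL")
    # Replies silently redirected to a different mailbox are a common BEC pattern.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("REPLY_TO_MISMATCH")
    return findings


def add_banner(raw_message, banner=EXTERNAL_BANNER):
    """Prepend an external-sender banner to single-part messages from outside."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not is_internal(domain):
        msg["X-External-Sender"] = "yes"
        if not msg.is_multipart():
            msg.set_payload(banner + "\n\n" + msg.get_payload())
    return msg.as_string()


# Constructed sample messages.
SAMPLE_INTERNAL = (
    'From: "Pat Lee" <pat.lee@example.com>\n'
    "To: dana.ruiz@example.com\n"
    "Subject: Lunch\n\n"
    "Still on for noon?\n"
)
SAMPLE_LOOKALIKE = (
    'From: "Dana Ruiz" <dana.ruiz@examp1e.com>\n'
    "To: pat.lee@example.com\n"
    "Subject: Vendor payment\n\n"
    "Pat, please update the routing details for the vendor payment today.\n"
)
SAMPLE_WEBMAIL = (
    'From: "Dana Ruiz" <dana.ruiz.ceo@gmail.com>\n'
    "Reply-To: finance.desk@example.net\n"
    "To: pat.lee@example.com\n"
    "Subject: Quick favor\n\n"
    "Are you at your desk? I need gift cards for a client.\n"
)

if __name__ == "__main__":
    for label, sample in [("internal", SAMPLE_INTERNAL),
                          ("lookalike", SAMPLE_LOOKALIKE),
                          ("webmail", SAMPLE_WEBMAIL)]:
        print(label, assess_sender(sample))
```

The tags are meant to drive a visible warning or a review queue, not an automatic block: a legitimate vendor can sit on a free webmail domain, so the human verification step the article describes still decides the outcome.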
Beyond those basic measures, we recommend training on best practices for email handling, such as:
- Fund Transfers and Routing Changes
Emails requesting fund transfers or account routing changes should be carefully scrutinized, reviewed for any irregularities, and subjected to a verification process. Any request to redirect vendor, customer, employee, retiree, or beneficiary payments – or really payments of any kind – should follow a verification process that employees have been trained to utilize. Employees should verify such requests through a method separate and apart from the original request. This could include verification by phone using a known valid number rather than one provided in the suspicious message. Consider adding personnel to the verification process so that the responsibility is shared, and no single person can trigger a catastrophic event.
- Client Relationships
Your employees should take time to learn and understand the standard practices of your customers and question anything that seems even the slightest bit out of the ordinary. Encourage them to be extremely observant and not hesitate to contact customers directly (and separately from the email of concern) if anything seems suspicious. Your customers will appreciate this level of caution and concern.
- Simulation Training
Simulation training, ideally run by a third-party security vendor, is one of the most effective training methods. By utilizing a third party that is unknown to your employees, the simulation not only is more realistic, but it can help overcome internal biases and more effectively identify weaknesses that internal resources might miss. Such third-party tests themselves can be an incredibly effective corrective measure, too: employees who fail them will become much more careful and alert to future threats. Such simulation events will track your employees’ responses to allow you to get a baseline, identify areas that need further training, and allow you to more effectively measure the long-term progress of your organization and your individual employees.
Limit what you share publicly to fend off business email compromise attacks.
As was the case with the non-profit attack cited at the beginning of this article, your organization may be providing too much data to possible attackers. Listing employee names, departments, job titles, and direct contact information on your company website is not a good idea. You not only make your organization a target, but you also provide the attacker with ammunition. They will know who handles payments and have names of company managers to impersonate when trying to convince a target to act. If you also include names and contact information for affiliates, customers, and/or contractors, you’ve made the attacker’s job easier still and increased the number of potential targets. Make sure you are not providing cybercriminals with the information they need to launch their attacks.
Fight BEC attacks with technology and humans.
No combination of technical controls will prevent your organization from becoming a victim of a BEC attack – the human element is still critical, and training is essential. Considering the rise in the number of BEC attacks successfully perpetrated and the increase in the average amount of monetary loss per attack, failure to focus on awareness and prevention could prove very costly. Your employees will need to go beyond what they learn in basic email security training and know the procedures to follow if they suspect an attack is underway. Including simulation training will raise the level of awareness regarding phishing and BEC scams and condition your employees to react promptly and effectively.
BIA has been keeping client data secure for two decades by keeping our employees informed, aware, and equipped with up-to-date training. For help with any of the safeguarding tactics listed above, or if you need immediate assistance with a data breach due to a business email compromise (BEC) attack, we invite you to reach out today.