Business Email Compromise (BEC) attacks are on the upswing. Cybercrime caused $3.5 billion in losses in the U.S. in 2019, with BEC attacks accounting for nearly half of that.
Cyber criminals are taking advantage of the uncertainty surrounding the COVID-19 pandemic, too. Invoice and payment fraud attacks increased by more than 75 percent in the first three months of 2020 alone.
While this type of fraud is typically targeted at companies that conduct wire transfers, it can affect any agency or organization. In this blog, we’ll share tips for preventing and detecting business email compromise attacks.
The Background
First, let’s walk through a common scenario where trusting an email can lead to a bad day.
Employees at your company are still working remotely because the office has been closed due to the COVID-19 pandemic. A colleague sends you an email asking you to transfer funds to a new business partner to seal a big deal. The request isn’t out of the ordinary. You’re used to handling last-minute requests and know that time is of the essence to keep the business operational. You’re savvy enough to check that it’s coming from her legitimate email address, and see that the salutation, signature block and writing style all match her usual style. There’s even an inside joke in there about missing your usual office snacks.
What you don’t realize is that your colleague opened an email two weeks ago with a cryptic but realistic message about encryption issues and invalid certificates. That email tricked her into giving up her account password to cyber criminals. They’ve been reading her old and incoming emails for weeks. They’ve studied her writing style, work schedule and how money moves around in your company.
At just the right moment, while the physical office is still closed and things are far from normal, they’ve sent a perfectly crafted message asking you to wire some money to a bank account they control. However, you don’t know that this email is coming from criminals and not your colleague. The numbers add up and the attached invoice looks fine. When you reply asking for clarification, they respond right away. Your colleague is out of the loop. Your responses are being sent straight back to the attacker and then immediately deleted from her inbox.
In the most extreme cases, our team has seen these fraudulent conversations and requests continue for months before they’re detected. We’ve even seen instances where cyber criminals go so far as to coordinate with multiple employees to work out details like intra-fund transfers and waivers to forgo standard processes.
How to Recognize and Respond to BEC
Business Email Compromise nearly always starts with someone giving up their password to a malicious actor. Typically, criminals target executives and anyone involved with transferring funds. There’s plenty of information already out there about protecting your password, having different passwords for every service (use a password manager) and how to spot a suspicious email trying to get your password (hint: it may even come from a trusted friend or colleague). Let’s focus on preventing what comes next, once the cyber criminals have compromised the email account.
First, let’s look at detecting the initial logon of a compromised account. You can prevent this first logon by implementing Multi-Factor Authentication (MFA). But what if MFA fails and the threat actors gain access anyway?
Your next line of defense is to detect the first logon, which requires logging and monitoring the authentication requests to your email accounts. Don’t assume auditing is enabled by default – you should check that it’s actually been activated.
Once logging is enabled you can start monitoring for suspicious logins. One example is users logging in from another country (pro tip: Nigeria is a top offender for BEC). If you don’t have the resources in-house to do this type of monitoring, a Managed Security Service Provider (MSSP) can be a great option. For example, here at Motorola Solutions, our advanced ActiveEye security platform uses analytics to recognize abnormal logins based on IP address, source country, device profiles and timing.
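To make the monitoring described above concrete, here is an added example (not code from the original post, and not part of the ActiveEye platform) that runs a simple baseline check over constructed login records. Each record carries the user, UTC time, source country and a device fingerprint; the per-user baseline, the working-hour window and the two-hour "impossible travel" threshold are all assumed values chosen for illustration. The check flags four of the signals the post lists: an unseen country, an unseen device profile, a login outside the user's normal hours, and two countries within a window too short to travel between.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data): one record per successful login.
LOGINS = [
    {"user": "alice", "time": "2020-04-06T13:05:00", "country": "US", "device": "Outlook/Win10"},
    {"user": "alice", "time": "2020-04-06T13:40:00", "country": "NG", "device": "Chrome/Linux"},
    {"user": "bob",   "time": "2020-04-06T02:15:00", "country": "US", "device": "Outlook/Win10"},
    {"user": "carol", "time": "2020-04-06T14:00:00", "country": "GB", "device": "iPhone"},
]

# Constructed per-user baseline: countries and devices seen during normal use,
# plus the user's usual working-hour window expressed in UTC (start, end).
BASELINE = {
    "alice": {"countries": {"US"}, "devices": {"Outlook/Win10"}, "hours": (12, 23)},
    "bob":   {"countries": {"US"}, "devices": {"Outlook/Win10"}, "hours": (12, 23)},
    "carol": {"countries": {"GB"}, "devices": {"iPhone", "Outlook/Win10"}, "hours": (8, 18)},
}

# Assumed threshold: two different countries inside this window is "impossible travel".
TRAVEL_WINDOW = timedelta(hours=2)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_suspicious_logins(logins, baseline):
    """Return a list of (user, time, reason) for logins that break the user's baseline."""
    findings = []
    last_seen = {}  # user -> (time, country) of the previous login, in chronological order
    for ev in sorted(logins, key=lambda e: parse_time(e["time"])):
        user, t = ev["user"], parse_time(ev["time"])
        b = baseline.get(user)
        if b is None:
            # A login for an account with no history is worth a look on its own.
            findings.append((user, ev["time"], "no baseline for user"))
            continue
        if ev["country"] not in b["countries"]:
            findings.append((user, ev["time"], f"new source country {ev['country']}"))
        if ev["device"] not in b["devices"]:
            findings.append((user, ev["time"], f"new device profile {ev['device']}"))
        start, end = b["hours"]
        if not (start <= t.hour < end):
            findings.append((user, ev["time"], f"outside working hours ({t.hour:02d}:00 UTC)"))
        prev = last_seen.get(user)
        if prev and prev[1] != ev["country"] and t - prev[0] <= TRAVEL_WINDOW:
            findings.append((user, ev["time"],
                             f"impossible travel {prev[1]}->{ev['country']} in {t - prev[0]}"))
        last_seen[user] = (t, ev["country"])
    return findings


if __name__ == "__main__":
    for user, when, reason in find_suspicious_logins(LOGINS, BASELINE):
        print(f"{when} {user}: {reason}")
```

On the constructed data, alice's second login is flagged three times (new country, new device, impossible travel from the US 35 minutes earlier), bob's 02:15 login is flagged for timing, and carol's login is clean. A real deployment would build the baseline from weeks of audit data rather than a hand-written table, but the decision logic is the same.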
Let’s suppose all that has failed. The attacker has gained access and has gone undetected. What happens next? The attacker’s next move is to create inbox rules that automatically delete received messages that may be fraud-related. That normally means targeting messages with words like “wire transfer,” “payment” and “invoice.” They may also delete messages from specific employees. The purpose of these rules is to prevent the compromised user from noticing the conversations happening behind their back.
How it Works
But how is the criminal reading these messages if they’re being deleted? They generally have two workarounds. First, they can simply look for the messages in the Deleted Items folder. Sneaky. Another option is to set up a rule to forward all new emails to an email address controlled by the attacker. This has an added benefit of giving the attacker continued access, even if the compromised user changes his or her password.
We can detect these compromised accounts by monitoring for the creation of a suspicious mailbox rule or email forwarding rules. For example, one program has a built-in “Low Severity” policy to alert administrators of new forwarding rules. There are a whole slew of tricks you can use to recognize compromised accounts.
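The rule-based tradecraft described in the two sections above (delete or hide messages by keyword or sender, forward everything to an outside mailbox) can be reviewed automatically. The following is an added example, not code from the original post or from any named product, that scores constructed inbox-rule audit events. The event layout, the internal domain list and the folder list are assumptions made for the illustration; the keyword list is the one the post gives.

```python
# Constructed sample audit events (not real log data) describing newly created inbox rules.
RULE_EVENTS = [
    {"user": "alice", "name": "Cleanup",
     "conditions": {"contains": ["Wire Transfer", "invoice"], "from": []},
     "actions": {"delete": True, "move_to": None, "forward_to": None}},
    {"user": "alice", "name": "Misc",
     "conditions": {"contains": [], "from": ["cfo@example.com"]},
     "actions": {"delete": False, "move_to": "Deleted Items", "forward_to": None}},
    {"user": "bob", "name": "Backup",
     "conditions": {"contains": [], "from": []},
     "actions": {"delete": False, "move_to": None, "forward_to": "bob.mail@external.example"}},
    {"user": "carol", "name": "Newsletters",
     "conditions": {"contains": ["newsletter"], "from": []},
     "actions": {"delete": False, "move_to": "Reading", "forward_to": None}},
]

INTERNAL_DOMAINS = {"example.com"}      # assumed: the organisation's own mail domains
FRAUD_KEYWORDS = {"wire transfer", "payment", "invoice"}
HIDING_FOLDERS = {"deleted items"}      # assumed: folders the owner rarely reviews


def is_external(address):
    """True when the address's domain is not one of ours."""
    return address.split("@")[-1].lower() not in INTERNAL_DOMAINS


def review_rule(rule):
    """Return the reasons a single inbox rule looks like BEC tradecraft (empty if none)."""
    reasons = []
    acts, conds = rule["actions"], rule["conditions"]
    # A rule "hides" mail if it deletes it or moves it somewhere the owner will not look.
    hides = acts["delete"] or (acts["move_to"] or "").lower() in HIDING_FOLDERS
    hit_words = {w.lower() for w in conds["contains"]} & FRAUD_KEYWORDS
    if hides and hit_words:
        reasons.append("hides messages matching finance keywords: " + ", ".join(sorted(hit_words)))
    if hides and conds["from"]:
        reasons.append("hides messages from specific senders: " + ", ".join(conds["from"]))
    if acts["forward_to"] and is_external(acts["forward_to"]):
        reasons.append("forwards all mail to external address " + acts["forward_to"])
    return reasons


def flag_rules(events):
    """Return [(user, rule name, reasons)] for every rule that triggers at least one reason."""
    flagged = []
    for ev in events:
        reasons = review_rule(ev)
        if reasons:
            flagged.append((ev["user"], ev["name"], reasons))
    return flagged


if __name__ == "__main__":
    for user, name, reasons in flag_rules(RULE_EVENTS):
        print(f"{user} / {name}:")
        for r in reasons:
            print("  -", r)
```

On the constructed events the three rules that delete finance-related mail, bury a specific sender's mail in Deleted Items, or forward to an outside domain are flagged, while carol's ordinary newsletter filter is not. Keyword matching is case-insensitive, since rule conditions are entered by hand. The forwarding check is the one to weight most heavily: as the post notes, it survives a password reset.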
Your last line of resistance against BEC is not relying on email for trusted transactions like wire transfers. Make sure your organization’s money-movers understand that email is not a trusted form of communication. This includes anyone involved in coordinating or authorizing where and when funds go – accountants, payroll, human resources, the CFO, CEO and your bank.
Demand a second factor of communication. Since you can’t pop into someone’s office for a face-to-face meeting if the office is closed, use a video chat or, at the very least, a phone call. One of our customers discovered BEC fraud after an accountant called their CEO at a conference asking for the bank account’s time-based PIN code. The CEO was especially confused when the accountant asked why they were in such a hurry to get the transfer done that day!
Summary
Let’s review how you can prevent and detect business email compromise attacks at your organization. Setting up multi-factor authentication for email accounts can greatly reduce your risk. Make sure logging is enabled so you can monitor for suspicious logins and monitor your accounts for new inbox rules, especially ones with words like “invoice,” “payment” and “wire transfer.” And, most importantly, don’t trust email for coordinating fund transfers. Always pick up the phone and double check, have a face-to-face or video call or implement a more rigorous process. It’s better to be safe than sorry.