How to protect your organization from a Business Email Compromise (BEC)?
BEC, or Business Email Compromise (also known as the man-in-the-email attack), is a phishing attack in which financially motivated adversaries trick unsuspecting executives and employees into making payments or sending sensitive data to accounts the attacker controls. The criminals behind BEC send convincing-looking emails that may request unusual payments or contain links to malicious websites. Some carry malware disguised as harmless attachments, which runs when the attachment is opened. BEC is a threat to organizations of all sizes and across all sectors, including non-profit organizations and government.
In this article, you will read about
What is Business Email Compromise?
How does a typical Business Email Compromise work?
Techniques for Business Email Compromise
Specific Types of BEC
Tips and best practices to minimize BEC attacks’ frequency and impact
What is Business Email Compromise?
Business email compromise (BEC) is a specific type of phishing attack, a spear phishing attack to be precise – with the objective being to trick employees into performing fraudulent actions, typically sending money to the attacker. Unlike standard phishing emails that are sent out indiscriminately to millions of people, BEC attacks are crafted to appeal to specific individuals and can be even harder to detect. Attackers accomplish this by using a variety of techniques that manipulate users into sending money or data. BEC has become one of the most damaging and expensive types of phishing attacks in existence, costing businesses billions of dollars each year.
These statistics from the FBI’s 2020 Internet Crime Report paint a stark picture:
· In 2020, the FBI Internet Crime Complaint Center (IC3) received nearly 20,000 complaints about the Business Email Compromise.
· Reported losses due to BEC increased from $1.29 billion in 2018 to $1.86 billion in 2020.
· The IC3 received more than 241,000 complaints of phishing and related attacks in 2020, a 110% increase from 2019.
Business Email Compromise attacks are notoriously difficult to prevent. Perpetrators rely extensively on social engineering techniques and impersonation to trick people into acting on the attacker’s behalf rather than employing malware. Traditional threat detection solutions that analyze email headers, links, and metadata often miss these attack strategies.
How Does a Typical BEC Attack Work?
In a BEC attack, the attacker typically impersonates someone the target trusts, such as a colleague, an executive or a vendor, to trick the target into sending money to an account the attacker controls. The most common victims are companies that routinely pay suppliers, often overseas, by wire transfer.
Phase 1: Research and Identify Targets
BEC attacks are usually focused on executives or employees authorized to make payments on behalf of their organizations. Common BEC targets include CEOs, lawyers, and accounts payable personnel. Scammers research their targets and figure out how to fake their identities.
Attackers perform reconnaissance over days or weeks, mining data from websites, social media, and the dark web. They build a profile of their target organization and then zero in on their victims. Sometimes they create fake websites or even register companies with the same name as yours in a different country.
Phase 2: Set Up the Attack
Unlike mass phishing emails, BEC attacks come across as genuine and legitimate.
Scammers prepare for the attack by performing activities such as spoofing email addresses or creating lookalike domains, impersonating trusted vendors, or taking over a legitimate email account of the victim’s manager or colleague. Once they have access, scammers monitor emails to figure out who might send or receive money. They also look at conversation patterns and invoices.
Phase 3: Execute the Attack
The actual BEC attack can take place in one email or an entire thread, depending on the adversary’s thoroughness. This communication often uses persuasion, urgency, and authority to gain the victim’s trust. The perpetrator then provides wire instructions to the victim to facilitate making payments to a fraudulent account.
Phase 4: Disperse Payments
Once the money is wired to the attacker, it is quickly withdrawn and moved through multiple accounts to reduce traceability and the chance of recovery.
Rapid response times are critical for most cybersecurity incidents, and the same holds for BEC attacks. If organizations are slow to identify a BEC attack that has been executed successfully, it’s unlikely that the money will be recovered.
Although the perpetrators of BEC use a combination of tactics to trick their victims, a common plan involves the attacker gaining access to a business network utilizing a spear-phishing attack in conjunction with some form of malware. If the attacker stays undetected, they can spend time studying all facets of the organization, from vendors, to billing systems, to the correspondence habits of executives and other employees.
At an appropriate time, usually when the employee being impersonated is out of the office, the attacker sends a bogus email to an employee in the finance department requesting an immediate wire transfer, usually to what appears to be a trusted vendor. The targeted employee believes the money is going to the expected account, but the account number has been altered slightly, and the transfer lands in an account controlled by the criminal group.
If the fraud is not spotted promptly, the funds are often close to impossible to recover, because laundering techniques quickly move them on into other accounts.
Techniques for Business Email Compromise
Business email compromise (BEC) attacks rely heavily on social engineering. Here are common BEC attack techniques:
- Domain Spoofing: Sender verification is not built into the email protocol (SMTP) by default, so unless the receiving server enforces SPF, DKIM and DMARC, an attacker can put any display name and sender address on a message and make it look like it came from inside the company or from a trusted vendor.
- Lookalike Domains: Lookalike domains are designed to take advantage of characters that can be easily confused. For example, the domains flightcompany.com and fightcompany.com look similar enough that they could fool someone not paying attention.
- Compromised Accounts: If an attacker has access to a legitimate account, they can use it in a BEC attack. This adds a level of authenticity because the email is coming from a trusted address.
- Spoofing email accounts and websites: Slight variations on legitimate addresses fool victims into thinking fake accounts are authentic.
- Spear-phishing: A targeted email crafted to appear to come from a trusted sender. The attacker uses that trust to prompt the victim to reveal confidential information, such as credit card details, or to act on the attacker’s behalf.
- Malware: It is used to infiltrate networks to gain access to internal data and systems, especially to view legitimate emails regarding the finances of the company. That information is then used to avoid raising the suspicions of any financial officer when a falsified wire transfer is submitted. Malware also allows criminals to gain access to victims’ sensitive data to expose and/or encrypt it with ransomware.
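The spoofing, lookalike-domain and account-takeover techniques above leave traces in the message headers that a mail gateway or a SOC script can check before a human ever reads the email. The following is an added example, not code from the original article or from Rainbow Secure: it flags display-name impersonation of an executive, a Reply-To that redirects replies to another domain, a sender domain within two edits of a trusted one, and a trusted domain in From: whose DMARC verdict is not "pass", plus a weak signal for pressure wording. The executive roster, trusted domains and the four sample messages are constructed for this example.

```python
"""Flag inbound messages for common BEC header-level indicators (added example)."""
import email
from email import policy
from email.utils import parseaddr

# Constructed data: names an attacker would impersonate, and domains we treat as ours/trusted.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
TRUSTED_DOMAINS = {"example.com", "vendor-corp.com"}
PRESSURE_WORDS = ("urgent", "wire", "immediately", "confidential", "asap")


def levenshtein(a, b):
    """Edit distance; catches one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def dmarc_result(msg):
    """Return the dmarc= verdict from Authentication-Results, or None if absent."""
    for header in msg.get_all("Authentication-Results", []):
        for token in str(header).replace(";", " ").split():
            if token.lower().startswith("dmarc="):
                return token.split("=", 1)[1].lower()
    return None


def bec_indicators(raw_message):
    """Return the list of red flags found in one RFC 5322 message (empty = none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    flags = []
    # Executive's name in the display name, but not their real address (CEO fraud pattern).
    known_addr = EXECUTIVES.get(display_name.strip().lower())
    if known_addr and from_addr.lower() != known_addr:
        flags.append("display-name impersonation")
    # Replies are silently routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append("reply-to mismatch")
    # Sender domain is not trusted but is within two edits of one that is.
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if levenshtein(from_domain, trusted) <= 2:
                flags.append(f"lookalike domain {from_domain} ~ {trusted}")
    # From: claims a trusted domain but the receiving MTA could not verify it.
    verdict = dmarc_result(msg)
    if from_domain in TRUSTED_DOMAINS and verdict != "pass":
        flags.append(f"dmarc={verdict or 'missing'}")
    # Urgency/secrecy wording: weak alone, meaningful combined with the above.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    if any(word in text for word in PRESSURE_WORDS):
        flags.append("pressure language")
    return flags


# Constructed sample messages (not real traffic).
CEO_FRAUD = """From: Jane Doe <jane.doe@ceo-mail.example>
Reply-To: Jane Doe <janedoe.office@webmail.example>
To: payables@example.com
Subject: Quick favour
Authentication-Results: mx.example.com; spf=pass; dmarc=none

Are you at your desk? I need a wire sent immediately, keep this confidential.
"""
LOOKALIKE_INVOICE = """From: Billing <billing@vendor-c0rp.com>
To: payables@example.com
Subject: Updated remittance details for invoice 4471
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Our bank account changed. Please use the attached details for the next payment.
"""
SPOOFED_FROM = """From: Jane Doe <jane.doe@example.com>
To: payables@example.com
Subject: Wire transfer needed today
Authentication-Results: mx.example.com; spf=fail; dmarc=fail

Process the attached transfer before close of business.
"""
LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: payables@example.com
Subject: Lunch next week
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Are you free on Tuesday?
"""

if __name__ == "__main__":
    for label, sample in (("CEO fraud", CEO_FRAUD), ("lookalike", LOOKALIKE_INVOICE),
                          ("spoofed From", SPOOFED_FROM), ("legitimate", LEGITIMATE)):
        print(f"{label}: {bec_indicators(sample) or 'no indicators'}")
```

Note the lookalike invoice passes DMARC: the attacker registered vendor-c0rp.com and set up SPF and DKIM for it, so authentication proves only that the mail really came from the lookalike domain. That is why the domain-similarity check is needed alongside authentication results, and why a DMARC verdict is only meaningful for domains you already trust.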
Though BEC makes up a small amount of all phishing attacks, it has caused a significant amount of losses in terms of interruption to business, loss of data, reduced productivity, regulatory fines, as well as brand damage.
Specific Types of BEC
According to the FBI, there are five primary types of BEC attack:
- False Invoice Scam: In this attack, the phisher pretends to be a vendor requesting payment for services performed for the company. Often, this type of attack will masquerade as one of an organization’s actual suppliers and use a realistic template but change the bank account information to an account controlled by the attackers.
- CEO Fraud: CEO fraud takes advantage of power dynamics within a company. The attacker will send an email – supposedly from the CEO – instructing the recipient to take some action. This may be to make a wire transfer to “close a business deal” or send sensitive information to a partner.
- Account Compromise: An account compromise BEC attack takes advantage of a compromised email account within an organization. With this access, the attacker can request invoice payments from customers while changing the payment details to those of the attacker.
- Attorney Impersonation: In this type of attack, an attacker will impersonate a lawyer or other representative from the law firm responsible for sensitive matters. They take advantage of the fact that low-level employees within an organization are likely to comply with requests from a lawyer or legal representative because they don’t know how to validate the request. This approach often makes the request seem time-sensitive and confidential to prevent independent verification.
- Data Theft: BEC attacks are not only designed to steal money from a company. This type of attack targets HR and Finance personnel and attempts to steal sensitive information about an organization’s employees, such as someone’s schedule or personal phone number. The information obtained can then be sold on the Dark Web or used to plan and execute future attacks.
Protecting against Business Email Compromise matters because email is a core enterprise system, and a compromised mailbox can seriously damage legitimate business interests. Safeguarding a company’s finances and data both empowers employees and helps ensure business longevity.
Tips and best practices to minimize BEC attacks’ frequency and impact.
1. Use a secure email solution
Use a secure email solution such as Rainbow Secure Business Email (runs on Office 365), which adds BEC prevention features like:
- Advanced authentication options, including multilayer password and passwordless login for your email, further aided by Smart Multi-factor, which stops phishing and automated attacks such as brute force, keylogger and stolen-password attacks and mitigates cyber risk and account takeover fraud
- Scanning of suspicious attachments before they download to your device
- Sending and receiving encrypted emails
2. Train employees to spot warning signs
Ensure everyone knows how to spot phishing links, domain and email address mismatches, and other red flags. Simulate a BEC scam so people recognize one when it happens.
3. Set security defaults
Administrators can tighten security by publishing an SPF record that lists the hosts allowed to send as your domain, signing outbound mail with DKIM, and publishing a DMARC policy (p=quarantine or p=reject) so that receiving servers reject mail that spoofs your domain. A DMARC record with p=none only reports; it blocks nothing, and DKIM on its own tells receivers nothing about what to do with unsigned mail.
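The weak settings that undermine the tip above (a softfail or neutral SPF, too many SPF lookups, a DMARC policy of p=none or a partial pct=) are easy to lint once the records are in hand. The following is an added example, not from the original article or from Rainbow Secure; it takes the SPF and DMARC TXT records as strings so that it runs offline (in practice you would fetch the TXT records for the domain and for _dmarc.<domain>), and the two sets of records it checks are constructed to show a typical "set and forget" posture beside a hardened one.

```python
"""Lint SPF and DMARC records for the weaknesses that let domain spoofing through (added example)."""
SPF_LOOKUP_LIMIT = 10  # RFC 7208 s.4.6.4: more than 10 DNS-lookup terms is a permerror


def _is_lookup_term(term):
    """Mechanisms and modifiers that cost a DNS lookup under RFC 7208."""
    t = term.lstrip("+-~?").lower()
    return t in ("a", "mx", "ptr") or t.startswith(
        ("a:", "a/", "mx:", "mx/", "ptr:", "include:", "exists:", "redirect="))


def lint_spf(record):
    """Return findings for an SPF TXT record (empty list = nothing to fix)."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell which hosts may send as this domain"]
    terms = record.split()[1:]
    findings = []
    all_term = next((t.lower() for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term in ("all", "+all"):
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif all_term == "?all":
        findings.append("'?all' is neutral: spoofed mail is neither failed nor rejected")
    elif all_term == "~all":
        findings.append("'~all' only softfails: rejection depends entirely on DMARC")
    elif all_term is None and not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("no terminal 'all' mechanism: unlisted senders are implicitly neutral")
    lookups = sum(1 for t in terms if _is_lookup_term(t))
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {SPF_LOOKUP_LIMIT}: "
                        "receivers return permerror and ignore SPF")
    return findings


def parse_tags(record):
    """Turn 'v=DMARC1; p=none; rua=...' into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record):
    """Return findings for the _dmarc TXT record (empty list = nothing to fix)."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record: a spoofed From: header is never checked against SPF/DKIM"]
    tags = parse_tags(record)
    findings = []
    disposition = tags.get("p", "").lower()
    if disposition == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered to the inbox")
    elif disposition == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam rather than being rejected")
    elif disposition != "reject":
        findings.append(f"invalid or missing p= ('{disposition}')")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: any subdomain can still be spoofed")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports are the only way to see who is spoofing you")
    return findings


def lint_domain(spf_record, dmarc_record):
    """Combine both checks into one report keyed by record type."""
    return {"spf": lint_spf(spf_record), "dmarc": lint_dmarc(dmarc_record)}


# Constructed records: a typical 'set and forget' posture beside a hardened one.
WEAK = {"spf": "v=spf1 include:_spf.mailhost.example include:crm.example a mx ~all",
        "dmarc": "v=DMARC1; p=none"}
HARDENED = {"spf": "v=spf1 include:_spf.mailhost.example -all",
            "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_domain(recs["spf"], recs["dmarc"]))
```

Move from p=none to p=reject in stages, using the rua= aggregate reports to find legitimate senders (CRM, payroll, marketing platforms) that are not yet in SPF or signing with DKIM; flipping straight to reject without that data breaks your own mail before it blocks anyone else's.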
4. Use a solution that provides Anti-Phishing Protections
Since BEC emails are a type of phishing, deploying email solutions such as Rainbow Secure Email running on Office 365 Business is essential to protecting against them. An anti-phishing solution should be capable of identifying the red flags of BEC emails including bad links.
5. Don’t Rely Solely on Native Email Security
G Suite and Office 365 have improved their native security offerings in recent years, providing better anti-spam and anti-malware protection. However, Rainbow Secure Email and Rainbow Secure Login for Email provide advanced authentication and multilayer security by design, and eliminate identity fragmentation with one unified login that works with both Office 365 and Google Docs. There is no need to scramble for a different login when a document is shared from either platform.
6. Don’t click unnecessary links
BEC attackers do whatever they can to get victims to act before they think, relying on them being too busy to read emails critically. Train users to read every email with a critical eye and to avoid clicking suspicious links.
7. Act responsibly not hastily while transacting
BEC attacks need no exploit, only a convincing message, which means they are here to stay. Treat any request that changes where money goes, such as new bank details from a vendor or an urgent wire from an executive, as unverified until it has been confirmed through a channel the email itself did not supply, for example a call to a phone number already on file. Organizations and employees need to transform their mindset, processes, and security tools to keep abreast of the growing Business Email Compromise threat.
Rainbow Secure provides cutting-edge solutions to secure your business email account.
· Advanced authentication options of multilayer password and passwordless login for your email
· Premium login experience on iOS, Android, and Web
· No more long complex passwords
· One unified login for Office 365 and Google Workspace
· Stops automated cyberattacks like brute force, keylogger, phishing, and stolen password attacks
· Mitigates cyber threats, cyber risk, and account takeover fraud
Rainbow Secure has set benchmarks in providing login and secure email solutions to businesses such as Certified Public Accountant (CPA) firms, healthcare practitioners, a business school, a wellness startup, e-commerce retailers and retail business owners, strengthening their cyber security and mitigating cyber-attacks, cyber risk, and account takeover fraud.
Do you have more questions about the Business Email Compromise? Contact us today. Email us at Hello@rainbowsecure.com