Cyber Risks: Business Email Compromise

BEC attacks usually involve social engineering techniques. Most often, a cybercriminal uses stolen email credentials or a spoofed email address that looks like a trusted address. The goal is to trick an employee into bypassing normal procedures to steal money or gain access to valuable assets. The cybercriminal may steal funds, by misdirecting electronic payments, or steal sensitive data, such as tax or pay information. Or they may convince the employee to open a malicious link or attachment, give up a password, or approve access. We provide clients with the experience, training, and technology resources needed to reduce their risk of financial or data loss from a BEC.

How BEC occurs

Spoofed email

A cybercriminal uses a phishing email that looks like it comes from a trusted address.

Domain spoofing

A cybercriminal creates a fake website or email domain to impersonate a trusted business or individual. Typically, the domain appears to be legitimate at first glance, and the differences may be subtle and hard to spot.

Stolen email credentials

Using stolen email credentials, the cybercriminal can view all conversations in the inbox, making impersonation easier.

Monitor communications

With access to an email inbox, the cybercriminal can easily research other employees and monitor ongoing conversations, particularly around invoices or payments.

Conceal activity

The cybercriminal can also take steps to hide their activities, such as setting up forwarding rules so that the user whose credentials have been stolen never sees certain conversations in the inbox. Or the cybercriminal may move the conversation to a different email inbox.

Exploiting the victim’s trust

Having established trust, the cybercriminal can encourage the user to bypass normal procedures and security through a variety of social engineering techniques.

The employees targeted in these attacks are often, in HR or finance, particularly in smaller organizations.

CEO fraud

Posing as the CEO, the cybercriminal instructs the employee to make an immediate payment because of a confidential transaction, such as an acquisition, or to purchase gift cards.

Fraudulent instruction

Posing as a vendor or supplier, the cybercriminal instructs the employee to change payment instructions for an electronic payment, so it goes to an account controlled by the cybercriminal.

Professional services firms are particularly at risk for incidents where the cybercriminal poses as a party in real estate/property sales or other transaction in order to misdirect payments.

Invoice manipulation

The cybercriminal may pose as a vendor or supplier and send fraudulent invoices to misdirect payments.

Payroll redirect

The cybercriminal instructs an employee in HR to change bank deposit instructions for employee pay.

Loan fraud

The cybercriminal may impersonate several employees and subsequently take out several large loans in their name, with losses potentially in the six-figure range.

Other common forms of BEC include urgent requests to send sensitive data, such as employee tax statements.

How to protect against BEC

Employees are the first line of defence

Train your employees to recognise and resist attempts at BEC, look carefully at unusual requests, use out-of-band verification, and resist the ways cybercriminals try to overcome your multi factor authentication (MFA).

Verify requests

Train employees on your procedures for authorised requests. Requests to change payment instructions or send sensitive data should be checked using out-of-band verification: don’t trust the contact information the cybercriminal provided.

Avoid password recycling

Train employees on good password practices, including not reusing passwords for different accounts.

Phishing-resistant MFA

Train employees to avoid social engineering attempts to overcome MFA, such as multiple requests to approve access (MFA fatigue).

Recognise phishing emails and BEC attempts

Train employees to detect spoofed domain names and not to be confused by subdomains. Be alert for emails making unusual requests, particularly with a sense of urgency or secrecy.

Improve your email security

Securing email accounts and better phishing detection will help protect you against BEC

Phishing-resistant MFA

Not all forms of MFA are equally secure. MFA should be configured to protect against social engineering attacks. While one-time passcodes and push-based notifications are not as resistant to these attacks, FIDO2 hardware tokens have been more successful. Block legacy email protocols that don’t support modern authentication.

Reduce exposure to phishing emails

Implement measures that could change the way suspicious emails are handled (SPF, DKIM, DMARC are email security standards that can help to mitigate spam and phishing attacks). Consider blocking email from new domains, which may have been set up by cybercriminals for phishing.

Patch on-premises email servers to deprive cybercriminals of any low-hanging fruit.

Actively monitor for account takeover attempts

Missed payments may not be noticed for 45 or 60 days, so it’s important to look for signs early.

Restrict login attempts

Set an alert for a number of unanswered MFA prompts to prevent MFA fatigue. You can set an access policy to lock after 5 or 10 unanswered attempts.

Monitor changes to logging and configuration

Unusual changes to existing rules or new external forwarding rules may be early signs of activity related to BECs.

How to respond to a BEC incident

We encourage Beazley policyholders who experience an actual or suspected incident to notify us.

Preserve evidence for investigation

Place a litigation hold on the targeted mailbox to preserve the mailbox content. Make sure logging and log retention options are configured correctly.

Secure the user’s accounts

Turn on MFA if it was not enabled. Reset passwords for all accounts used by the targeted user on their work device, whether personal or work.

Look for other activity

Check the list of registered devices associated with the targeted user; the cybercriminal may have enrolled an additional device for MFA acknowledgements. And look at activities in messaging applications such as Teams, Slack, or Gchat where additional sensitive information may have been shared.