Cyber Risks: Business Email Compromise
Because business email compromise (BEC) often relies on social engineering, people are as important as technology in preventing losses from BEC.
BEC attacks usually involve social engineering techniques. Most often, a cybercriminal uses stolen email credentials or a spoofed email address that looks like a trusted address. The goal is to trick an employee into bypassing normal procedures to steal money or gain access to valuable assets. The cybercriminal may steal funds, by misdirecting electronic payments, or steal sensitive data, such as tax or pay information. Or they may convince the employee to open a malicious link or attachment, give up a password, or approve access. We provide clients with the experience, training, and technology resources needed to reduce their risk of financial or data loss from a BEC.
How BEC occurs
Spoofed email
A cybercriminal uses a phishing email that looks like it comes from a trusted address.
Domain spoofing
A cybercriminal creates a fake website or email domain to impersonate a trusted business or individual. Typically, the domain appears to be legitimate at first glance, and the differences may be subtle and hard to spot.
Stolen email credentials
Using stolen email credentials, the cybercriminal can view all conversations in the inbox, making impersonation easier.
Monitor communications
With access to an email inbox, the cybercriminal can easily research other employees and monitor ongoing conversations, particularly around invoices or payments.
Conceal activity
The cybercriminal can also take steps to hide their activities, such as setting up forwarding rules so that the user whose credentials have been stolen never sees certain conversations in the inbox. Or the cybercriminal may move the conversation to a different email inbox.
Exploiting the victim’s trust
Having established trust, the cybercriminal can encourage the user to bypass normal procedures and security through a variety of social engineering techniques.
The employees targeted in these attacks are often, in HR or finance, particularly in smaller organizations.
CEO fraud
Posing as the CEO, the cybercriminal instructs the employee to make an immediate payment because of a confidential transaction, such as an acquisition, or to purchase gift cards.
Fraudulent instruction
Posing as a vendor or supplier, the cybercriminal instructs the employee to change payment instructions for an electronic payment, so it goes to an account controlled by the cybercriminal.
Professional services firms are particularly at risk for incidents where the cybercriminal poses as a party in real estate/property sales or other transaction in order to misdirect payments.
Invoice manipulation
The cybercriminal may pose as a vendor or supplier and send fraudulent invoices to misdirect payments.
Payroll redirect
The cybercriminal instructs an employee in HR to change bank deposit instructions for employee pay.
Loan fraud
The cybercriminal may impersonate several employees and subsequently take out several large loans in their name, with losses potentially in the six-figure range.
Other common forms of BEC include urgent requests to send sensitive data, such as employee tax statements.
How to protect against BEC
Employees are the first line of defence
Train your employees to recognise and resist attempts at BEC, look carefully at unusual requests, use out-of-band verification, and resist the ways cybercriminals try to overcome your multi factor authentication (MFA).
Verify requests
Train employees on your procedures for authorised requests. Requests to change payment instructions or send sensitive data should be checked using out-of-band verification: don’t trust the contact information the cybercriminal provided.
Avoid password recycling
Train employees on good password practices, including not reusing passwords for different accounts.
Phishing-resistant MFA
Train employees to avoid social engineering attempts to overcome MFA, such as multiple requests to approve access (MFA fatigue).
Recognise phishing emails and BEC attempts
Train employees to detect spoofed domain names and not to be confused by subdomains. Be alert for emails making unusual requests, particularly with a sense of urgency or secrecy.
Improve your email security
Securing email accounts and better phishing detection will help protect you against BEC
Phishing-resistant MFA
Not all forms of MFA are equally secure. MFA should be configured to protect against social engineering attacks. While one-time passcodes and push-based notifications are not as resistant to these attacks, FIDO2 hardware tokens have been more successful. Block legacy email protocols that don’t support modern authentication.
Reduce exposure to phishing emails
Implement measures that could change the way suspicious emails are handled (SPF, DKIM, DMARC are email security standards that can help to mitigate spam and phishing attacks). Consider blocking email from new domains, which may have been set up by cybercriminals for phishing.
Patch on-premises email servers to deprive cybercriminals of any low-hanging fruit.
Actively monitor for account takeover attempts
Missed payments may not be noticed for 45 or 60 days, so it’s important to look for signs early.
Restrict login attempts
Set an alert for a number of unanswered MFA prompts to prevent MFA fatigue. You can set an access policy to lock after 5 or 10 unanswered attempts.
Monitor changes to logging and configuration
Unusual changes to existing rules or new external forwarding rules may be early signs of activity related to BECs.
How to respond to a BEC incident
We encourage Beazley policyholders who experience an actual or suspected incident to notify us.
Preserve evidence for investigation
Place a litigation hold on the targeted mailbox to preserve the mailbox content. Make sure logging and log retention options are configured correctly.
Secure the user’s accounts
Turn on MFA if it was not enabled. Reset passwords for all accounts used by the targeted user on their work device, whether personal or work.
Look for other activity
Check the list of registered devices associated with the targeted user; the cybercriminal may have enrolled an additional device for MFA acknowledgements. And look at activities in messaging applications such as Teams, Slack, or Gchat where additional sensitive information may have been shared.
ALARMING STATISTICS: $43 billion The US Federal Bureau of Investigation (FBI) estimates global losses from BEC are $43B since 2016
Think you've been a victim of BEC? Let us know. Beazley policy holders have resources. and if you're not a Beazley policy holder, our IR team can engage and take a look.
Our incident response teams can walk you through all the steps needed to remediate the threat, and repair any damage that may have occured.