Business Email Compromise (BEC) is a form of email-borne fraud that is rapidly becoming one of the most widespread attacks faced by organizations around the world. The premise is simple: an attacker compromises or imitates a legitimate business email account, then uses it to request fraudulent payments from the victim's customers, contacts or colleagues. While simple in concept, these attacks are highly damaging and difficult to prevent.
The FBI reports that BEC attacks are becoming more harmful. Between December 2016 and May 2018 it recorded a 136% rise in identified global exposed losses from BEC, and it estimates that between October 2013 and May 2018 BEC alone cost businesses over $12 billion. Analysts expect these attacks to become more common still, with the associated financial losses continuing to rise.
Business email compromise targets businesses of all sizes, from Fortune 500 companies and educational institutions to small and mid-sized businesses. The attacks rely heavily on social engineering to trick employees and executives into making fraudulent payments. In this guide we cover how business email compromise works, the different variants threatening organizations, why it is so damaging, and the steps your organization can take to stop it.
What is Business Email Compromise and how does it work?
Business Email Compromise is a damaging email attack in which cyber criminals compromise or impersonate business email accounts and use them to trick employees into making fraudulent payments to accounts the attackers control.
Email remains the main way businesses communicate with their trusted contacts, partners and other businesses, and it is very likely you have emailed out an invoice or requested a payment at some point. However, email addresses are easy to impersonate, and email accounts are frequently compromised.
BEC attacks exploit this weakness to target senior people within an organization. Often BEC starts with a phishing attack that gives the criminals access to an important mailbox, for example someone in the finance department, or the CFO or CEO. With that access, attackers can send emails that genuinely originate from the legitimate account, asking others in the organization or across its supply chain to make wire payments. Because these emails carry no malware, malicious attachments or links, anti-virus and basic email filtering will not flag them, and most users do not expect their boss or a trusted contact to be compromised, which makes this a particularly harmful kind of attack.
Another method is simply to spoof the domain of a high-level business email address with a lookalike. For example, an attacker who sees the address ceo@majorcorp.com registers majorc0rp.com (a zero in place of the letter o) and sends from ceo@majorc0rp.com instead. This is known as lookalike domain spoofing. The similarity of the two addresses is often enough to fool unsuspecting users into believing the real contact has emailed them, which may convince them to make a payment.
This type of BEC attack is less sophisticated than full account compromise, but it is much more common. It is also much more likely to be stopped by email security technologies, which can detect when a sender domain closely resembles one the organization trusts. Note that this is distinct from forging the real domain in the From header, which remains possible unless the domain publishes SPF, DKIM and DMARC records and receiving servers enforce them. Even so, lookalike spoofing can still be very successful in convincing unsuspecting users.
Lookalike domain spoofing is also commonly used to impersonate brands such as Microsoft or Apple. Attackers copy these brand domains to try to convince users to enter passwords or make payments.
What are the Different Kinds of Business Email Compromise?
We have broadly covered two methods attackers use to carry out Business Email Compromise, but the FBI has identified five distinct variants of BEC. Here is a brief rundown of what each involves:
CEO Fraud:
Attackers impersonate a CEO or other high-level executive and target employees with requests for payments.
Account Compromise:
An employee's email account is compromised, and attackers use its contacts to request payments to accounts they control.
Bogus Invoice Schemes:
Attackers impersonate a supplier, often a foreign one, in order to request fraudulent fund transfers and invoice payments.
Data Theft:
Employees in HR and administrative departments are targeted so that attackers can obtain sensitive company and customer information.
Attorney Impersonation:
Attackers impersonate lawyers or solicitors, claiming to be handling confidential or time-sensitive business matters, to pressure the target into acting. This is a sophisticated type of attack and much less common.
Why Are Business Email Compromise Attacks Becoming More Common?
Most industry analysts agree that BEC attacks are becoming more common because they are low risk for attackers, relatively cheap to pull off, and often very successful.
Rather than spending time developing malware or breaking into systems, Business Email Compromise lets cyber criminals gain access to an account quickly and send out emails asking for payments. With just one compromised account, criminals can send hundreds of fraudulent emails, with a good chance that at least one will be opened or replied to.
For high-profile targets, criminals may not even need to gather the credentials themselves: the email credentials of senior employees are commonly bought and sold on the dark web. Research from LastLine reports that CEO, CFO and executive account details fetch a high price, but an attacker can make a profit of thousands by successfully mounting a single business email compromise scam.
Why is Business Email Compromise So Dangerous?
Traditional approaches to email security rely on detecting threats: a domain known to send spam, an attachment that contains malware, or a URL that leads to a harmful website. Email security technologies identify such threats from patterns or signatures and stop those emails from being delivered to your users.
However, BEC attacks involve no malware or harmful content. The emails come from legitimate (if compromised) domains, or from freshly registered lookalikes with no bad reputation yet, and appear to most email security technologies to be completely innocuous. This means they have a high chance of reaching your users' inboxes.
Because they rely on the human factor to succeed, once in the inbox BEC emails have a good chance of convincing employees they are real. As covered above, BEC often impersonates company executives like the CEO or CFO, or employees who work in finance. When an invoice or payment request arrives from someone like this, people usually trust that it is legitimate and may make the payment without checking that the email is genuine.
In addition, attackers are investing more effort in BEC, researching which individuals within an organization have the authority to approve invoices and payments.
Considering these factors, it is no surprise that Business Email Compromise is growing more common and more harmful to organizations. There have been numerous high-profile BEC attacks against organizations of all sizes.
A US Treasury Department analysis found that the number of business email compromise reports nearly doubled from 2016 to 2018, to around 1,100 reports every month, and that the losses also continue to grow, with BEC now costing US companies an average of $301 million every month.
How Can You Stop Business Email Compromise Attacks?
As covered above, stopping business email compromise is a challenge. However, with a multi-layered security approach and better user education, businesses can greatly reduce their risk. Here are the steps businesses can take to stop business email compromise.
Secure Email Gateway
The first layer in a multi-layered approach should be a Secure Email Gateway. This acts as a firewall for your email communications, stopping spam, malware and viruses from being delivered to your users.
A strong email gateway will detect a lookalike domain used by an attacker and in most cases block those types of business email compromise from being delivered. It is also the place to enforce SPF, DKIM and DMARC results, so that mail claiming to come from your own domain but failing those checks is rejected. Admins can additionally configure the gateway to check for keywords commonly used in BEC attacks, such as 'payment', 'urgent', 'sensitive' and 'secret'. Since it is not practical to ban emails containing these words altogether, the gateway uses them as one signal among several: if a message appears suspicious, it is placed in quarantine for review rather than delivered.
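The following is an added example, not code from the original article, showing a gateway-side screen for the two signals described above and in the lookalike domain section earlier: a sender domain that merely resembles a trusted one (ceo@majorc0rp.com standing in for ceo@majorcorp.com) and payment-pressure wording in the subject or body. The trusted-domain list, the homoglyph table, the keyword list, the quarantine thresholds and the three sample messages are all constructed assumptions for this example; SPF/DKIM/DMARC evaluation needs DNS and is not shown.

```python
"""Gateway-side BEC screening (added example, not code from the original article).
TRUSTED_DOMAINS, HOMOGLYPHS, PRESSURE_KEYWORDS and the sample messages are assumptions."""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Domains this organization legitimately exchanges mail with (assumed).
TRUSTED_DOMAINS = {"majorcorp.com", "example-supplier.co.uk"}

# Words the article lists as common in BEC lures.
PRESSURE_KEYWORDS = ("payment", "urgent", "sensitive", "secret", "wire")

# Substitutions attackers use to mimic letters; extend with your own (assumed).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def skeleton(domain: str) -> str:
    """Collapse a domain to a form in which visual look-alikes compare equal."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    sk = skeleton(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        tk = skeleton(trusted)
        if sk == tk:
            return trusted
        # Only treat a one-edit difference as a typosquat on names long enough
        # that a single changed character is unlikely to be a different brand.
        if len(tk) >= 8 and edit_distance(sk, tk) <= 1:
            return trusted
    return None


def screen(raw_message: str) -> dict:
    """Return a delivery verdict (deliver / flag / quarantine) plus the reasons."""
    msg = message_from_string(raw_message)  # single-part text messages assumed
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reasons = []

    target = lookalike_of(from_domain)
    if target:
        reasons.append(f"sender domain {from_domain} looks like trusted {target}")
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        reasons.append(f"Reply-To {reply_to} points away from the From domain")

    text = (msg.get("Subject", "") + "\n" + str(msg.get_payload())).lower()
    hits = [kw for kw in PRESSURE_KEYWORDS if re.search(rf"\b{kw}\b", text)]
    if hits:
        reasons.append("pressure wording: " + ", ".join(hits))

    # A lookalike sender is quarantined outright; wording alone is only a flag,
    # because banning the words would block legitimate finance mail.
    if target or len(reasons) >= 2:
        verdict = "quarantine"
    elif reasons:
        verdict = "flag"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons, "from_domain": from_domain}


# Constructed sample messages.
LURE = """From: "Pat Chen, CEO" <ceo@majorc0rp.com>
To: accounts@majorcorp.com
Subject: Urgent wire payment

This is a sensitive acquisition, keep it secret. Please arrange the payment today.
"""
REPLY_TO_SWAP = """From: "Pat Chen, CEO" <ceo@majorcorp.com>
Reply-To: pat.chen.ceo@webmail.example
To: accounts@majorcorp.com
Subject: Quick favour

Need an urgent payment made to a new supplier; details to follow.
"""
GENUINE = """From: "Pat Chen, CEO" <ceo@majorcorp.com>
To: accounts@majorcorp.com
Subject: Board minutes

Attached are the minutes from last week.
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("reply-to swap", REPLY_TO_SWAP), ("genuine", GENUINE)):
        print(name, screen(raw))
```

The lure is quarantined because its sender domain skeletons to majorcorp.com; the second message comes from the real domain but is still held because a Reply-To pointing at an unrelated mailbox combines with payment wording, which is how a compromised or spoofed genuine address is caught without banning the word "payment".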
Post-Delivery Protection
The second step is implementing Post-Delivery Protection. These tools use machine learning to monitor mailboxes and sign-in activity for signs of malicious behaviour, picking up the tell-tale signs of account compromise such as repeated failed login attempts, or logins and sends from unusual locations or at unusual times. If the service identifies such activity, it marks email from that account as suspicious or stops it being delivered altogether, reducing the risk that a compromised mailbox is used for business email compromise.
Advanced post-delivery protection solutions also allow users to report emails as suspicious, which removes those emails from the inbox of everyone else who received them. They also place warning banners on emails from new or unusual contacts, which helps mitigate lookalike domain spoofing and protects users against business email compromise.
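As an added example (not code from the original article), here is a detector for the account-compromise signals named above, run over a constructed sign-in log: a burst of failed logins ending in a success, a login from a country the user has never used, a sign-in outside working hours, and two successes from different countries too close together to be the same person. The log format, the per-user country baseline, the thresholds and the working-hours window are all assumptions for this example.

```python
"""Sign-in anomaly detection for mailbox compromise (added example, not from the article).
Log format, BASELINE_COUNTRIES, thresholds and WORK_HOURS are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log: ISO-8601 UTC time, user, outcome, country, source IP.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z alice success GB 203.0.113.10
2024-03-04T08:40:03Z bob success GB 203.0.113.11
2024-03-04T23:10:01Z alice failure NG 198.51.100.7
2024-03-04T23:10:09Z alice failure NG 198.51.100.7
2024-03-04T23:10:15Z alice failure NG 198.51.100.7
2024-03-04T23:10:22Z alice failure NG 198.51.100.7
2024-03-04T23:10:31Z alice success NG 198.51.100.7
2024-03-05T09:05:44Z bob success GB 203.0.113.11
2024-03-05T09:50:12Z bob success US 192.0.2.55
"""

# Countries each user normally signs in from; in practice learned from history (assumed).
BASELINE_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}}

FAILED_BURST = 3                    # failures within BURST_WINDOW before a success
BURST_WINDOW = timedelta(minutes=10)
WORK_HOURS = range(6, 21)           # UTC hours treated as normal for this tenant
TRAVEL_WINDOW = timedelta(hours=2)  # two countries inside this window is "impossible travel"


def parse_log(text: str) -> list:
    """Parse the space-separated log into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, outcome, country, ip = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "outcome": outcome, "country": country, "ip": ip,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list) -> dict:
    """Map user -> list of findings; users with no findings are omitted."""
    findings = defaultdict(list)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        last_success = None
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue  # failures only matter in relation to a later success
            recent_failures = [f for f in evs[:i]
                               if f["outcome"] == "failure" and e["ts"] - f["ts"] <= BURST_WINDOW]
            if len(recent_failures) >= FAILED_BURST:
                findings[user].append(f"{len(recent_failures)} failed logins then success at {e['ts']:%H:%M} UTC")
            if e["country"] not in BASELINE_COUNTRIES.get(user, set()):
                findings[user].append(f"success from new country {e['country']} ({e['ip']})")
            if e["ts"].hour not in WORK_HOURS:
                findings[user].append(f"success outside working hours at {e['ts']:%H:%M} UTC")
            if (last_success and last_success["country"] != e["country"]
                    and e["ts"] - last_success["ts"] <= TRAVEL_WINDOW):
                findings[user].append(f"impossible travel {last_success['country']}->{e['country']}")
            last_success = e
    return dict(findings)


def mailboxes_to_hold(events: list, min_signals: int = 2) -> list:
    """Users whose outbound mail a post-delivery tool would hold for review."""
    return sorted(user for user, found in detect(events).items() if len(found) >= min_signals)


if __name__ == "__main__":
    for user, found in detect(parse_log(SAMPLE_LOG)).items():
        print(user, found)
    print("hold:", mailboxes_to_hold(parse_log(SAMPLE_LOG)))
```

Requiring at least two independent signals before holding a mailbox keeps a single off-hours login by a night-shift worker from blocking their mail, while the alice sequence (failure burst, new country, night-time) and the bob sequence (new country plus a GB-to-US jump in 45 minutes) both cross the bar.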
Implement Security Awareness Training and Phishing Simulation
Training users to recognise malicious emails and phishing attacks is an important step in protecting your organization against business email compromise. These attacks target users who are unaware of security issues and trust that the emails they receive are genuine.
Security awareness training teaches users what phishing emails look like and instils crucial security behaviours, like never replying to suspicious emails and reporting them immediately to IT. It is also useful for organizations to implement policies such as never paying an invoice or transferring data without authorization from multiple sources, for example verifying the request by phone on a number already on file rather than one given in the email. Security awareness training helps to reinforce these policies.
Multiple vendors deliver security awareness training as a service, offering interactive, bite-sized courses to help users detect and report phishing attacks. Not every user will need these courses, and not every user will learn from them, but implementing awareness training will still improve your resilience against business email compromise.
In addition to awareness training, many vendors also offer phishing simulation. Admins create realistic simulated phishing emails and send them to users to test how effectively they can spot phishing attacks.
This is useful for IT teams to measure how at risk they are from phishing, and for teaching users what phishing attacks look like and how vigilant they need to be against real email threats. For this reason, phishing simulation is a useful way of tackling business email compromise.
Implement Identity Management and Account Security
A final step in defending against account compromise is improving the security of the accounts themselves, so that attackers cannot take them over in the first place. A strong identity management solution is the foundation for this.
The most important aspect of protecting accounts is ensuring that each user has a unique password for each of their accounts, one that cannot be easily guessed and is not reused elsewhere. Business password management tools help users keep on top of their passwords, while allowing admins to check that users are not relying on weak or previously breached passwords.
Alongside strong passwords, every corporate account, and email accounts in particular, should enforce multi-factor authentication. Identity management solutions can enforce MFA across all accounts, ensuring an account can only be accessed with something the user knows (a password) together with something they have (an authenticator app, a code from a text message or a hardware key) or something they are (a fingerprint). A stolen password alone is then not enough to take over the mailbox. Be aware that not all second factors are equal: codes sent by SMS or typed into a web page can be captured by a real-time phishing page that relays them to the genuine login, whereas FIDO2/WebAuthn security keys are bound to the real site's origin and resist this. Either way, MFA is a great step towards thwarting business email compromise attacks.
Some identity management platforms go further by offering adaptive authentication. This analyses each login request individually, taking into account factors such as the device being used, the location, and the reputation of the source IP address. Based on that risk, it can immediately require multi-factor authentication, and alert IT teams to suspicious login attempts. This greatly improves account security without getting in the way of legitimate users logging into their accounts.
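The following is an added example, not code from the original article or any identity vendor, of the adaptive authentication decision just described: each sign-in request is scored on device, location and IP reputation, and the score decides between allowing the login, requiring MFA, or denying it and alerting IT. Enrolling a device after a successful step-up is what keeps legitimate users from being prompted every time. The weights, thresholds, device and country registries, bad-IP set and sample requests are constructed assumptions.

```python
"""Adaptive (risk-based) authentication decision (added example, not from the article).
Weights, DENY_AT, the registries and the sample requests are assumptions."""
from dataclasses import dataclass, field

UNKNOWN_DEVICE = 1     # a new laptop or phone is common for real users, so low weight
UNUSUAL_COUNTRY = 2
BAD_IP_REPUTATION = 4  # a known-bad source is enough on its own to deny
DENY_AT = 4


@dataclass
class AdaptivePolicy:
    known_devices: dict = field(default_factory=dict)    # user -> set of device ids
    usual_countries: dict = field(default_factory=dict)  # user -> set of ISO country codes
    bad_ips: set = field(default_factory=set)            # from a threat-intel feed (assumed)
    alerts: list = field(default_factory=list)           # what IT gets notified about

    def assess(self, user: str, device_id: str, country: str, ip: str):
        """Return (action, factors); action is 'allow', 'require_mfa' or 'deny'."""
        score, factors = 0, []
        if device_id not in self.known_devices.get(user, set()):
            score += UNKNOWN_DEVICE
            factors.append("unknown device")
        if country not in self.usual_countries.get(user, set()):
            score += UNUSUAL_COUNTRY
            factors.append(f"unusual country {country}")
        if ip in self.bad_ips:
            score += BAD_IP_REPUTATION
            factors.append(f"bad-reputation IP {ip}")

        if score >= DENY_AT:
            self.alerts.append(f"{user}: sign-in denied from {ip} ({', '.join(factors)})")
            return "deny", factors
        if score > 0:
            return "require_mfa", factors
        return "allow", factors

    def mfa_passed(self, user: str, device_id: str) -> None:
        """After a successful step-up, enrol the device so the next sign-in is frictionless."""
        self.known_devices.setdefault(user, set()).add(device_id)


def demo() -> list:
    """Walk one user through the policy and return the sequence of actions taken."""
    policy = AdaptivePolicy(
        known_devices={"alice": {"laptop-01"}},
        usual_countries={"alice": {"GB"}},
        bad_ips={"198.51.100.7"},
    )
    actions = [policy.assess("alice", "laptop-01", "GB", "203.0.113.10")[0]]  # allow
    actions.append(policy.assess("alice", "phone-09", "GB", "203.0.113.10")[0])  # require_mfa
    policy.mfa_passed("alice", "phone-09")  # user completed the step-up
    actions.append(policy.assess("alice", "phone-09", "GB", "203.0.113.10")[0])  # allow
    actions.append(policy.assess("alice", "phone-09", "NG", "198.51.100.7")[0])  # deny + alert
    return actions


if __name__ == "__main__":
    print(demo())
```

The weights are deliberately unequal: a new device on its own only triggers a step-up, a new device in a new country still only triggers a step-up, but a bad-reputation source address is refused outright, which is the behaviour that stops a credential bought on a dark-web market from being used even when the password is correct.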