What is Business Email Compromise?
What is Business Email Compromise (BEC)?
Email is the number one attack vector for hackers. According to the FBI, the cost of Business Email Compromise (BEC) to businesses globally was estimated at $26bn.
Business Email Compromise is an exploit where an attacker gains access to a corporate email account and spoofs the owner’s identity to defraud the company, their employees, customers or partners.
In most cases, the attacker's goal is to manipulate their victims into authorising high-value wire transfers. However, the same approach has also been used to steal commercial data and intellectual property.
Whilst commercial data may be sold on to competitors to undercut the victim, the theft of intellectual property poses a far greater risk: many cyber insurance policies will not cover it, because there is no proof of how much the stolen property was worth.
Who are the Targets?
Businesses of all sizes are vulnerable to Business Email Compromise. The initial targets are high-level employees such as the CFO or CEO. A targeted phishing attack, more commonly known as whaling, will be aimed at them.
The goal of the campaign is to deceive the target into handing over their credentials or executing malware on their machine.
Attackers will also query recent data breaches and try exposed email and password combinations. Services such as Microsoft 365 and G Suite provide lucrative targets for the hackers.
Once access to the account has been gained, the attackers will use that access to target employees, customers or partners.
What are the attacker’s tactics?
The attacker will take their time and try to discover patterns in how an organisation operates. Once they have enough knowledge they will attempt to trick the victim into believing they have received an email from a high-level executive, supplier, partner or co-worker. Most commonly, the internal targets will be HR and the accounts department. Additionally, new starters may find themselves targeted as they may not yet be familiar with policies and procedures.
Common tactics used in BEC emails are:
Language: used to make the email sound urgent, confidential or a secret.
Time constraints: used to create pressure so that you respond faster and less rationally. Typically, Monday morning and Friday afternoon are peak times for this.
Tips for Users:
Be cautious about high-level executives requesting unusual information.
Think twice about urgent requests.
Slow down and, if necessary, take a short break to think about the request.
Verify any critical changes (such as a client changing bank details) by a different means of communication. For example, if an email advises of a change to bank details, call the client to verify it.
Do not use phone numbers or email addresses taken from the suspicious email itself.
Provide staff with Security Awareness Training about Business Email Compromise and Cybersecurity.
Conduct phishing simulations to help staff identify common tactics.
If possible, register domain names similar to your own so that they cannot be used to impersonate you.
Review company policy and procedures to ensure there are two step verification processes in place.
Where possible, use 2FA to secure your accounts. If the password is stolen in a phishing attack, the attacker would still require an additional code to enter the account.
Check your cyber insurance policy. Business Email Compromise may not be considered a cyber breach. In some instances, it is covered under crime insurance policies.
Whilst the following DNS records would not protect an account if the username and password were stolen, they do help prevent emails from your own domain being spoofed:
SPF: specifies who can send on behalf of the domain.
DKIM: validates the sending domain name through cryptographic authentication. This is accomplished by inserting a digital signature into the message header, which the receiver later verifies to validate the message's legitimacy.
DMARC: an authentication protocol designed to give domain owners the ability to protect their domain from unauthorised use.
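As an added example (not part of the original article), the script below assesses a domain's SPF and DMARC TXT records for the weak settings that still allow spoofed mail through, such as a soft-fail SPF or a monitoring-only DMARC policy. The domain names and records are constructed samples; in practice you would feed it the TXT records returned by a DNS lookup.

```python
"""Assess a domain's anti-spoofing posture from its SPF and DMARC TXT records."""
import re

# Constructed sample records for hypothetical domains (not from the article).
SAMPLE_RECORDS = {
    "weak.example": {"spf": "v=spf1 include:_spf.example.net ~all",
                     "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"},
    "strict.example": {"spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
                       "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strict.example"},
}

def parse_tags(record):
    """Split DMARC 'tag=value; tag=value' syntax into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spf(spf):
    """Return a list of weaknesses in an SPF record (empty list means strict)."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return ["no SPF record: any host may claim to send for this domain"]
    match = re.search(r"(?:^|\s)([+\-~?]?)all\b", spf)
    if not match:
        return ["SPF has no 'all' mechanism: unmatched senders default to neutral"]
    qualifier = match.group(1) or "+"   # a bare 'all' means +all
    if qualifier == "+":
        return ["SPF ends with +all: every sender passes"]
    if qualifier in "~?":
        return [f"SPF ends with {qualifier}all: soft/neutral fail, receivers may still deliver spoofed mail"]
    return []                           # -all: hard fail for unlisted senders

def assess_dmarc(dmarc):
    """Return a list of weaknesses in a DMARC record (empty list means enforcing)."""
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        return ["no DMARC record: SPF/DKIM failures are not acted on"]
    tags, findings = parse_tags(dmarc), []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail is junked rather than rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua: no aggregate reports, so abuse goes unnoticed")
    return findings

def assess_domain(records):
    """Combine SPF and DMARC findings for one domain's records."""
    return assess_spf(records.get("spf")) + assess_dmarc(records.get("dmarc"))

if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        print(name, assess_domain(recs) or ["no weaknesses found"])
```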