Business email compromise (BEC) is an effective cyberattack that uses deception and impersonation to steal large sums of money from organizations. If an organization relies on wire transfers to make or receive payments then, sooner or later, it will be targeted. Furthermore, successful BEC attacks are financially devastating with losses regularly exceeding $100,000. Though there are sometimes other objectives of BEC attacks, e.g., steal employee W2s, this article will focus on attacks with the sole purpose of the fraudulent transfer of funds.
Spear phishing is the preferred technique used by hackers for their BEC cyberattacks. Unlike traditional phishing where generic email messages are sent in bulk to a large audience, spear phishing emails are highly personalized and targeted at specific employees within an organization.
The hacker will send a message impersonating the company CEO, or other high ranking official, asking for an urgent wire transfer or to update the Automated Clearing House (ACH) details. The recipient will act on the request, often violating established protocols, because of the urgency of the message and the belief that it is coming from a senior executive. The wire transfer instructions will have been for an account under the hacker’s control, and once the money is sent, the funds are quickly withdrawn and the account is closed. Unfortunately, it is often too late to recover the money once the company finally realizes that they were defrauded through BEC.
With simple internet sleuthing, hackers can quickly identify the information required for the spear phishing campaign. First, the hackers will perform reconnaissance on an organization by using publicly available information from LinkedIn, press releases, the company website, and other resources. From this research, they can often determine the names and email addresses of senior management, finance and accounting staff, as well as customer and vendor names. Hackers can sometimes even determine when the CEO may be out of the office on a business trip or vacation based on publicly available social media posts. Once this information has been gathered, the hacker has the information needed to begin the campaign of impersonation and deceit.
BEC attacks usually take one of two forms. They can take place externally, or they can be executed from within company email accounts that have been compromised. Email spoofing and look-alike domains can be utilized without the hacker gaining unauthorized access to the target company’s email accounts. Conversely, a much more devastating scenario is when the hacker has infiltrated the organization’s email system and is conducting the attack from the inside.
Domain impersonation is an easy-to-execute attack in which a domain name very similar to the target organization’s is purchased and an email account is set up that looks nearly identical to the legitimate address. For example, suppose a hacker wanted to send an email that appeared to be from John Doe, the CEO of ABC Manufacturing. They could easily purchase a domain name very similar to the one owned by ABC Manufacturing and set up an email account appearing to be the CEO’s. Note how similar the two emails below appear at first glance:
Note that the second “u” in “manufacturing” is missing.
This type of attack is not only effective, but it is simple to execute and inexpensive.
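As an added defensive example (not code from the article), the following Python classifies sender domains that resemble a company's own domain, catching the dropped-letter case above as well as embedded-name and altered-TLD variants; the company domain and the sample addresses are constructed for illustration.

```python
COMPANY_DOMAIN = "abcmanufacturing.com"   # assumed; the article does not give the real domain

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca with cb
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased; tolerates 'Name <user@host>' forms."""
    return address.strip().rstrip(">").rsplit("@", 1)[-1].lower()

def classify_sender(address: str, company_domain: str = COMPANY_DOMAIN, max_edits: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for the domain of a sender address."""
    domain = sender_domain(address)
    if domain == company_domain:
        return "internal"
    company_label = company_domain.split(".")[0]
    # Company name embedded in a foreign domain, e.g. abcmanufacturing-payments.com,
    # abcmanufacturing.co or abcmanufacturing.com.evil.example.
    if company_label in domain:
        return "lookalike"
    # One or two dropped, added or swapped characters, e.g. abcmanufactring.com
    # (the missing "u" from the article) or abc-manufacturing.com.
    if edit_distance(domain, company_domain) <= max_edits:
        return "lookalike"
    return "external"
```

A mail gateway or SIEM rule can apply the same check to the From and Reply-To headers of inbound mail and route "lookalike" results for review.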
Email spoofing occurs when an email is forged so that it appears to come from the exact email domain of the target company. There are no misspellings associated with this attack, because the hacker is taking advantage of the recipient’s lack of email integrity protocols. For example, if ABC Manufacturing did not implement strong email integrity policies, then an attacker could send a spoofed email that looks identical to the CEO’s, or any other employee’s, actual email address.
If email spoofing is possible, then why would attackers even consider domain impersonation? The answer is that companies are beginning to effectively defend against email spoofing through Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) integrity methods. If a spoofed email is sent to an organization with strong email integrity policies, then the email will be rejected by the server and never reach its intended recipient.
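To make the "strong email integrity policies" concrete, here is an added Python example (not from the article) that parses a domain's SPF and DMARC TXT records and reports the settings that still leave it spoofable; the weak and hardened records at the bottom are constructed samples, and the include host and report address are placeholders.

```python
def parse_spf(record: str) -> dict:
    """Split an SPF TXT record into its mechanisms and the qualifier on the final 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "mechanisms": [], "all": None}
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        if term.lower().lstrip("+-~?") == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"   # bare 'all' means pass
        else:
            mechanisms.append(term)
    return {"valid": True, "mechanisms": mechanisms, "all": all_qualifier}

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def grade_domain(spf_record: str, dmarc_record: str) -> list:
    """Findings that leave the domain spoofable; an empty list means hardened."""
    findings = []
    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "none").lower()
    enforcing = policy in ("quarantine", "reject")
    spf = parse_spf(spf_record)
    if not spf["valid"]:
        findings.append("SPF record missing or malformed")
    elif spf["all"] in (None, "+", "?"):
        findings.append("SPF ends without -all or ~all: any host may send as this domain")
    elif spf["all"] == "~" and not enforcing:
        findings.append("SPF softfail (~all) with no DMARC enforcement: spoofs are only tagged")
    if dmarc.get("v", "").upper() != "DMARC1":
        findings.append("DMARC record missing: SPF and DKIM results are never enforced")
    elif policy == "none":
        findings.append("DMARC p=none only monitors; failing mail is still delivered")
    if "rua" not in dmarc:
        findings.append("no rua= address: aggregate reports on spoofing attempts are lost")
    return findings

# Constructed sample records (not real DNS data) for a weak and a hardened set-up.
WEAK_SPF, WEAK_DMARC = "v=spf1 include:mail.example.net ~all", "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:mail.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@abcmanufacturing.com; adkim=s; aspf=s"
```

Feeding the real records from `dig TXT example.com` and `dig TXT _dmarc.example.com` into `grade_domain` shows whether a spoof of the CEO's address would be rejected or merely tagged.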
The worst-case scenario for an organization is if the hacker has compromised a company email account and is conducting the BEC attack from the inside. When the attacker has access to a company email account, they have several more ways to carry out their attack. For example, they will set up forwarding rules for emails containing certain keywords such as “wire transfer” or “ACH.” Emails containing those keywords will be intercepted so that only the hacker is aware of their existence. The hacker will then begin corresponding with the other party and request wire transfers or ACH updates. The timing and relevance of the communication make the attack that much more likely to succeed.
To further compound the problem, if a BEC attack has occurred, it confirms that the organization has been successfully compromised. Furthermore, if this was part of a larger attack, the hacker may have already established unfettered access to other computers on the network. As such, the company needs to enact its incident response plan, investigate how the compromise occurred, and begin taking steps to remediate the threat.
BEC attacks are at an all-time high because they are extremely lucrative and easy to perform. By using domain impersonation and email spoofing, an attack can be successfully executed without having to infiltrate the organization’s network or email platform. If, however, the attacker can gain unauthorized access and control of the company’s legitimate email account(s), then the threat becomes far greater and more dangerous.
To help protect against business email compromise attacks, TCDI recommends the following:
- Train employees on how to identify phishing attempts and signs of BEC;
- Test the effectiveness of the training by performing social engineering tests on a regular basis;
- Measure results of the social engineering tests over time to both track improvement metrics and identify employees who require more training;
- Configure SPF, DKIM, and DMARC integrity methods for company-owned domains and utilize SPF, DKIM, and DMARC in email filtering rule sets;
- Apply warnings to email messages originating from outside the organization similar to the one pictured below;
- Enable two-factor authentication for the organization’s email system to establish another layer of defense if login credentials are compromised;
- Incorporate third-party tools and techniques to help users more easily identify and report phishing emails; and
- Implement financial security controls around the wiring of company funds, e.g., an employee must call to confirm changes to wire transfers.
- Turn on mailbox audit logging: Office 365 and many other email platforms have mailbox auditing turned off by default. Audit logs are an invaluable resource for identifying anomalous activity that could indicate a cybersecurity event and, if a data breach were to occur, could provide a crucial element of the subsequent investigation.
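The mailbox audit logs recommended above are what let a defender catch the keyword forwarding rules described in the compromised-account scenario earlier. As an added example (not code from the article), this Python scans audit records for newly created inbox rules that forward mail outside the company, key on payment words, or hide matching messages; the records are constructed samples loosely following the Office 365 unified audit log shape (Operation, UserId, Parameters as Name/Value pairs), which is an assumption to verify against your own tenant's export.

```python
import json
import re

COMPANY_DOMAIN = "abcmanufacturing.com"   # assumed; the article does not name the real domain
BEC_KEYWORDS = ("wire transfer", "ach", "invoice", "payment")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}

# Constructed audit records, one JSON object per line (not real tenant data).
SAMPLE_LOG = """
{"Operation":"New-InboxRule","UserId":"cfo@abcmanufacturing.com","Parameters":[{"Name":"Name","Value":"Sync"},{"Name":"SubjectOrBodyContainsWords","Value":"wire transfer;ACH"},{"Name":"ForwardTo","Value":"billing.desk@webmail.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"alice@abcmanufacturing.com","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"FromAddressContainsWords","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"Operation":"MailboxLogin","UserId":"alice@abcmanufacturing.com","Parameters":[]}
"""

def rule_findings(record: dict) -> list:
    """Reasons a single rule-creation record matches the BEC interception pattern."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    reasons = []
    # 1. The rule sends copies of mail to an address outside the company.
    for name in sorted(EXFIL_PARAMS & set(params)):
        if not params[name].lower().endswith("@" + COMPANY_DOMAIN):
            reasons.append(f"{name} targets an external address: {params[name]}")
    # 2. The rule is keyed on payment-related words, as the article describes.
    text = " ".join(v.lower() for k, v in params.items() if "ContainsWords" in k)
    hits = [k for k in BEC_KEYWORDS if re.search(r"\b" + re.escape(k) + r"\b", text)]
    if hits:
        reasons.append("rule matches payment keywords: " + ", ".join(hits))
    # 3. Matching mail is also hidden, so only the attacker sees the thread.
    if reasons and HIDE_PARAMS & set(params):
        reasons.append("matching mail is deleted or moved out of the owner's view")
    return reasons

def scan_audit_log(raw: str) -> dict:
    """Map each mailbox owner to findings; records without findings are dropped."""
    suspicious = {}
    for line in raw.strip().splitlines():
        record = json.loads(line)
        reasons = rule_findings(record)
        if reasons:
            suspicious.setdefault(record["UserId"], []).extend(reasons)
    return suspicious
```

Running the scan on a daily audit export and alerting on any non-empty result gives early warning of an account being used from the inside before a fraudulent transfer request is sent.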