In a 2021 survey of over 1,400 CISOs conducted by Proofpoint, 70% of UAE CISOs believe human error is their organization’s biggest cybersecurity vulnerability. This makes sense because globally, CISOs believe Business Email Compromise (BEC) will be the biggest cybersecurity threat in the next year.
Formerly dubbed man-in-the-middle email scams, BEC attackers rely heavily on social engineering tactics to trick unsuspecting employees and executives. Quite often, the attackers impersonate CEOs or any executive authorized to approve wire transfers. Business email compromises cost businesses money, time, and reputation. According to the FBI, BECs are a “$26 billion scam” that affects thousands of businesses a year. Sample email messages often have subject lines containing words such as “request payment,” “transfer,” and “urgent.”
There are 5 types of BEC scams:
- The bogus invoice schemes
- CEO fraud
- Account compromise
- Attorney impersonation
- Data theft
BECs can evade traditional security solutions because the scams do not have any malicious links or attachments.
- The Bogus Invoice Scheme – Companies with foreign suppliers are often targeted with this tactic. Attackers pretend to be suppliers requesting fund transfers for payments to an account owned by the attackers. Typically, the attackers utilize several bank accounts, transferring the stolen funds from account to account so law enforcement cannot track it.
- CEO Fraud – Attackers pose as the company CEO or another executive and send an email to employees in finance, requesting that money be sent to an illicit bank account. Most often, the employee in finance acts on the request without verifying with the executive that they authorized the transaction.
- Account Compromise – An executive’s or employee’s email account is hacked and used to request invoice payments from vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts. Typically, this is a direct result of multifactor authentication not being implemented. The attacker gains access to the mailbox and changes its rules, and will often set up forwarding of emails without the employee knowing this is happening.
- Attorney Impersonation – Attackers pretend to be a lawyer or someone from a law firm in charge of vital and confidential matters. Typically, these attacks are carried out by email or phone at the end of a business day.
- Data Theft – Employees in human resources and bookkeeping are targeted to obtain PII, PHI, HIPAA data, or W-2s of employees or customers. Such data can be sold on the Dark Web or used for extortion.
Protection Tips to Prevent BECs
- Recognize impersonation tactics, encourage employees to challenge suspicious payment requests
- Be wary of last-minute email account address changes
- Don’t overshare on social media
- Check email addresses for slight changes
- Use Multi-Factor Authentication
- Use strong passwords
- Don’t trust unknown sources
- Verify all wire transfers in person
- Provide regular end-user training
- Run antivirus software often, enable security features that block malicious emails
- Block IPs from parts of the world in which you don’t conduct business
- Monitor the email exchange server for changes and unauthorized rules
- Add a banner to emails coming from outside your organization
- Log and retain changes to mailbox login and settings for at least 90 days
- Report fraud to law enforcement
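Two of the tips above, checking sender addresses for slight changes and marking mail from outside the organization, can be partly automated at the mail gateway or in a triage script. The following is an added illustration written for this article, not SpearTip’s tooling or any product’s code. It assumes an organization domain of example.com and a small, hypothetical list of trusted vendor domains; both are constructed values. It flags a sender domain as a lookalike when it is one edit away from a trusted domain or matches it after common confusable characters (0/o, 1/l, rn/m, vv/w) are normalized, and it labels any non-organization sender as external so a banner can be applied.

```python
"""
Lookalike-sender triage for BEC defense (added example, not the article's own code).
Assumed values: ORG_DOMAIN and TRUSTED_DOMAINS are constructed for illustration.
"""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional

ORG_DOMAIN = "example.com"  # assumed: your own mail domain
TRUSTED_DOMAINS = {"example.com", "acme-supplier.com", "bigbank.com"}  # assumed vendor list

# Character swaps that look alike in many fonts; keys are replaced by values.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lower-case the domain and collapse confusable characters to their plain form."""
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    address: str
    external: bool              # True when the sender is not on ORG_DOMAIN
    lookalike_of: Optional[str]  # trusted domain being imitated, if any
    reason: str


def check_sender(from_header: str) -> Verdict:
    """Classify a From: header value as trusted, lookalike, or unknown."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return Verdict(addr, True, None, "no domain")
    external = domain != ORG_DOMAIN
    if domain in TRUSTED_DOMAINS:
        return Verdict(addr, external, None, "trusted domain")
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == normalize(trusted):
            return Verdict(addr, external, trusted, "confusable characters")
        if edit_distance(domain, trusted) == 1:
            return Verdict(addr, external, trusted, "one edit away")
    return Verdict(addr, external, None, "unknown domain")


def subject_prefix(verdict: Verdict) -> str:
    """Banner text a gateway would prepend to the subject for this sender."""
    if verdict.lookalike_of:
        return f"[SUSPECTED LOOKALIKE of {verdict.lookalike_of}] "
    return "[EXTERNAL] " if verdict.external else ""


# Constructed sample headers (not real mail); note the capital I in suppIier and the digit 1.
SAMPLE_HEADERS = [
    "Jane Doe <jane@example.com>",
    "Accounts <ap@acme-suppIier.com>",
    "CEO <ceo@examp1e.com>",
    "billing@bigbank.co",
    "Newsletter <news@unrelated.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        v = check_sender(header)
        print(f"{subject_prefix(v)}{v.address}: {v.reason}")
```

The check is deliberately conservative: an edit distance of exactly one catches single dropped, added, or swapped characters (bigbank.co, suppIier), while the confusable pass catches digit-for-letter substitutions that a distance threshold alone would also catch but that deserve a distinct reason in the log. Anything flagged here should be routed for the in-person verification the article recommends, not silently dropped.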
Business email compromise isn’t going away. BECs are akin to the Nigerian letter-writing schemes of the 1990s. Be aware that some insurance companies may not cover BECs as part of your cyber coverage; they view BECs as common theft or user error. Educating and training your employees is the best way to avoid falling victim to a BEC attack.
In addition to training your employees on the ways threat actors will look to take advantage of them, engaging with security firms who have battle-tested experience and highly technical abilities will add another layer of protection against BECs. Email monitoring is a crucial defense mechanism of SpearTip’s security services, as we instantly add value to your organization upon implementation. It’s nearly impossible for your employees to be perfect, but that’s okay. As a leader in your organization, ensure you’ve made the right moves to protect your most valuable assets from those inevitable mistakes.