How Can Organisations Tackle Business Email Compromise?
Written by Paul Wright, Associate Director, Forensics, KPMG Lower Gulf
Business Email Compromise (BEC) attacks are sophisticated cybercrimes targeting businesses that perform wire-transfer payments. These schemes compromise official business email accounts to carry out fraudulent money transfers. The 2019 Internet Crime Report, published by the FBI’s Internet Crime Complaint Center (IC3), shows that email compromise fraud affected a total of 20,373 victims and cost them USD 1.298 billion over a twelve-month period – the largest financial loss due to any category of internet crime.
Such account takeovers show no signs of decelerating in 2020, with businesses suffering compromised credentials, fraudulent money transfers, reputational damage and data loss. Because Microsoft Office 365 (O365) is one of the most popular email platforms, it is also one of the most phished. A multisystem platform, O365 combines email, file storage, collaboration, and productivity applications, including OneDrive and SharePoint. Together, they represent a honeypot of confidential and sensitive data that attackers are looking to exploit.
Making money
BEC has been hugely profitable for cybercriminals, so they are willing to invest time and effort in this method of attack. In most instances, the profit comes from a high volume of attacks against poorly protected businesses and/or staff who may not recognise the tell-tale signs of a BEC attack. The businesses at greatest risk are therefore those that assume they will not be targeted and discount the possibility of attack.
With unauthorised access, cybercriminals may seek out information on the types of instructions used by a company for money transfers, electronic payments, or vendor invoicing. They may carry out other reconnaissance, such as monitoring mailboxes, watching the dealings between targeted individuals, and spotting details within their communications to understand the nuances required to effectively replicate a genuine message.
Using an employee’s email account within the organisation, a cybercriminal can circumvent security controls such as the monitoring of external emails for malicious threats. The compromised mailbox can hold a plentiful supply of emails containing confidential and sensitive data, which means greater potential for profit or blackmail for the cybercriminal.
The inner workings of a BEC attack
In the first phase, the cybercriminal sends a phishing email, often asking the employee to use the link provided to review a document. The link takes the employee to a website that mimics, or appears to be associated with, Microsoft Office 365 and requests his or her credentials. Once an employee provides credentials, the cybercriminal can start to leverage access to the account to make money.
A multi-phase attack involves taking advantage of credentials to ultimately extract money or proprietary information from a person and/or a business. For example, the attacker might first send an O365 phishing email to harvest email credentials. Then, using the targeted O365 account, they will send an email to another targeted person within the company who has the power to execute fraudulent payments.
The email recipient has no reason to suspect that it is not the genuine person/account who sent the email requesting a fraudulent payment. There are many variants on the multi-phase attack. Equipped with a legitimate account, the attacker can control multiple accounts laterally within the organisation, and spear phish external stakeholders, business partners and vendors.
Both spear phishing and phishing attacks leverage impersonation to commit fraud. The difference between the two is that spear phishing emails imitate people, while phishing emails imitate brands. Unlike phishing, spear phishing targets a single individual, includes no links or attachments in the email, and typically features a request for a fraudulent payment, or direct deposit change, rather than account credentials.
How to protect against BEC
One of the best ways to avoid BEC fraud is a multi-layered approach that includes an array of checks and controls. Two of the most significant areas to focus on are training employees and email authentication technology. An organisation’s employees are on the front line when it comes to defending against BEC fraud, as preventing the initial point of compromise is critical. Therefore, they should be trained to recognise the signs of email fraud through a regular and constantly updated training programme.
Employees need to be able to identify the common ways fraudsters use emails to gain access to business email accounts. For example, an email address can be ‘spoofed’ in the display name section before the ‘@’ symbol and/or in the domain name after the ‘@’ symbol. In addition, they need to know the make-up of the traditional phishing techniques that are used to gain initial access to an email account.
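The two controls named above, email authentication technology and recognising a spoofed display name or domain, can also be applied mechanically at the mail gateway or in a SOC triage script. The following is an added example, not code from the article or from KPMG, that scores one raw message for the spoofing patterns just described: a display name that carries an address or the organisation’s domain while the real sender is elsewhere, a lookalike of the organisation’s domain after the ‘@’, a Reply-To that silently diverts replies, and failed spf/dkim/dmarc verdicts recorded in the Authentication-Results header (RFC 8601). The organisation domain `example.com`, the lookalike heuristic and both sample messages are constructed assumptions for the demonstration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumed organisation domain (placeholder, not taken from the article).
ORG_DOMAIN = "example.com"


def _decode(value):
    """Decode RFC 2047 encoded-words so a disguised display name is compared as plain text."""
    return str(make_header(decode_header(value))) if value else ""


def _domain(address):
    """Domain part of an address, lower-cased; empty string if there is no '@'."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _edit_distance(a, b):
    """Optimal-string-alignment distance: one substitution, insertion, deletion or
    adjacent transposition costs 1, which is what single-character lookalikes use."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def is_lookalike(domain, legit=ORG_DOMAIN):
    """Heuristic (an assumption of this example): a domain that is not the organisation's
    but embeds it as a leading label, reuses its first label under another TLD, or is
    one edit away from it."""
    if not domain or domain == legit:
        return False
    if domain.startswith(legit + "."):
        return True
    if domain.split(".", 1)[0] == legit.split(".", 1)[0]:
        return True
    return _edit_distance(domain, legit) <= 1


def _auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def assess(raw_message):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    display, from_addr = parseaddr(_decode(msg.get("From", "")))
    from_domain = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_addr)

    # 1. Display-name spoofing: the visible name claims the organisation, the address does not.
    if from_domain != ORG_DOMAIN and ("@" in display or ORG_DOMAIN in display.lower()):
        findings.append(f"display name '{display}' impersonates {ORG_DOMAIN} but sender is {from_addr}")
    # 2. Domain spoofing: a lookalike of the organisation's domain after the '@'.
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} is a lookalike of {ORG_DOMAIN}")
    # 3. Replies diverted to a domain other than the one the message claims to come from.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # 4. Email authentication verdicts recorded by the receiving gateway.
    for method, result in _auth_results(msg).items():
        if result in ("fail", "softfail", "permerror", "temperror"):
            findings.append(f"{method} verdict is {result}")
    return findings


# Constructed sample messages (not real traffic).
SPOOFED = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
From: "Jane Doe <jane.doe@example.com>" <finance@examp1e.com>
Reply-To: jane.doe.ceo@webmail-provider.test
To: accounts@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

CLEAN = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 figures

Attached as discussed.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("clean", CLEAN)):
        print(label, assess(sample) or ["no findings"])
```

Run stand-alone, the spoofed sample produces five findings (display-name impersonation, lookalike domain, diverted Reply-To, and failed spf and dmarc verdicts) while the clean sample produces none. The Authentication-Results check only means something when the gateway that wrote the header is trusted and upstream copies of the header are stripped, and the lookalike heuristic will flag sister domains the organisation legitimately owns, so an allow-list of those belongs in front of it in production.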
While the above can help reduce the risk of a mailbox account being compromised, no preventative system is fully secure. Therefore, it is important for organisations to implement security features such as multi-factor authentication or multi-layered security solutions so that they remain protected if a BEC fraud attempt gets past the first line of defence.