The Anatomy of Business Email Compromise (BEC)

Business email compromise (BEC) is an effective cyberattack that uses deception and impersonation to steal large sums of money from organizations.?If an organization relies on wire transfers to make or receive payments, then, sooner or later, it will be targeted.?Furthermore, successful BEC attacks are financially devastating, with losses regularly exceeding $100,000.?Though there are sometimes other objectives of BEC attacks, e.g., stealing employee W2s, here we will focus on attacks with the sole purpose of the fraudulent transfer of funds.

Spear Phishing

Spear phishing is the preferred technique used by hackers for their BEC cyberattacks.?Unlike traditional phishing, where generic email messages are sent in bulk to a large audience, spear phishing emails are highly personalized and targeted at specific employees within an organization.

The hacker will send a message impersonating the company CEO, or other high-ranking official, asking for an urgent wire transfer or to update the Automated Clearing House (ACH) details.??The recipient will act on the request, often violating established protocols, because of the urgency of the message and the belief that it is coming from a senior executive.?The wire transfer instructions will have been for an account under the hacker's control, and once the money is sent, the funds are quickly withdrawn, and the account is closed.??Unfortunately, it is often too late to recover the money once the company finally realizes that they were defrauded through BEC.

With simple internet sleuthing, hackers can quickly identify the information required for the spear phishing campaign.?First, the hackers will perform reconnaissance on an organization by using publicly available information from LinkedIn, press releases, the company website, and other resources.?From this research, they can often determine the names and email addresses of senior management, finance and accounting staff, as well as customer and vendor names.?Hackers can sometimes even determine when the CEO may be out of the office on a business trip or vacation based on publicly available social media posts.?Once this information has been gathered, the hacker has the necessary information to begin the campaign of impersonation and deceit.

BEC Attacks

BEC attacks usually take one of two forms.?They can take place externally or be executed from within company email accounts that have been compromised.?Email spoofing and look-alike domains can be utilized without the hacker gaining unauthorized access to the target company's email accounts.?Conversely, a much more devastating scenario is when the hacker has infiltrated the organization's email system and is conducting the attack from the inside.

Domain Impersonation

Domain impersonation is an easy-to-execute attack where a domain name very similar to the target organization is purchased, and an email account is set up that looks nearly identical to the legitimate address.?For example, let's pretend a hacker wanted to send an email that appeared to be from John Doe, the CEO of ABC Manufacturing.?They could easily purchase a domain name very similar to the one owned by ABC Manufacturing and set up an email account appearing to be the CEO's.?Note how similar the two emails below appear at first glance:

?Real Email:

[email protected]

Fake Email:

[email protected]

Note the second "u" from manufacturing is missing. This type of attack is not only practical and effective, but it is simple to execute and inexpensive.

Email Spoofing

Email spoofing occurs when an email is forged so that it appears to come from the exact email domain of the target company.?There are no misspellings associated with this attack because the hacker is taking advantage of the recipient's lack of email integrity protocols.?For example, suppose ABC Manufacturing did not implement strong email integrity policies. In that case, an attacker could send a spoofed email that looks identical to the CEO's, or other employee's, actual email address.

Why would attackers even consider domain impersonation if email spoofing is possible??The answer is that companies are beginning to effectively defend against email spoofing through Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Confirmation (DMARC) integrity methods.?If a spoofed email is sent to an organization with strong email integrity policies, then the email will be rejected by the server and never reach its intended recipient.

Email Compromise

The worst-case scenario for an organization is if the hacker has compromised the company's email account and is conducting the BEC attack from the inside.?When the attacker has access to a company email account, they now have several more ways to carry out their attack.?For example, they will create forwarding rules for emails containing certain keywords such as "wire transfer" or "ACH."?Emails containing those keywords will be intercepted so that only the hacker will be aware of their existence.?The hacker will then begin corresponding with the other party and request wire transfers or ACH updates.?The timing and relevance of the communication make the attack that much more likely to succeed.

If a BEC has occurred, it confirms the organization has been successfully compromised to further compound the problem.?Furthermore, if this was part of a larger attack, the hacker may have already established unfettered access to other computers on the network.?As such, the company needs to enact its incident response plan, investigate how the compromise occurred, and take steps to remediate the threat.

Recommendations

BEC attacks are at an all-time high because they are highly lucrative and easy to perform.?An attack can be successfully executed without infiltrating the organization's network or email platform through domain impersonation and email spoofing.?If the attacker can gain unauthorized access and control of the company's legitimate email account(s), the threat becomes far greater and more dangerous.

To help protect against business email compromise attacks, TCDI recommends the following:

• Train employees on how to identify phishing attempts and signs of BEC;
• Test the effectiveness of the training by performing social engineering tests regularly;
• Measure results of the social engineering tests over time to both track improvement metrics and identify employees who require more training;
• Configure SPF, DKIM, and DMARC integrity methods for company-owned domains and utilize SPF, DKIM, and DMARC in email filtering rule sets;
• Apply warnings to email messages originating from outside the organization similar to the one pictured below;

• Enable two-factor authentication for an organization's email system to establish another layer of defense if login credentials are compromised;
• Incorporate third-party tools and techniques to help users more easily identify and report phishing emails; and
• Implement financial security controls around the wiring of company funds, e.g., an employee must call to confirm changes to wire transfers.

Bonus Tip:

Turn on mailbox audit logging – Office 365 and many other email platforms have mailbox auditing turned off by default.?Audit logs are an invaluable resource for identifying anomalous activity that could be indicative of a cybersecurity event. If a data breach were to occur, it could provide a crucial element to the subsequent investigation.