Business Email Compromise - A Real World Example


October is cybersecurity awareness month and as it turns out, I was presented with a very real scenario yesterday from one of my clients. Have you ever heard the term "Business Email Compromise"? It's one of the fastest growing areas of cybercrime. Now... you may be thinking "But we have MFA turned on for our email, so I'm good." Well... I'm not going to address the myth of MFA being fool-proof in this post, but Business Email Compromises generally don't work that way. Here's what went down with one of my clients yesterday.

The person at my client who is responsible for billing and payroll received the following email [I've made the names generic to provide anonymity to my client as well as make the scam easier to understand]:

[Screenshot of the email the payroll admin received; no alt text was provided for the image.]

So here's the play-by-play.

Bad guys send an email to the person responsible for payroll. The message is made to look like it's an innocent request coming from an employee - but it's really from the bad guys. The bad guys hope that the payroll person will just hit Reply and send them a payroll change form. The bad guys then fill out the form with their banking information and send it back, hoping the unwitting payroll admin will just make the change and start depositing the employee's paycheck into their account. Also... the bad guys now know the company's payroll process and can attempt the same scam with more employees.

In this case, the scam was averted because the payroll admin sent the form to the employee's known-good company email address - and not the Gmail account the bad guys used. When the employee received a form she didn't request, she did the right thing and started asking questions. But would you have spotted that the request was coming from a Gmail address rather than their work email account? Would you have picked up that the request wasn't worded in the way the employee (or anyone, really) actually talks or writes?
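As an added example (not part of the original post), here is a small Python triage check that flags the tells described above: a known employee's display name on a free webmail address, combined with a payroll or banking request and a push for urgency. The company domain, employee list, and sample messages are constructed for the example.

```python
from email.utils import parseaddr

# Assumed company domain and a constructed employee directory (not from the post).
COMPANY_DOMAIN = "example.com"
EMPLOYEES = {"jane doe", "bob smith"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
PAYROLL_TERMS = ("payroll", "direct deposit", "bank account", "paycheck")
URGENCY_TERMS = ("urgent", "asap", "immediately", "before payroll runs", "today")

def analyze_message(from_header, subject, body):
    """Return the tells found in a message; an empty list means none. Triage aid only."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    text = f"{subject}\n{body}".lower()
    reasons = []
    # Tell 1: an employee's name in the display name, but the address is not ours.
    if display_name.strip().lower() in EMPLOYEES and domain != COMPANY_DOMAIN:
        reasons.append(f"display name '{display_name}' matches an employee but "
                       f"sender domain is '{domain}'")
        if domain in FREEMAIL_DOMAINS:
            reasons.append("sender uses a free webmail domain")
    # Tell 2: the request concerns payroll or banking details.
    if any(term in text for term in PAYROLL_TERMS):
        reasons.append("message asks about payroll or bank details")
    # Tell 3: the request stresses urgency, which should raise suspicion rather than speed.
    if any(term in text for term in URGENCY_TERMS):
        reasons.append("message stresses urgency")
    return reasons

# Constructed samples modelled on the scenario in the post.
SUSPICIOUS = ('"Jane Doe" <janedoe.work2023@gmail.com>', "Quick question",
              "Hi, I need to update my direct deposit before payroll runs today. "
              "Can you send me the form to change my bank account?")
LEGIT = ('"Jane Doe" <jane.doe@example.com>', "PTO request",
         "Hi, can I take next Friday off? Thanks, Jane")

if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, "->", analyze_message(*msg) or ["no tells found"])
```

A check like this belongs in a mail filter or a reviewer's triage script; it surfaces the tells so a human slows down, it does not replace the call-back process described below.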

What makes this so hard?

What makes this so hard for me as a provider of technology services is there's absolutely no piece of technology I can install to prevent this. After all, both people have MFA active on their email. There's an enterprise-grade firewall at the office. Their computers have antivirus software installed. So it's important to understand that tricking humans is the most common way bad guys gain entry and access.

So how do you stop this?

TRAINING!

It's absolutely critical that your staff get ongoing security awareness training that teaches them how to spot the tricks bad guys use to get people to give up information they shouldn't to people who they shouldn't give it to. Every cyber insurance carrier I've seen now asks if regular security awareness training is in place, because they want to make sure you're investing in mitigating your risks. In this particular example, the first thing to do is slow down and look at every message carefully. If the message is stressing how urgent the request is, that should only arouse further suspicion. Also, don't process messages like this on your phone or tablet. The mail app on a phone or tablet isn't going to give you enough information about the sender to make a good choice.

PROCESSES!

Processes are an additional layer of security. In the event something evades an employee's training, sound processes are the next line of defense. Have processes in place to confirm the person at the other end is who you think they are, particularly when it comes to financial matters. Call them (don't text) at the number you know for sure is theirs and speak to them. Rather than hit Reply, send a new message to the person in question - and don't rely on your mail app's autocomplete. Type the address out fully.

But it can't happen to me - I'm too small!

JUST. STOP. In this example, our client has only 10 people and bad guys tried it with them. Cyber crooks don't care how big you are, they want your money. And it doesn't have to be a lot of money either. If they can trick you into giving them $500 or $1000 with little to no chance of actually getting caught, that's a total win in their eyes. After all, they're playing a volume game. If they trick enough businesses, that adds up to a hell of a lot of money.

Don't become a victim. Make sure you arm your staff with the training they need to make good security choices.

Ben Greisler

Information Technology and Services Consultant with specialties in cross platform data storage workflows and Apple technologies.

2 years ago

Bingo. There is so much out there that pure technology just can’t prevent and only human intervention can.
