How to Protect your Organization from Business Email Compromise Attacks
Of all the dangerous phishing attacks perpetrated by hackers, business email compromise (BEC) attacks might be the most troublesome for businesses. These attacks are extremely difficult to detect and have the potential of incurring millions in losses.
A BEC attack, also known as “CEO fraud”, “CFO fraud”, or a “Man-in-the-Email” scam, is an email phishing scam in which the attacker poses as a company executive, partner, or vendor and requests money or sensitive information. The request can come from a compromised email account or from an email address crafted to look like a legitimate company address.
For example, if the email address of the company’s CEO is firstname.lastname@example.org, the attacker might send the email from email@example.com to fool the recipient.
Consequently, the email, which is usually sent to an employee, partner, vendor, or client of the company, appears to come from a legitimate email account.
Attackers also use social engineering, where they scrape information from hacked email accounts, company news, and social media, to make accurate references and build trust. This makes it even harder for the recipient to detect that the message is fraudulent.
According to the Internet Crime Complaint Center (IC3), the financial loss from BEC scams exceeded 12 billion dollars worldwide between October 2013 and May 2018. This highlights just how massive the problem is.
But what makes this threat so frightening is how hard it is to detect. A good example is the BEC scheme that cost the Pathé cinema chain US$21.5 million.
The attacker sent an email to the CFO of the company which appeared to come from Pathé’s parent firm. This email requested that he transfer money to be used for an acquisition that was confidential.
The CFO thought it was strange and even discussed it with the CEO, but the attacker was so skilled at social engineering that it didn’t occur to either of them that it could be fraud. It wasn’t until they received inquiries from their head office about the payments that they realized they had been scammed.
Common BEC Attack Scenarios
A BEC attack can take many forms, but here are the most typical scenarios:
- CEO Impersonation
In this scenario, the attacker impersonates the CEO and requests that an employee send money to an account owned by the attacker, citing an emergency or some other believable reason.
- Invoice Fraud
The attacker hacks the email account of a company executive and finds an invoice that is due. The attacker then contacts the accounts payable department and asks it to change the bank account or payment method for that invoice to a bank account owned by the attacker.
- Fake Customer Payment Alert
The attacker gains access to an employee email account and emails all customers alerting them that there was a problem with their payment, requesting that they resend it to a different bank account, which of course is owned by the attacker.
- Attorney Impersonation
The attacker impersonates the company’s law firm and requests money for a confidential or urgent payment to settle a dispute or pay a bill.
- Sensitive Financial Information Theft
The attacker impersonates a company executive and requests sensitive financial information or documents from the finance or human resources department, which is then used to launch other scams.
How to Guard Against a BEC
This threat may be difficult to detect, but here are some steps you can take to protect your organization.
- Verify All Payment Change Requests
Attackers often request a change of payment method from checks to wire transfers, or a change of the bank account to which a payment is to be made. Verifying these changes by phone (using a number already on file rather than one supplied in the email) or even in person exposes fraudulent requests. Additionally, it’s prudent to check the sender’s email address letter by letter to ensure it actually comes from a trusted account.
- Use Code Phrases for Phone Calls
Many BEC attacks involve phone calls from attackers posing as a partner, client, or customer trying to verify financial information. By establishing a code or passphrase that is required before the parties exchange financial information, you can guard against this scenario.
- Require Multi-Factor Authentication
To launch most BEC attacks, attackers need access to email accounts. Multi-factor authentication makes it harder for an attacker to gain access to an email account because it requires a unique temporary PIN displayed on a mobile phone, or a security fob, that only the employee physically possesses.
- Establish Secure Policies and Operating Procedures
By establishing secure company policies and operating procedures, such as the ones listed above, and enforcing them throughout the organization, potential threats can be identified and avoided.
- Train Employees
Employees should receive frequent, up-to-date training on detecting and reporting suspicious emails. Training in the company’s security policies and operating procedures also ensures that everyone in the organization takes an active role in identifying, reporting, and preventing BEC attacks. This is especially important for executives and other employees who handle sensitive financial information.
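The letter-by-letter sender check recommended under “Verify All Payment Change Requests”, together with the look-alike address trick described in the introduction, can be partly automated on the mail gateway or in a finance-team mailbox rule. The Python below is an added example, not code from the original article or from Outsource IT; the trusted directory, the confusable-character list, the 0.9 similarity threshold and the sample headers are all constructed assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed directory: executives whose payment instructions finance may act on.
TRUSTED = {"jane doe": "jane.doe@example.org", "john roe": "john.roe@example.org"}

# Character substitutions commonly used in look-alike domains (multi-char first).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]

FROM_RE = re.compile(r'^\s*(?:"?([^"<]*?)"?\s*)?<?([^<>\s]+@[^<>\s]+)>?\s*$')


def parse_from(header: str):
    """Split a From header into (display name, address), both lowercased."""
    m = FROM_RE.match(header)
    if not m:
        return "", ""
    return (m.group(1) or "").strip().lower(), m.group(2).lower()


def normalize(addr: str) -> str:
    """Fold Unicode compatibility forms and confusable characters so look-alikes collide."""
    folded = unicodedata.normalize("NFKC", addr).lower()
    for bad, good in CONFUSABLES:
        folded = folded.replace(bad, good)
    return folded


def classify_sender(header: str) -> str:
    """Return 'trusted', 'look-alike', 'display-name-spoof' or 'unknown'."""
    name, addr = parse_from(header)
    if addr in TRUSTED.values():
        return "trusted"
    for trusted_name, trusted_addr in TRUSTED.items():
        # Same mailbox once confusables are folded, or spelled almost identically
        # (0.9 is an assumed tuning knob; lower it to catch more, at the cost of noise).
        if (normalize(addr) == normalize(trusted_addr)
                or SequenceMatcher(None, addr, trusted_addr).ratio() >= 0.9):
            return "look-alike"
        # The executive's name is displayed, but the address is some other mailbox.
        if name == trusted_name:
            return "display-name-spoof"
    return "unknown"


if __name__ == "__main__":  # constructed sample headers
    for h in ["Jane Doe <jane.doe@example.org>", "Jane Doe <jane.doe@exarnple.org>",
              '"Jane Doe" <ceo.jane.doe@webmail.example>', "bob@partner.example"]:
        print(f"{classify_sender(h):20} {h}")
```

Anything other than "trusted" should route the message to the manual verification step rather than be treated as proof of fraud; the point is to force the phone call, not to replace it.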
BEC attacks are on the rise. In fact, reported incidents doubled from 2016 to 2017, according to IC3, and that trend is continuing in 2018.
Though these attacks are hard to detect, implementing secure policies and ensuring employees receive proper cybersecurity training can reduce the likelihood that your organization falls prey. Ask your Outsource IT Account Manager about solutions and training that can protect your organization.