The Internet Crime Complaint Center recently issued a warning about the business email compromise scam. What is this scam, and how is this different from phishing? Are there other security measures that should be put in place to protect an enterprise?
The Internet Crime Complaint Center issued a warning about a man-in-the-email attack targeting businesses. Dubbed the "Business Email Compromise," the scam reportedly cost enterprises across the globe nearly $215 million in just over a year, targeting companies that work with foreign suppliers or perform wire transfer payments regularly.
The attack operates by the malicious actor either compromising an email account or creating an account that closely resembles that of a legitimate business person who has the authority to make financial transactions or to instruct others to make them. Attackers are likely to identify that specific person by searching the organization's website for the CFO, CEO or other executive who would have such authority.
A Business Email Compromise attack is essentially an extension of a general phishing attack, except that it requires convincing another person to make the financial transaction requested from the compromised account.
Enterprises can implement a couple of measures to protect themselves from such man-in-the-email phishing attacks.
One of the key security policies to put in place is dual control for approval of financial transactions. This would require an attacker to convince more than just the initial person to make the transaction; ideally, the second person would verify whether the order was legitimate or a scam.
In addition, strong financial controls will help limit the risk of an individual mistakenly trusting a compromised account, or of an individual directly committing fraud.
Unfortunately, there are few technical controls to stop this type of attack other than verifying that the email account used was legitimate and not compromised. Two-factor authentication and exercising caution when opening email links and attachments are crucial. Additionally, security awareness training for executives and financial staff must include verifying orders for financial transactions.
The standard advice for detecting phishing -- such as looking for poor spelling or grammar -- still applies, but it is probably less effective in this scenario, since a skilled attacker would look in the sent folder of the compromised account in order to use the same language the account holder used in prior email transactions. More subtle clues might be available, since the attacker is pretending to be someone the recipient actually knows, so be sure to ask yourself, "Would this person email me at this time, or for a transaction to an unknown company?" If it seems suspicious, verification over a medium other than email should be used.
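The header-level clues described above (a lookalike sender domain, an executive's display name on a foreign address, a Reply-To pointing elsewhere, payment language in the body) can be checked automatically before a message reaches the finance team. The following is an added example, not code from the column or from any product; the company domain, executive roster, edit-distance threshold and the two sample messages are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed assumptions: the protected domain and the executives worth impersonating.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}      # display name -> legitimate address
PAYMENT_TERMS = ("wire transfer", "bank details", "invoice", "urgent payment")

def _edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw):
    """Return the list of BEC warning signs found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    found = []
    sender_domain = _domain(addr)
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        found.append("executive display name on a different address")
    if sender_domain != COMPANY_DOMAIN and 0 < _edit_distance(sender_domain, COMPANY_DOMAIN) <= 2:
        found.append("lookalike sender domain")
    if reply and _domain(reply) != sender_domain:
        found.append("reply-to domain differs from sender domain")
    if any(term in text for term in PAYMENT_TERMS):
        found.append("payment request language")
    return found

def needs_out_of_band_verification(raw):
    """Two or more indicators: route the request for phone/in-person confirmation."""
    return len(bec_indicators(raw)) >= 2

# Constructed sample messages: one impersonation attempt, one genuine request.
SUSPECT = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.jane@mail-example.net
To: accounts@example.com
Subject: Urgent
Content-Type: text/plain

Please process the wire transfer to the new supplier today.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Supplier invoice
Content-Type: text/plain

Please process the wire transfer for the attached invoice on the usual schedule.
"""
```

Even the genuine message scores one indicator (payment language), which is why the decision is made on the combination of signs rather than any single one.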
Ask the Expert:
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now. (All questions are anonymous.)