For a company victimized by a business email compromise (BEC), discovering missing funds or inappropriate financial transactions can, at first, be like following a very confusing trail of breadcrumbs. Victim organizations can clearly see, for example, that a wire transfer was made. They can also see who requested and authorized it (possibly the CEO or other high-level executive) and who executed it, likely someone in accounting. Yet, the transaction makes little sense -- the money has gone into an untraceable account unaffiliated with their business, and no one recalls having authorized such a large and unwarranted transaction. Once a full investigation has been conducted, though, the picture becomes clearer: The business was the target of a successful BEC attack.
BEC, or the unauthorized access to an organization's email system by threat actors trying to commit fraud or data exfiltration, is a continually growing threat to organizations. It takes a real (and rising) monetary toll: our recent report revealed that in 2019, BEC attacks cost victims $264,117 on average, with up to $5M being stolen from a single victim in the year. Unfortunately for victim organizations, the funds stolen are only one comparatively small part of the financial toll of the attack; costs associated with the data breach can mount considerably. Companies must perform detailed data mining exercises on the compromised mailbox(es) to determine which sensitive data may have been exposed, notify any affected individuals and pay for credit monitoring services. In 2019, 48% of our BEC cases resulted in the determination that sensitive data was breached.
As more organizations leverage cloud-based email systems, more email-based data is accessible to attackers from the internet. With the growing reliance on email during COVID-19 and the stay-at-home new normal, these attacks are likely to escalate in 2020 and beyond, as we have observed and as the FBI has noted.
Understanding the vulnerabilities threat actors leverage, the tactics they use (and how they are changing), who they target and what you can do about it will go a long way to helping reduce risk.
BEC attackers use spear phishing, in-depth reconnaissance
Often, BEC attackers use spear-phishing attacks to gain control over the email accounts of authoritative figures in the business, such as the CEO or CFO, and then use these accounts to authorize accounting or other staff members to execute monetary transfers into accounts controlled by the threat actor. By doing so, they are tapping into one of the hardest vulnerabilities to control in the organizational defensive armor: the human factor. While most BEC attacks of previous years were mass distributed and untargeted, we observed a distinct increase in 2018 and 2019 in well-researched, targeted and sophisticated BEC attacks. Observed tactics, techniques and procedures (TTPs) have included conducting pre-attack reconnaissance to select the best victims to target with spear-phishing campaigns, such as those with immediate access to high-level credentials and authority, information about how financial transactions are conducted and account details. If the phishing attack is successful, threat actors can begin to set up fraudulent wire transfers and other activities.
Once the threat actor has access to the email account, they may leverage details they learn for additional malicious activity, such as "spoofing" the victim's email address (including registering lookalike domains to mimic the victim organization and creating alternate email addresses that appear very similar to the originals) so they can continue to impersonate their victim over the long term to exploit the victim's contacts or distribute malicious spam. Additionally, they often target other email accounts discovered in the original attack to wage even more threat campaigns by sending phishing emails directly from the compromised account.
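A defender-side check for the lookalike domains described above, as an added example that is not part of the original article: it labels sender addresses relative to the organization's own domain. The domain `example-corp.com`, the substitution table and the edit-distance threshold are assumptions chosen for illustration.

```python
import unicodedata

# Assumptions for this example: the organization's real domain and a small,
# constructed table of visual substitutions seen in lookalike names.
ORG_DOMAIN = "example-corp.com"
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "5": "s"}

def skeleton(name: str) -> str:
    """Fold case, strip accents and collapse common visual substitutions."""
    name = unicodedata.normalize("NFKD", name.lower())
    name = "".join(c for c in name if not unicodedata.combining(c))
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return name

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, org_domain: str = ORG_DOMAIN, max_dist: int = 2) -> str:
    """Label a sender address relative to the organization's own domain."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain == org_domain:
        return "internal"  # exact match; may still be a compromised mailbox
    if skeleton(domain) == skeleton(org_domain):
        return "lookalike-homoglyph"
    if edit_distance(skeleton(domain), skeleton(org_domain)) <= max_dist:
        return "lookalike-typo"
    return "external"

def flag_lookalikes(addresses):
    """Return only the addresses whose domain imitates the organization's."""
    labels = {addr: classify_sender(addr) for addr in addresses}
    return {addr: lab for addr, lab in labels.items() if lab.startswith("lookalike")}

# Constructed sample senders, not taken from any real incident.
SAMPLE = ["ceo@example-corp.com", "ceo@exarnple-corp.com", "cfo@examp1e-corp.com",
          "ap@example-corps.com", "invoices@supplier.test"]

if __name__ == "__main__":
    for addr, label in flag_lookalikes(SAMPLE).items():
        print(f"{label:20} {addr}")
```

An "internal" label only means the domain matches exactly; mail sent from a compromised mailbox passes this check, so it complements rather than replaces out-of-band verification of payment requests.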
No vertical sector is immune -- but some are more targeted
Every vertical sector uses email and has money worth stealing; thus, none are immune to BEC attacks. However, our recent data showed that two sectors -- financial services and healthcare -- were affected disproportionately. The financial services sector was the most targeted sector for BEC attacks, followed by healthcare (18% and 15% of BEC case matters investigated in 2019, respectively, according to our security threats and trends report). Both sectors conduct high volumes of financial transactions via email, send and receive invoices for high-dollar real estate transactions or medical equipment and present a ripe opportunity for threat actors to insert themselves into the process.
Shifting IT models in response to COVID-19 will require increased vigilance
Since the COVID-19 pandemic began impacting the American workplace in March 2020, threat researchers have observed threat actors taking advantage of fear and uncertainty to exploit victims with a broad range of related attacks, BEC among them.
With many working remotely (even within essential functions such as healthcare and food supply chains, where accounting and other personnel are not required on site), email volumes are, predictably, increasing in tandem with attempts to compromise the process. It's more important than ever to apply safeguards against BEC attacks.
Protecting against business email compromise: People, process, technology
Preventing BEC attacks in both the on-premises organization and remote workforce requires vigilance by all users. Comprehensive security awareness training and user education to combat phishing attacks is a critical line of defense.
Additional best practices include:
- Conducting training on how to identify and manage fraudulent financial requests;
- Implementing multifactor authentication (MFA) as a security policy for all employees;
- Ensuring that additional wire transfer verification steps are conducted through non-email communication channels (text messages, voice phone calls, etc.); and
- Limiting the number of employees authorized to approve wire transfers and providing additional training to authorized employees.
Business email compromise attacks are a common, financially destructive threat type, which will likely become even more of a concern in a post-COVID-19 world. Increasing vigilance, attention to security best practices and user training are essential -- particularly in light of the fact that BEC threat actors are getting more strategic and educated about who they target to ensure their success.
About the author
Justin Brecese is a director at The Crypsis Group, where he is responsible for managing consultants and leading DFIR engagements for clients in a variety of industries. He has seven years of experience in cybersecurity with roles as a consultant, incident responder, forensic analyst and instructor. He joined Crypsis in 2017 after working at the U.S. Department of Homeland Security as a senior incident response analyst with US-CERT. At DHS, Brecese performed enterprise-wide cyber-incident response, threat hunting and forensic analysis for government entities.