Business Email Compromise Becomes the Most Common Cyber Attack
Webinars have become part of the ‘New Normal’ that has settled in everywhere as a mode of sharing information. The PHD Chamber of Commerce & Industry, Delhi recently organized such a webinar, presided over by Anyesh Roy, DCP, Cyber Department. In his speech, he declared that BEC (Business Email Compromise) has become the most common form of cyber attack. It is a threat that can befall businesses of all sizes, big and small. During the webinar, Mr. Roy suggested certain changes to an organization's email policy as a means of preventing BEC. But before we get to that, let us understand a little more about business email compromise.
BEC: An Attacker Hides Behind A Spoofed Email Address
Business email compromise occurs via spoofed emails. Spoofed emails are emails in which an attacker has forged a legitimate-looking sender address. To the untrained eye, spoofed emails look like any other mail: harmless and authentic. Because the forged address borrows the trust the victim already places in the person it imitates, the attacker can make almost any request of the victim and get away with it. Typically, accounting and finance employees find themselves in the crosshairs of a BEC attack. Attackers are known to make lucrative requests: releasing funds, transferring money, or signing off on a budget. A BEC email will most probably contain bank account details to which the attacker asks the victim to channel the money.
Sometimes the request in the email is not for money but for credentials. In this case the BEC email contains a bogus form which the employee has to fill in to ‘authenticate’ something or other. Behind the form sits the attacker, harvesting whatever data you enter.
Phishing & Business Email Compromise
It is important to understand clearly how these two types of attack are interlinked, because it will help you when you select a security product for your organization. An email security service that stops phishing may not always handle BEC, and vice versa. As discussed, a BEC attack relies predominantly on a spoofed email address and may or may not use a fraudulent link or web form to bait victims, whereas a phishing attack almost always uses fraudulent links or attachments to get the victim to interact with the email. A BEC attack also relies more heavily on social engineering and psychological trickery than a phishing attack does.
- Key similarity: Both attacks use a ruse of some sort to trick the victim.
- Key difference: While phishing emails can be generic and error-riddled, BEC emails are carefully tailored and meticulously designed to match the organization's actual email communication.
Two Major Types of BEC Attacks
CEO Fraud
As is evident from the name, these attacks are carried out by spoofing a CEO’s email address. The ‘CEO’ contacts the money handlers in the organization with a request for cheques, demand drafts or e-wires.
Things to do:
- Although it is a sensitive topic, be aware of which bank and account the higher executives use. That way, if an email quotes a different bank account, you can smell trouble immediately.
- Find the actual sender’s address rather than trusting the display name that appears in the email. One simple way to do this is presented here.
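As an added example (not from the original article), the following Python script shows the check the second point describes: it separates the display name of the From header from the real address behind it, compares that domain with the organization's own domain, flags lookalike spellings, and warns when Reply-To points somewhere else. The domain examplecorp.com, the names and the sample headers are all constructed for illustration.

```python
import email
from email.utils import getaddresses, parseaddr

# Constructed sample headers (not a real incident): the display name claims
# to be the CEO, but the real address and Reply-To sit on outside domains.
SUSPECT_HEADERS = """\
From: "CEO Priya Sharma" <priya.sharma@examp1e-corp.net>
Reply-To: ceo.office@mail-relay.example.net
To: accounts@examplecorp.com
Subject: Urgent wire - new beneficiary account
"""
CLEAN_HEADERS = """\
From: "Priya Sharma" <priya.sharma@examplecorp.com>
To: accounts@examplecorp.com
Subject: Q3 budget sign-off
"""
TRUSTED_DOMAIN = "examplecorp.com"  # assumed organisation domain

def domain_of(addr):
    """Return the lowercase domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def looks_alike(dom, trusted):
    # Crude lookalike test: strip punctuation and undo digit-for-letter swaps,
    # then see whether the trusted name is embedded in the sender's domain.
    table = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": "", ".": ""})
    name = trusted.split(".")[0].translate(table)
    return name in dom.translate(table)

def check_sender(raw_headers, trusted_domain=TRUSTED_DOMAIN):
    """Parse From/Reply-To and return what a reviewer should actually look at."""
    msg = email.message_from_string(raw_headers)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    warnings = []
    if from_dom != trusted_domain:
        warnings.append(f"real sender domain is '{from_dom}', not '{trusted_domain}'")
        if looks_alike(from_dom, trusted_domain):
            warnings.append("sender domain is a lookalike of the trusted domain")
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if domain_of(reply) != from_dom:
            warnings.append(f"Reply-To '{reply}' goes to a different domain than From")
    return {"display_name": display, "address": addr, "warnings": warnings}

if __name__ == "__main__":
    for label, hdrs in (("suspect", SUSPECT_HEADERS), ("clean", CLEAN_HEADERS)):
        print(label, check_sender(hdrs))
```

The same check belongs in a mail-gateway rule or a Sender Policy Framework/DMARC review; the script only makes visible what the mail client's display name hides.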
Invoice Fraud
Manipulated invoices can cost a company crores of rupees in damages. In invoice fraud, a man in the middle alters a supplier’s legitimate invoice and substitutes his own payment and contact details. Alternatively, the attacker duplicates the invoice entirely and sends it to the buyer, who pays it without question.
Things to do:
- Establish a multiple sign-off protocol for paying invoices.
- Ask the supplier for payment confirmation promptly, rather than waiting a polite number of days. Such cases are reversible with early intervention, so timely action can save you a great deal of money.
Delhi DCP’s Advice Against Business Email Compromise
“Whenever an instruction has been received from the client about changing the destination banking account, it needs to be confirmed through alternate means, including phone call, e-mail and others,” Anyesh Roy said. Roy also suggests that organizations should move to their own domain with a properly hosted e-mail service, instead of free email providers like Gmail, Yahoo and others.