Email has become an inseparable part of any business. Sending invoices, making major decisions, updating your clients, scheduling meetings… all of these activities are now carried out using email services. That makes it all the more vulnerable to cyber-attacks. One of the annoyingly continuous threats faced by organizations is business email compromise.
After reading this blog, you will:
- Have a thorough understanding of how Business Email Compromise (BEC) works.
- Know about the various techniques behind BEC attacks that cyber criminals use.
- Become well versed with the types of BEC attacks so you can keep an eye out on them.
- Have immediately actionable items that you can undertake at a personal / organizational level to prevent email compromise.
96% of phishing threats arrive by email. (Source: Tessian)
Let’s get started!
What is Business Email Compromise?
Business Email Compromise is a type of email scam that attacks the transactional email flow of organizations conducting business using electronic means (like email). It involves a cyber criminal spoofing a known employee’s email address or gaining illegal access to an employee’s email account.
Once the cyber criminals have access to a valid email account, they can misuse it for:
- Tampering with valid invoices or sending duplicate invoices with the bank account details changed.
- Send emails to financial department employees, requesting them to release funds for a ‘special project’.
- Sending out more phishing emails to other employees to try and steal even more credentials of yet more email accounts.
BEC attempts are hard to identify, as the victims believe they are receiving valid emails from the source they usually expect emails from. Because it’s an imposter injecting himself into the email conversation, email compromise scams are also called as ‘man in the middle’ attack.
Key decision makers or employees in the high up places in an organization are prone to BEC attempts.
People who are authorised to release wire transfers are targeted as the victims, whereas executive level employees are targeted for impersonation
Steps in carrying out BEC Attacks
Victim Identification
Business Email Compromise is notably different than other types of cyber frauds because it depends heavily on social engineering and careful preparation. Where other cyber attacks include a malicious payload and a mass distribution plan for a potentially large victim pool, BEC is more patiently planned and executed. It is a more targeted form of attack.
A criminal wanting to compromise an email communication does not simply send out a fraud email by the bulk and hope that someone will bite.
A criminal can identify potential targets by lots of methods. For one, they can check on the internet for the company’s team structure and find out which people can be the most lucrative to scam.
Besides, there are means cyber fraudsters can use to snoop email data going back and forth between organizations. One can then find out which employees are authorized to demand / make monetary decisions.
Once a target is identified, the criminal spends time and effort studying the lingo of communication, the email addresses used and the patterns to emails (for example, company A may have the habit of sending out invoices to company B in the month of November).
The successes of a BEC attack relies on how accurately the criminal can pose as an authorised employee of the organization. For this purpose, the impostor will take his time planning out the attack.
Email Spoofing
The attacker spoofs a valid email address and sends out his fraudulent email. Email spoofing is a type of cyber fraud in which the criminal tampers with the ‘from’ section of an email address such that the display name is the same as a valid email address (forged sender address).
The receiver of such an email thinks that a authentic email address has sent the email.
The contents of such a spoofed email can be:
- A request for an urgent wire transfer needed for business purposes.
- A fake invoice to the buyer, having the attacker’s bank details in it.
- A request for an employee to ‘fill out a form’ to validate their credentials. This kind of email is typically attached with a link to a phishing page where the credentials which are entered are recorded.
Requests for money (1 and 2) are exposed if and when the victim asks for confirmation of payment to the actual person instead of the imposter. If it is not too late, the transaction can be frozen and the money recovered. However, if it’s the third case, BEC can prove much more fatal.
The attacker now basically has the credentials needed to misuse the email account in whatever ways imaginable.
I already understand Business Email Compromise! Give me steps to prevent BEC.
Types of BEC Attacks
Email compromise is an umbrella attack. Cyber criminals have a larger target in mind. Consequently, there are several types of BEC attacks, each having its own intention.
Invoice Fraud
Tampering invoices is a very popular attack. In invoice fraud, a criminal gets hold of a valid supplier’s invoice and alters the bank account details. OR, the fraudster can imitate the invoice entirely and send it to the buyer.
For this, the criminal needs:
- Deep knowledge about the victim’s invoicing process, like usual window periods when invoices are sent, email ids of the employee who sends the invoice, and the messaging / language of the email communication.
- A spoofed email address to impersonate a valid sender’s email address.
Both of these can be achieved using BEC, and the dangerous part is that the criminal will inject himself into the email communication well in advance without ever giving himself away. He will wait for the right moment to strike, without you even knowing.
CEO Impersonation Attacks
Sometimes, a fraudster will spoof the email address of a executive-level employee and send an email to the staff in the finance department, asking for funds. Sometimes, these attacks will strike when the CEO in question is on an overseas / out of office assignment.
It gives the criminal a good ruse: ‘I need funds urgently for my assignment.’
Also, since the victim is not in the office, the criminal has a higher chance of getting away with the fraud.
Account Takeover
Sometimes, it’s not the monetary benefits that attract a cybercriminal. In some cases, a business email will be compromised to get the credentials of an employee. The intention is to hijack that account and then use it either for data theft or hack into more accounts.
Hackers can then sell or misuse this sensitive data.
Spotting & Preventing Business Email Compromise
There are things you can do at your own level to spot email compromise scams. The key is to be alert and aware. Cyber awareness will go a long way when it comes to online security.
Check for email masking
Check the actual address behind the ‘from’ account label. Simply hovering over the name will expose the email address of the sender.
Check for a need for privacy
A spoofed email will contain some instructions to maintain privacy. Something like, “Do not disclose this request to others…” This is an attempt to keep you from confirming the email with the actual person being impersonated. At the risk of a superior’s frown, break the protocol and confirm anyway. Worst case scenario is you’ll get a warning if it’s a valid email.
Check for a need for urgency
A fraudulent email will try to create a false sense of urgency. The email will order you to act fast, NOW. This is just a trick to prevent you from thinking twice about the matter. If you receive such an email, call up the person who’s supposedly sending you the email and confirm. Don’t transfer payments upfront without a confirmation.
Establish protocols
Have clear protocols in place for money transfers. Emphasise that no one is to break protocol no matter what. This will save you from invoice fraud / CEO fraud.
Implement MFA
Implement Multi-Factor Authentication across your organization. This is a super simple and yet widely overlooked method that will safeguard against password theft.
