Business Email Compromise

For years, email has been an ideal way for attackers to get into an organization. A decade ago, phishing was a simple way to harvest login details from consumers and employees alike. These days, the technique has evolved into a precision form of cybercrime that can deliver quick returns for online crooks. Welcome to the world of business email compromise (BEC).

BEC attacks evolved from an earlier kind of attack called ‘whaling’. This high-level phishing attack targeted senior executives with tailored emails that would lure them into divulging sensitive information or giving up passwords to privileged accounts.

Attackers decided to take things a step further, using email to trick executives into sending them payments by posing as other executives, or as trusted third parties.

One approach involves compromising executives’ email accounts so that attackers can understand the target organization’s payments workflow. How are payments approved? Who is responsible for sending them? Criminals will study vendors, billing systems, and even how the targeted executive tends to communicate via email. Building up a detailed picture of the organization is crucial in this kind of BEC attack.

Once attackers understand the inner workings of an organization, they will move to exploit it, often waiting for a critical window, such as when the CEO is travelling. They will then send a message from the CEO to a financial executive authorized to make large payments – typically the CFO or accountant. The message will request an immediate wire transfer, usually to a trusted vendor, to allay suspicion.

If everything looks normal enough, the financial executive will often take the bait and send the payment. However, the account number given will be slightly different to the vendor’s usual account, and the money will go to the attacker. Once the money arrives, the BEC scanner will siphon it off, often through a system of money mules, making it difficult to track.

Although the basic concepts are the same, BEC scammers vary the tools and techniques that they use. Some will simply spoof emails from a senior executive by slightly changing the spelling or substituting characters in an email address. Some use external emails, pretending to be suppliers invoicing directly, or a third party such as a lawyer facilitating a corporate transaction (if the company happens to be undergoing a merger or acquisition, so much the better). To make things more convincing, some will send both an internal email that seem to reinforce each other.

How to fight BEC scammers

What can organizations do to protect themselves from malicious emails? Some of the protections are technical, and some are organizational.

One of the first technical measures involves using a company domain rather than a generic public email address. Aside from making it harder for scammers to spoof employee addresses, it also lets you implement technology to protect your email system.

Sender Policy Framework (SPF) lets you specify which mail servers can send mail from your domain. That makes it more difficult for scammers to spoof company email addresses.  DomainKeys Identified Mail (DKIM) can provide another layer of protection by enabling an organization to cryptographically sign a message in transit, while Domain-based Message Authentication, Reporting & Conformance (DMARC) builds on these two protocols, typing messages to the sender and creating policies for automatically dealing with illegitimate email.

Other technical measures include using email scanning tools to help prevent suspicious emails, including those coming from known bad domains. Data leak prevention software can help prevent employees from unwittingly sending sensitive details to a scammer who may then use them to mount a more convincing BEC attack later on.

Those misguided employees are a big weakness, and while technology can help, it isn’t a substitute for a well-educated workforce. There are two things you can do to help harden employees against attack that focus on process rather than technology.

The first involves training. BEC is another form of social engineering, and warning employees of these potential attacks should be a standard practice. Training shouldn’t be a one-time deal. Reinforce it, and test employees with fake phishing/BEC emails to ensure that they’re taking the training on board. Here’s why many training initiatives fail.

The other part of this employee-hardening approach involves policy. Create strict policies around approving and making payments. These should include not only confirmation policies for payments, but also specific instructions for how and when to give up other sensitive information. Such a policy would have stopped investment firm Fortelus Capital Management from losing £740,000 after a scammer pretending to be from the firm’s bank tricked the CFO into generating bank security codes using his smart card. In that case, there were no fraudulent emails at all; all it took was a phone call.

A confirmation policy might involve getting voice and/or written approval from an executive for payments over a certain threshold. For extra security, a separation of duties policy – in which two separate officers must sign off on payments – can help to stave off potential attacks. These policies should include contingencies for handling requests when key executives are away.

Business email compromise is only going to get worse as attackers exploit human weaknesses. The FBI says that it has cost businesses worldwide at least US$5.3bn since 2013, and losses are mounting. By using a mixture of technology and training, you can help mitigate the risk.