Business Email Compromise (BEC), also known as Email Account Compromise (EAC), is one of the most financially damaging types of cyberattacks, and attacks have been increasing. These attacks involve gaining access to business email accounts, often the email account of the CEO or CFO, and using those accounts to send emails to staff that has responsibility for making payments and tricking them into wiring funds to an attacker-controlled account. The attacks can also be conducted to make changes to payroll information to get employees’ salaries deposited to attacker-controlled accounts.
BEC scams have resulted in losses in excess of $43 billion over the past 5 years according to the Federal Bureau of Investigation (FBI), and that is just complaints submitted to its Internet Crime Complaint Center (IC3). In 2021 alone, almost $2.4 billion in losses to BEC attacks were reported to IC3.
Anatomy of a BEC Attack
BEC attacks require considerable effort by threat actors, but the rewards from a successful attack are high. BEC attacks often see fraudulent transfers made for hundreds of thousands of dollars and in some cases several million. Companies are researched, individuals to target are identified, and attempts are made to compromise their accounts. Accounts can be compromised through phishing or brute force attempts to guess weak passwords.
With access to the right email accounts, the attacker can study the emails in the account. The usual communication channels can be identified along with the style of emails that are usually sent. The attacker will identify contracts that are about to be renewed, invoices that will soon be due, and other regular payments to try to divert. Timely and convincing emails can then be sent to divert payments and give the attacker sufficient time to move the funds before the scam is uncovered.
A recent report from Accenture suggests the rise in ransomware attacks is helping to fuel the rise in BEC attacks. Ransomware gangs steal data before encrypting files and publish the data on their data leak sites. The stolen data can be used to identify businesses and employees that can be targeted, and often includes contract information, invoices, and other documents that can cut down on the time spent researching targets and identifying payments to divert. Some ransomware gangs are offering indexed, searchable data, which makes life even easier for BEC scammers.
How to Improve Your Defenses Against BEC Attacks
Defending against BEC attacks can be a challenge for businesses. Once an email account has been compromised, the emails sent from the account to the finance department to make wire transfers can be difficult to distinguish from genuine communications.
Use an Email Security Solution with Outbound Scanning
An email security solution such as SpamTitan can help in this regard, as all outbound emails are scanned in addition to inbound emails. However, the key to blocking attacks is to prevent the email accounts from being compromised in the first place, which is where SpamTitan will really help. SpamTitan protects against phishing emails using multiple layers of protection. Known malicious email accounts and IP addresses are blocked, other checks are performed on message headers looking for the signs of phishing, and the content of the emails is checked, including attachments and embedded hyperlinks. Emails are checked using heuristics and Bayesian analysis to identify irregularities, and machine learning helps to identify messages that deviate from the normal emails received by a business.
Implement Robust Password Policies and MFA
Unfortunately, it is not only phishing that is used to compromise email accounts. Brute force tactics are used to guess weak passwords or credentials stuffing attacks are performed to guess passwords that have been used to secure users’ other accounts. To block this attack vector, businesses need to implement robust password policies and enforce the use of strong passwords. Remembering complex passwords is difficult for employees, so a password manager solution should be used so they don’t need to. Password managers suggest complex, unique passwords, and store them securely in a vault. They autofill the passwords when they are needed so employees don’t need to remember them. If email account credentials are compromised, they can be used to remotely access accounts. Multifactor authentication can stop this, as in addition to a password, another form of authentication must be provided.
Provide Security Awareness Training to the Workforce
Providing security awareness training to the workforce is a must. Employees need to be taught how to recognize phishing emails and should be trained on cybersecurity best practices. If employees are unaware of the threats they are likely to encounter, when the threats land in their inboxes or are encountered on the web, they may not be able to recognize them as malicious. Training should be tailored for different users, and training on BEC attacks should be provided to the individuals who are likely to be targeted: the board, finance department, payroll, etc.
Security awareness should be accompanied by phishing simulations – fake, but realistic, phishing emails sent to the workforce to test how they respond. BEC attacks can be simulated to see whether the scams can be recognized. If a simulation is failed it can be turned into a training opportunity. These campaigns can be created, and automated, with the SafeTitan Security Awareness Training and Phishing Simulation Platform.
Set Up Communication Channels for Verifying Transfer Requests
Employees responsible for making wire transfers or changing payroll information should have a communication channel they can use to verify transfers and bank account changes. Providing them with a list of verified phone numbers will allow them to make a quick call to verify changes. A quick phone call to verify a request can be the difference between an avoided scam and a major financial loss.
Speak to TitanHQ about Improving Your Defenses Against BEC Attacks
TitanHQ offers a range of cybersecurity solutions for blocking email and web-based cyber threats. For more information on SpamTitan Email Security, WebTitan Web Filtering, and SafeTitan Security Awareness Training, give the TitanHQ team a call. All solutions are quick and easy to set up and use, and all have been developed to make it easy for MSPs to offer these cybersecurity solutions to their clients. With TitanHQ solutions in place, you will be well protected from phishing, malware, ransomware, botnets, social engineering, and BEC attacks.