Business Email Compromise – CompTIA A+ 220-1202 – 2.5

A business email compromise is a challenging social engineering attack to protect against. In this video, you’ll learn how a BEC attack can be carried out and how to prevent a compromise from occurring.


There are many different ways to communicate in today’s business environment, but one of the most common that we’ve seen year after year is email. This makes email a very attractive attack vector for anyone who wants to gain access to data that might be on the inside of a corporate network. After all, who doesn’t trust the information that’s in their email inbox? This is something we use every day, multiple times a day, to communicate with people all over the world. And every person in our company has an email address.

Unfortunately, not everyone understands the security associated with that email address, and that’s where we have problems with a business email compromise. Often, there is a significant social engineering aspect to these email messages that entices the user to click on a malicious link. This makes it very difficult to stop something like a business email compromise, because our automated systems aren’t designed to stop every possible instance of a social engineering attack.

When creating this presentation, I went back to the last month or so of attacks that had anything to do with an email compromise, and we were able to find many instances of email being the method that attackers use to gain access to this data. One of these examples had a user receiving an email from their title company while they were in the middle of closing on some real estate.

Although this email seemed to be from their title company, in reality it was sent by an attacker who made the email appear as if it were from the title company. This email message contained wire information on where they should send their funds for the closing of this real estate. Of course, everything in this email message was false, and the wire transfer sent money to the attackers rather than to the title company.

Another common email attack is one where you receive a message from the CEO of your company asking you to purchase gift cards that they plan on using for employee awards. In this attack, the codes from those gift cards are then emailed to the supposed CEO, who in reality is an attacker with no connection to your organization.

And another attack might have the attacker gaining access to an internal email address and using that address to change an employee’s banking information. For example, the attacker could send an email message that has your name on it, asking your payroll department to change your direct deposit information. This means that during the next pay cycle, your wages are deposited into the attacker’s account instead of arriving in your normal bank account.

Very often, this type of attack is successful because the attacker spends a lot of time planning and orchestrating exactly what they intend to do. In the first step, the attacker identifies the target. They might use company information or social media details to identify an individual within the organization that they can use for this business email compromise.

In many of these instances, the attackers are becoming more familiar with the end user by sending messages pretending to be someone who could be trusted. These emails might contain detailed information about projects that are going on, or it may be simply small talk occurring between two people in two different organizations. Once the victim is comfortable, the attacker then executes the process that will gather data, money, or whatever the attacker is looking for in this particular instance.

For example, the attacker could provide that fake bank information, and then simply sit back and wait for those funds to arrive in the attacker’s account. And if it worked one time, then it could possibly work again. So the attackers could visit that victim again and have them perform a similar process in the hopes that they have not yet discovered that this is actually a business email compromise.

Sometimes, attackers are communicating with you over a legitimate email account that they’ve compromised at a third party. Or they might be using a domain in an email that appears to be from a trusted source, but in reality, there might be a misspelling. For example, my email address is not james@profesormesser.com, where Professor Messer is misspelled with only one S. If you saw that in an email message coming through, though, you might not even recognize that it’s misspelled, and you may just assume that you’re communicating with the legitimate person.

Spear phishing is a common aspect of this business email compromise because the attacker needs to find someone who has access to data or access to money. This is often someone in the accounting department, for example, so it might be a good idea to provide some additional training to the accounting team so that they can look for and perhaps prevent these problems from occurring.

This is also very often part of a larger breach that may not have anything to do with your company. For example, the attacker may have compromised the email at one of your vendors. And now you’re receiving messages from that legitimate vendor email address, but they’re really being authored by the attacker. And if you ever feel that sense of urgency and that somebody is pushing you to do something very quickly, this may be part of a business email compromise. So it’s always a good idea to verify what you’re doing.

If you receive a message from the CEO, it might be a good idea to check in with the CEO’s assistant to see if they really were looking for gift cards. One simple phone call can often stop these from occurring. And if you train your user community to look for these very unusual situations and to always know exactly who they can contact in the IT department, then you may have a way to stop these issues before they ever become a business email compromise.
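As an added illustration (not part of the video or the course material), here is a small screening routine that applies two of the ideas above to incoming mail: it flags sender domains that are a small edit away from a trusted domain, such as the one-S profesormesser.com example, and it flags the request phrasing seen in the wire, gift card and direct deposit scenarios. The trusted-domain list, the example-title.com domain and the sample messages are constructed for this example; the second sample shows that a compromised legitimate vendor account passes the domain check and is caught only by its content.

```python
# Allow-list of domains this organization trusts (constructed for the example).
TRUSTED_DOMAINS = {"professormesser.com", "example-title.com"}
# Phrases tied to the scenarios above: wire, gift-card and direct-deposit
# requests, plus the pressure to act quickly.
BEC_PHRASES = ("wire", "gift card", "direct deposit", "urgent", "right away", "immediately")

def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming table)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Trusted domain that `domain` imitates, or None (trusted itself, or not close)."""
    if domain in trusted:
        return None
    dist, match = min((levenshtein(domain, t), t) for t in trusted)
    return match if dist <= max_distance else None

def assess(message):
    """Findings for one message given as {'from': address, 'body': text}."""
    findings = []
    domain = message["from"].rsplit("@", 1)[-1].lower()
    target = lookalike_of(domain)
    if target:
        findings.append(f"sender domain {domain} imitates trusted domain {target}")
    hits = [p for p in BEC_PHRASES if p in message["body"].lower()]
    if hits:
        findings.append("BEC request phrasing: " + ", ".join(hits))
    return findings

# Constructed sample messages mirroring the scenarios in the video.
SAMPLE_MESSAGES = [
    {"from": "james@profesormesser.com",  # the one-S look-alike from the text
     "body": "Please wire the closing funds to the new account right away."},
    {"from": "ceo@example-title.com",  # legitimate but compromised account
     "body": "Can you pick up some gift cards for employee awards? Send me the codes."},
    {"from": "colleague@professormesser.com",
     "body": "Are we still on for the project review tomorrow?"},
]

def scan_all(messages=SAMPLE_MESSAGES):
    """Map each sender to its findings; an empty list means nothing suspicious."""
    return {m["from"]: assess(m) for m in messages}
```

The phrase matching is deliberately crude substring matching, so it is a prompt for the out-of-band phone call described above rather than a verdict on its own.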