We need to talk about BEC
And how you can defend against it.
How serious is Business Email Compromise?
Business Email Compromise was (by some margin) the number one source of financial loss due to internet-related crime in 2019. To put it into context, stats from the FBI suggest that losses due to ransomware averaged out at around $4,400 per incident. They totalled just shy of $9 million in the U.S. across 2019. In contrast, losses due to BEC were around 17 times higher, at $75,000 per incident. They amounted to a total financial loss north of $1.7 billion for the same period.
Of all financial losses due to internet crime recorded by the FBI during 2019 – in sum, around $3.5 billion worth – BEC accounted for around 50% of the total.
What is Business Email Compromise?
Business Email Compromise is a type of fraud in which organisations are tricked into making wire transfers to a third party that they falsely believe to be a legitimate external supplier from overseas.
The scam begins with either compromising or spoofing the email account of an executive or senior manager: someone who can authorise other employees, such as those in Finance or Accounts Payable, to make wire transfers.
The first part of the scam typically involves either a targeted phishing (spear-phishing) attack or credential theft through keyloggers. For example, a C-Suite executive may be targeted with a phishing attack that installs a Remote Access Trojan (RAT). This RAT harvests credentials and other useful business information.
Then the account is used to instruct other employees to complete a wire transfer request from a fake supplier. For example, a spoofed or hijacked account of a C-Suite executive may be used to send the internal email that makes the request. Overseas banks, often in China, are used by the criminals to receive the funds.
Necessarily, there is an element of social engineering involved, as the attackers need to convince someone to push the wire transfer through. Social engineering may also be used to steal passwords and compromise or spoof the initial account.
How can you defend against BEC?
As we’ve seen above, Business Email Compromise revolves around three interrelated factors: email, people, and wire transfers.
Confirm your wire transfers
Your company should always confirm wire transfer requests by some medium other than email: verify the request via a phone call to a known, legitimate company number (not one provided in the email), or use a workplace communication channel like Slack. Even better, confirm it face-to-face in person or via tele-conferencing software.
Ideally, your company should put a policy in place for secondary confirmation of wire transfers, so that everyone knows the drill. Requests that insist on communicating only by email (itself hardly a confidential means of communication) should be treated with suspicion.
Enable Multi-Factor Authentication
Protecting your users’ email accounts from compromise should also be high on your priority list. Although not perfect, 2FA and MFA will prevent by far the majority of account takeover attempts. Hardware security keys like YubiKey and similar devices are worth considering for certain use cases.
How to detect malicious emails
Having a strategy to protect your users against malicious emails is the third, and absolutely vital, pillar of your defensive strategy. Email has long proven to be the malicious actor’s best friend. It’s been estimated that anywhere between 80% and 95% of all enterprise attacks propagate through email. This is definitely where you need to concentrate your efforts.
The textual content of an email can be used to socially engineer individuals into taking actions that may be harmful to their own or their organisation’s interests. Apart from this content, there are two main technical risks associated with emails: malicious attachments and links.
Strategies for dealing with malicious attachments
In Business Email Compromise attacks, attackers may use attachments to run executable code. This code can drop a RAT in order to install keyloggers, backdoors and other post-exploitation tools. They can steal credentials and useful data such as contacts and previous email correspondence. BEC scammers typically spend some time profiling their victims in order to craft content that is as convincing as possible to pull off the social engineering aspect of the scam.
For that reason, it’s important that you look at a range of options for preventing attachments from executing code. Attachment filtering can be used in a number of ways to help mitigate code execution. For example, email scanning software could be used to change file formats of attachments so that they cannot execute hidden code.
While this may be effective to a certain extent, it has a drawback: it may prevent users from carrying out ordinary business tasks with documents that need to be edited or returned in their original format. Given that impact, user resistance could be high.
A better solution would involve Content Disarm and Reconstruction (CDR), which deconstructs the attachment and removes harmful content. This has the benefit of being both highly effective and meeting low user-resistance, since the process is transparent at the user level.
Dealing with macros, archives and whitelists
It’s also a wise idea to disable or restrict Macros, as many attacks make use of Microsoft Office’s VBA scripting language to call out to C2 servers and download malicious payloads.
Also, ensure that your email scanning software deals with archives properly. Compressed files can bypass some unsophisticated scanning engines if they do not decompress files fully. Attackers have been known to append archive files to other files like images, which some security software might overlook.
Be careful with (or avoid) whitelisting files by extension: it’s a simple trick for attackers to bypass such whitelisting rules by renaming executable files with non-executable file extensions. If whitelisting attachments is a must, at least use a policy that whitelists by file typing – scanning the file to examine its format – to avoid the easiest of bypasses.
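To illustrate the file-typing and appended-archive checks described above, here is an added example; it is not code from the original post or from any product it mentions. It classifies an attachment by its leading bytes rather than its extension and flags a ZIP archive glued onto a non-ZIP file such as an image. The signature table, the extension map and the sample blobs are constructed for illustration and are deliberately incomplete.

```python
# Magic-byte signatures for common attachment formats (constructed, not exhaustive).
MAGIC = {
    b"MZ": "exe",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",          # also .docx/.xlsx, which are ZIP containers
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy .doc/.xls, may carry VBA macros
}
# Which detected type each extension is expected to carry (constructed subset).
EXPECTED = {"exe": "exe", "scr": "exe", "dll": "exe", "pdf": "pdf", "zip": "zip",
            "docx": "zip", "xlsx": "zip", "png": "png", "jpg": "jpeg", "jpeg": "jpeg",
            "doc": "ole", "xls": "ole"}
ZIP_LOCAL, ZIP_EOCD = b"PK\x03\x04", b"PK\x05\x06"

def detect_type(data: bytes) -> str:
    """Classify by leading bytes, ignoring whatever the filename claims."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"

def has_trailing_archive(data: bytes) -> bool:
    """True when a ZIP archive has been appended to a file that is not itself a ZIP."""
    if detect_type(data) == "zip":
        return False
    # A ZIP ends with an end-of-central-directory record; its comment is at most 65535 bytes.
    return ZIP_LOCAL in data[1:] and ZIP_EOCD in data[-65557:]

def assess(filename: str, data: bytes) -> dict:
    """Return detected type, findings and an allow/deny verdict for one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = detect_type(data)
    findings = []
    if kind == "exe":
        findings.append("executable content")
    if ext in EXPECTED and EXPECTED[ext] != kind:
        findings.append(f"extension .{ext} does not match detected type {kind}")
    if has_trailing_archive(data):
        findings.append("archive appended after file body")
    return {"detected": kind, "findings": findings, "allow": not findings}

# Constructed samples: a renamed executable, a clean OOXML document, an image with a ZIP glued on.
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "report.docx": b"PK\x03\x04" + b"\x00" * 40 + b"PK\x05\x06" + b"\x00" * 18,
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"PK\x03\x04" + b"\x00" * 10 + b"PK\x05\x06" + b"\x00" * 18,
}
```

Calling `assess(name, blob)` over `SAMPLES` denies the renamed executable and the polyglot image while allowing the document, which is the behaviour a type-based (rather than extension-based) whitelist should give.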
Dealing with links and sender verification
For emails that contain malicious links, one strategy used by some organisations is to defang hyperlinks in emails so that they are unclickable. This forces the user to copy and paste the link into a browser, a conscious process that provides an opportunity for users to pause and consider what they are doing.
Again, however, the issue is that whenever security impacts productivity and convenience, you will meet some user resistance. This security measure has the twin drawbacks of being both inconvenient and fallible. Introducing the delay still does not guarantee that the user will not visit the link, so proceed with this policy with caution.
Another strategy to consider for dealing with emails is sender verification, such as through DMARC and SPF/DKIM. These technologies can help flag up fake sender identities (i.e., spoofed accounts), but they may not help if the account belongs to a legitimate member of an organisation but has been compromised by an attacker.
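As an added example (not the post's or any vendor's code), here is a small evaluator of the Authentication-Results header that applies DMARC-style relaxed alignment of the SPF and DKIM identifiers against the From domain. The two header sets are constructed: the spoofed message fails alignment, while the one sent from a compromised legitimate account passes every check, which is exactly the limitation noted above. The organisational-domain logic is a simplification that ignores the Public Suffix List.

```python
import re
from email.utils import parseaddr

# Constructed headers for illustration, not real mail traffic.
SPOOFED_MSG = {
    "From": "CEO <ceo@example.com>",
    "Authentication-Results": "mx.example.com; spf=pass smtp.mailfrom=bounce@bulk-sender.example.net; dkim=none",
}
COMPROMISED_MSG = {
    "From": "CEO <ceo@example.com>",
    "Authentication-Results": "mx.example.com; spf=pass smtp.mailfrom=ceo@example.com; dkim=pass header.d=example.com",
}

def org_domain(domain: str) -> str:
    # Simplification: treat the last two labels as the organisational domain.
    # Real DMARC evaluation uses the Public Suffix List (co.uk and the like).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def _result(ar: str, method: str, id_key: str):
    """Return (result, identifier domain) for one method in an Authentication-Results header."""
    m = re.search(rf"{method}=(\w+)(?:\s+{re.escape(id_key)}=([^\s;]+))?", ar)
    if not m:
        return "none", None
    ident = m.group(2)
    domain = ident.split("@")[-1] if ident else None
    return m.group(1).lower(), domain

def evaluate(headers: dict) -> dict:
    """Relaxed alignment: SPF or DKIM must pass AND share the From header's organisational domain."""
    from_domain = parseaddr(headers["From"])[1].split("@")[-1].lower()
    ar = headers["Authentication-Results"]
    spf_res, spf_dom = _result(ar, "spf", "smtp.mailfrom")
    dkim_res, dkim_dom = _result(ar, "dkim", "header.d")
    spf_aligned = spf_res == "pass" and spf_dom is not None and org_domain(spf_dom) == org_domain(from_domain)
    dkim_aligned = dkim_res == "pass" and dkim_dom is not None and org_domain(dkim_dom) == org_domain(from_domain)
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }
```

A `dmarc_pass` of True only says the message came from infrastructure authorised for the domain; a request sent from a hijacked account will pass just as cleanly, which is why the wire transfer confirmation step above still matters.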
Finally, ensure that you are protected against both malicious attachments and malicious links by arming your endpoints with an AI-driven security solution that can detect and block malicious code as it attempts to execute, regardless of its origin: file or fileless, link or Macro.
Conclusion
Verifying wire transfers and enabling multi-factor authentication are simple, effective ways to get ahead of scammers intent on Business Email Compromise. On top of that, consider the practicality of the techniques we’ve mentioned above as part of a layered, defence-in-depth approach.
Business Email Compromise scams target the weakest link: busy staff trying their best to be productive. An automated, behavioural security solution like SentinelOne can ensure that attempts to install RATs, keyloggers and other malware are stopped in their tracks.
If you want to know more about how Tobania and SentinelOne can protect your company from all attacks, please leave your contact details and we’ll get in touch for an open discussion about your security.