Business email security

Imagine this: it’s six in the evening, you’re wrapping up a few things for work and getting ready to shut down for the day when you get an email in your inbox. It’s an urgent message from the CEO asking you to initiate a wire transfer to finalize a deal with a partner, and it’s needed immediately.

There’s just one problem: it’s not actually from your CEO. It’s an attacker attempting to launch a business email compromise attack.

Business email compromise (BEC) is a low-cost cyber crime tactic that is becoming more common and more effective. These attacks pose a serious risk to companies that manage financial transfers and payments — for example, costs to Canadian companies have been estimated at approximately $33 million since 2016 alone.

The good news is that understanding how BEC works can help you spot suspicious activity early, such as phishing attempts, and avoid a costly attack.

“Business email compromise has cost Canadian companies approximately $33 million since 2016.”

Phishing, social engineering, and typo-squatting: how attackers target businesses and their vendors 

At its core, BEC is a social engineering scam. Cyber attackers pose as company executives, or a company’s third-party vendors and suppliers, to initiate financial transfers to an account attackers control.

But to pose as executives or vendors, they need a disguise. Attackers need access to the right account, or at least credentials that look close enough to the real thing, to make the transfer look like the real deal.

Business email security

These credentials are typically gathered through a variety of other low-profile attacks and tactics that might not immediately raise a red flag with a user. For example, spear phishing is a very common technique used by attackers to target specific users (in the case of BEC, C-suite executives) and uses emails designed to lure them into clicking a malicious link or downloading a malicious attachment.

This typically brings users to a hosted interface designed to look like a genuine authentication interface (such as Microsoft’s, as an example) that then encourages users to enter their credentials by way of a password reset prompt or similar phishing hook. No malware is required, making these attacks incredibly low-cost.

Here are a few other techniques an attacker might use to accelerate their attack or access additional accounts:

Inbox forwarding rules

Email inbox rules let attackers forward all or select emails to an account they control. This can persist even after the password of the compromised account has been changed. Rules might also be created to hide correspondence between the account and other victims.

Lateral movement

When an attacker can “move” between workstations or accounts on a corporate network, they’re engaging in lateral movement. For example, a successful phishing attack on an employee in one department may provide attackers the access they need to target other users in other departments on the network. They may also move on to target further clients, or to target users up or down the supply chain.

Typo-squatted domains

To further their phishing attempts, some attackers use a URL or domain that’s almost, but not quite, identical to a legitimate user or company (such as g0ogle.com) to get users to click through to fraudulent login pages that can then be used to collect credentials. These domains may continue to be used even after access to a fraudulent domain has been lost.

 

How to stay ahead of BEC attacks 

Regardless of how they seize accounts or who they impersonate, attackers will search through compromised accounts to gather additional information to make a BEC attack look as authentic as possible.

That authenticity lends itself to some of the most common attack types:

Invoice payment requests

Attackers may use a legitimate or falsified invoice from one of your vendors or suppliers to request a payment to an account they control.

CEO fraud

As we’ve discussed above, attackers may pose as your CEO (or another high-ranking executive) to request a payment to an account they control.

Legal impersonation

Along the same lines as CEO fraud, in legal impersonation (sometimes called attorney fraud), attackers pose as a lawyer requesting sensitive information or payment as part of their duties or responsibilities.

As discussed, these are all variations on social engineering scams. While these attacks vary in technique and target, there are a few things you can watch for to help identify a BEC attack early and protect your business.

Potential indicators of a BEC attack may include:

  • Spoofed email addresses that use a variation on an executive’s name (Steve instead of Steven) or a domain could indicate an attempted BEC attack.
  • Generic terms or an unfamiliar tone of voice (for example, a formal “Dear Sir” from a co-worker or a dramatic increase in typos) from a contact you correspond with regularly may be a sign an account has been seized by an attacker.
  • Unfamiliar file formats or extensions being passed off as authentic documents, such as a file being named “Presentation.pptx” despite being a different format altogether.
  • Urgent requests to transfer funds or initiate a payment, potentially circumventing company policies and procedures.

Protecting your company from BEC attack 

Taking the time to train employees and staff at all levels of your company can help you spot potential BEC attacks early. Organizations should also consider additional validation methods for invoicing that involve adding verification layers and controls that extend beyond email.

Ensuring your workforce is fully briefed on procedures around invoicing, payments, and financial policies, and what to do if they suspect they’re being phished, can help reduce the likelihood of a successful attack.

But attacks aren’t waiting on you to get into the office.

Monitoring all aspects of your IT network, no matter where work takes place — including cloud services and other remote work assets— can help you identify vulnerabilities that an attacker may exploit or provide greater insight into the source of a suspicious email. With continuous monitoring and automated alerting, you’ll be able to identify threats to your network early and close gaps in your security that could lead to an attack.

“Continuous monitoring and automated alerting let you identify threats early and close security gaps that could lead to an attack.” 

Reach out to us today at cybersecurity@secureits.ca

 

* * * * * *

Lyle Melnychuk is President and CEO of Secure IT Systems, an IT and security consulting firm specializing in cybersecurity consulting, cloud migration and business continuity solutions. For questions about how SIT can help your company be better prepared, contact lyle@secureits.ca or visit our website at www.secureits.ca

 

 

Contact Us
Information Security
|
December 11, 2023

What is InfoSec: The 5 W’s of Information Security

When we describe what we do at Secure Shield almost every time the reply is “so, you mean cybersecurity?” Well, Kind of

Information Security can be confusing to some people. Okay, maybe most people. What is infosec, and why is information security confusing? Well, apart from being compared to “Cyber Security”, maybe it’s because we miss some of the basics. Understanding information security comes from gathering perspective on the five W’s of security: what, why, who, when, and where.

Read More
Information Security
|
November 16, 2023

What Drives Us Crazy: The Blinky Lights Syndrome

When Secure IT Systems decided to move away from the MSP space to focus solely on Information Security, it was to help try to fix a broken information security industry. One of the ways it’s broken is that there are many people and vendors participating in the money grab, trying to sell you potentially ineffective cyber security technology solutions. We call these blinky lights or better known as “The Blinky Lights Syndrome”: high-tech products or services that falsely claim they’ll fix everything for you automatically.

Read More

Our Cybersecurity Frameworks are built around:

    • Schedule a Meeting

    Schedule a time to talk one on one, and find out how we can get the right balance of cloud platforms and traditional IT working together for you.