Imagine this: it’s six in the evening, you’re wrapping up a few things for work and getting ready to shut down for the day when you get an email in your inbox. It’s an urgent message from the CEO asking you to initiate a wire transfer to finalize a deal with a partner, and it’s needed immediately.
There’s just one problem: it’s not actually from your CEO. It’s an attacker attempting to launch a business email compromise attack.
Business email compromise (BEC) is a low-cost cyber crime tactic that is becoming more common and more effective. These attacks pose a serious risk to companies that manage financial transfers and payments — for example, costs to Canadian companies have been estimated at approximately $33 million since 2016 alone.
The good news is that understanding how BEC works can help you spot suspicious activity early, such as phishing attempts, and avoid a costly attack.
“Business email compromise has cost Canadian companies approximately $33 million since 2016.”
Phishing, social engineering, and typo-squatting: how attackers target businesses and their vendors
At its core, BEC is a social engineering scam. Cyber attackers pose as company executives, or a company’s third-party vendors and suppliers, to initiate financial transfers to an account attackers control.
But to pose as executives or vendors, they need a disguise. Attackers need access to the right account, or at least credentials that look close enough to the real thing, to make the transfer look like the real deal.
These credentials are typically gathered through a variety of other low-profile attacks and tactics that might not immediately raise a red flag with a user. For example, spear phishing is a very common technique used by attackers to target specific users (in the case of BEC, C-suite executives) and uses emails designed to lure them into clicking a malicious link or downloading a malicious attachment.
This typically brings users to a hosted interface designed to look like a genuine authentication interface (such as Microsoft’s, as an example) that then encourages users to enter their credentials by way of a password reset prompt or similar phishing hook. No malware is required, making these attacks incredibly low-cost.
Here are a few other techniques an attacker might use to accelerate their attack or access additional accounts:
Inbox forwarding rules
Email inbox rules let attackers forward all or select emails to an account they control. This can persist even after the password of the compromised account has been changed. Rules might also be created to hide correspondence between the account and other victims.
When an attacker can “move” between workstations or accounts on a corporate network, they’re engaging in lateral movement. For example, a successful phishing attack on an employee in one department may provide attackers the access they need to target other users in other departments on the network. They may also move on to target further clients, or to target users up or down the supply chain.
To further their phishing attempts, some attackers use a URL or domain that’s almost, but not quite, identical to a legitimate user or company (such as g0ogle.com) to get users to click through to fraudulent login pages that can then be used to collect credentials. These domains may continue to be used even after access to a fraudulent domain has been lost.
How to stay ahead of BEC attacks
Regardless of how they seize accounts or who they impersonate, attackers will search through compromised accounts to gather additional information to make a BEC attack look as authentic as possible.
That authenticity lends itself to some of the most common attack types:
Invoice payment requests
Attackers may use a legitimate or falsified invoice from one of your vendors or suppliers to request a payment to an account they control.
As we’ve discussed above, attackers may pose as your CEO (or another high-ranking executive) to request a payment to an account they control.
Along the same lines as CEO fraud, in legal impersonation (sometimes called attorney fraud), attackers pose as a lawyer requesting sensitive information or payment as part of their duties or responsibilities.
As discussed, these are all variations on social engineering scams. While these attacks vary in technique and target, there are a few things you can watch for to help identify a BEC attack early and protect your business.
Potential indicators of a BEC attack may include:
- Spoofed email addresses that use a variation on an executive’s name (Steve instead of Steven) or a domain could indicate an attempted BEC attack.
- Generic terms or an unfamiliar tone of voice (for example, a formal “Dear Sir” from a co-worker or a dramatic increase in typos) from a contact you correspond with regularly may be a sign an account has been seized by an attacker.
- Unfamiliar file formats or extensions being passed off as authentic documents, such as a file being named “Presentation.pptx” despite being a different format altogether.
- Urgent requests to transfer funds or initiate a payment, potentially circumventing company policies and procedures.
Protecting your company from BEC attack
Taking the time to train employees and staff at all levels of your company can help you spot potential BEC attacks early. Organizations should also consider additional validation methods for invoicing that involve adding verification layers and controls that extend beyond email.
Ensuring your workforce is fully briefed on procedures around invoicing, payments, and financial policies, and what to do if they suspect they’re being phished, can help reduce the likelihood of a successful attack.
But attacks aren’t waiting on you to get into the office.
Monitoring all aspects of your IT network, no matter where work takes place — including cloud services and other remote work assets— can help you identify vulnerabilities that an attacker may exploit or provide greater insight into the source of a suspicious email. With continuous monitoring and automated alerting, you’ll be able to identify threats to your network early and close gaps in your security that could lead to an attack.
“Continuous monitoring and automated alerting let you identify threats early and close security gaps that could lead to an attack.”
Reach out to us today at email@example.com
* * * * * *
Lyle Melnychuk is President and CEO of Secure IT Systems, an IT and security consulting firm specializing in cybersecurity consulting, cloud migration and business continuity solutions. For questions about how SIT can help your company be better prepared, contact firstname.lastname@example.org or visit our website at www.secureits.ca