Most of us are familiar with phishing emails and the danger they pose. However, there is another type of email attack that is possibly more dangerous and specifically targeting businesses. We wanted to give you some notes on what BEC attacks are and how to protect your company.
BEC stands for Business Email Compromise and refers to when hackers gain access to company email, and then use a combination of social engineering and access to fraudulently get money from the company.
This is typically done by spoofing emails to impersonate company leadership. They will gain access, and then monitor email for some time to understand how these requests are made. They will then make a request mimicking typical transactions and ask that checks be deposited, or money wired to a fraudulent account.
I talked with a potential client recently that was looking for a new IT provider after suffering a BEC incident. Their accounts payable representative had noticed some unusual activity on her email account and reported it to their IT provider. They brushed it off, and simply told her to reset her password and everything would be fine. The employee did so and continued to do her work.
It turns out that a hacker had gained access to her account, and even though she reset the password to her email they already had a persistent connection to her computer. This allowed them to easily discover the new password and continue monitoring her correspondence.
This company worked in the oil and gas industry, and it was not uncommon for them to send invoices to their clients that were hundreds of thousands of dollars. After a time, the hacker sent out invoices to many their clients. The invoices were formatted exactly as the company typically formatted their invoices and looked convincing. They spoofed her email so that the invoices were coming from accounting just like normal. They also sent a notice along with the invoices letting them know that their banking information had changed and provided a new online portal they could log into to make payment.
6 of their clients fell for it and initiated wire transfers to pay their invoices. Luckily the change in banking information was flagged by their banks, and 5 out of the 6 were caught. The last transfer of over $100,000 was not caught and went through. That money is gone.
Another BEC Horror Story
An article caught my eye recently about another terrible BEC incident. The headline reads Company Sues Employee for $138,000 in BEC Losses
The story talks about Patricia Reilley. She worked as an accountant for a media company in Scotland. Her boss was out on vacation and asked her for her help to move $200,000 of the company’s funds from one account to another via wire transfer.
Reilly made the requested transfer not knowing that the emails making the request were spoofed and the request was fraudulent. A few days later they realized what had happened and went to their bank to try and recover the money. A portion was recovered, but $138,000 was stolen and was already gone.
Reilly was fired by her employer for negligence, and later sued by the company for damages. Luckily for Reilly the judge ruled that although she was in breach of contract with the company for her actions because of the circumstances she was not personally responsible for the money.
Another example from the news. An Italian company with operations in India was recently bilked for 18.6 Million dollars. This was a much more involved ploy but started the same way with hackers gaining access to company email accounts.
They spoofed the CEO’s email address and tricked the head of Indian operations into thinking that they were working on a top-secret acquisition. They even arranged a series of conference calls to discuss the acquisition and had a voice imitator of the CEO on the call.
They ended up making 3 transfers to a Hong Kong bank that totaled $18.6 million dollars. The bank accounts were opened with fake ID’s and by the time they figured out what was going on the money was gone.
How Can You Protect Your Business?
Here are some great suggestions on how to protect your business taken from a great article on the subject on servertastic
Avoiding Opening Emails From Unknown Parties
The safest way to avoid risk is to not click the email in the first place. Employees should check the address of the sender carefully for any differences that might be a sign of a spoofed address. This could include “l” with “1” or a subtle misspelling that could easily be overlooked.
Links in emails can be disguised using anchor text. You can reveal the true destination by hovering over the link. A box next to the cursor or in the bottom corner of the browser will display the real address the link leads to. Investigate these carefully. Fraudulent links may try to mimic a real address.
Attachments are one of the most common methods criminals use to distribute malware. Unknown attachments must never be opened. Even attachments you are expecting should be scanned by up to date anti malware before being accepted.
Use a Company Domain
Using free web-based emails accounts for your business makes it easier for criminals to spoof your addresses. You should create a company domain and use it for your email accounts instead. Criminals may still try to mimic the address, but diligent employees will be able to spot the inconsistencies.
As well as protecting your business, customers are more likely to trust an email if it comes from a branded email address.
Verify Money Transfers
Creating a procedure for money and data transfers can prevent careless losses. Any transfers should be verified with another member of staff through face to face or telephone call, using previously established numbers. You should not rely on any contact methods suggested by the email, especially if they differ from the norm.
Consider What Information You Are Putting Online
Cyber criminals can use the information you put online to enhance their facades. They use this data to build profiles of employees in preparation for grooming them as part of their phishing attempts. This can include names, addresses, job titles and descriptions.
Posting details about holidays can clue criminals to when key figures will be out of the office. This can present them with the best opportunities to attack. Keep the holiday photos for when you return.
Keeping social media accounts private can prevent criminals from trawling them for data.
Keep Anti-Malware Updated
Using the latest anti-virus and malware technology can catch harmful payloads often distributed by email. Malware is constantly evolving, so it is vital to regularly updated your software to keep up.
Here to help
As always, the security experts at i.t.NOW stand ready to help. We would love to discuss how you can make your network more secure
and prevent threats like BEC attacks from happening in the first place.