3 Indicators to Monitor for Business Email Compromise (BEC)

7 min read

A majority of breaches in 2019* were related to compromised emails and/or stolen user credentials, including business email compromise.

*source: 2020 Verizon Data Breach Investigations Report

Cyber crime is up during the pandemic, and the Consulting team at Critical Insight has been responding to security incidents that have been impacted by coronavirus in some way or another. 

From covid19-related phishing email attacks, like the example from the FTC seen above, to suspicious logins from employees working in home offices, we've seen an uptick in email-related attacks, including business email compromise (BEC).

BEC scams have been on the rise this year. In March and April 2020, cyber criminals used BEC techniques, tactics, and procedures (TTPs) to conduct unemployment insurance fraud, stealing hundreds of millions of dollars from states like WA, OH, and CO. Microsoft shared this imposter email on their blog as one of the phishing lures used in this scam.

The latest from the 2020 Verizon Data Breach Investigations Report confirms the majority of breaches (over 67 percent) involve compromised emails and/or user credentials, including this variant of email attack.

And while BEC attacks represent only a small percentage of email attacks, if successful, they carry a greater financial risk because of the substantial dollar amounts extorted from victims. The FBI’s Internet Crime Complaint Center (IC3) reports that BEC scams have cost organizations a total of $26 billion in losses over the past three years.

We’re also seeing more cases where coronavirus is being used to as a tactic to socially engineer victims into falling for these attacks, and that manifests in the form of some pretty specific indicators, explained later in this article.

What is Business Email Compromise?

BEC is when a cybercriminal uses a compromised business email account with the goal of conducting a fraudulent financial transaction with an unsuspecting employee or vendor. It’s been a popular tactic used by individual cyber criminals and organized crime for years, and requires sophistication in social engineering, email delivery, and persistence in achieving the criminal’s intended target. And should the unsuspecting employee do the BEC criminal’s bidding, companies can lose millions of dollars with a few clicks.

Critical Insight has recently observed that a high percentage of new customers have contacted us during an attack in progress to request digital forensics and incident response (DIFR) services following a suspected email compromise. As part of our DFIR service, we help them secure and recover their network and their systems, determine the extent of the breach, and figure out what data was exfiltrated. We then look for process improvements and next steps to prevent reoccurrence and improve email security, including Office 365 cloud monitoring. As part of the computer forensics investigation, we examine all available records of communications between the customer and the attacker. In these cases, initial contact came via email, but the attackers switched to other encrypted communication methods, such as WhatsApp.

BEC Indicator 1: Fake Prospective Customers

One distinct indicator we’ve seen with clients includes cases where the overseas “new customer” turns out to be a non-existent fraud spearfishing for intel to execute a BEC attack. 

The “new customer” may begin negotiations with the appearance of being a new customer, but is actually the puppet of an attacker. These attackers have networks of phishing sites to act as false fronts to initiate various business processes and observe their effects – this method is sort of like a ‘business portscan’. The attackers may also use those sites to send phishing emails with links that download ransomware on the victim’s machine. This technique works well, because they know employees are more likely to open email from a potential customer – especially if a future sale may be possible.

Attackers may use several different puppets to inspect different business processes. Fake suppliers can gather information about the invoicing process while fake clients discover information about persons involved in client sales and invoicing. These puppets gather the names, titles, and contact information of principal employees, as well as copies of email signature images and other assets that will be used later in the BEC scam.

BEC Indicator 2: Requests to Communicate with WhatsApp, IM, Text, etc.

The second distinctive indicator is particularly effective during the coronavirus pandemic, in which every organization has been forced to shift its usual patterns of communication, and requests for different communications strategies with clients and suppliers are not uncommon.

Beware these strange or out-of-band communications requests and be careful to treat links and attachments in these out-of-band requests with a high level of suspicion. Be especially wary of demands to use WhatsApp or similar phone-based messaging apps to communicate. WhatsApp is a major source of one-click attacks for iOS and Android; with a new single-click vulnerability was discovered in the WhatsApp client just last February, it's an easy route into company email by way of an employee’s compromised phone or mobile device. The attacker may insist this is necessary because of the changes in regular processes imposed by the pandemic, or for “faster” or “better” communication.

Instead of using WhatsApp, we recommend using Signal as a secure messaging platform. Designed with security in mind, Signal is open source – guaranteeing code review – and has a lean codebase with a smaller attack surface for vulnerabilities. We recommend using Signal as a secure messaging platform, but nothing replaces a combination of effective mobile device management and a habit of vigilance in dealing with suspect emails and instant messages.

If, as in the example above, the attacker manages to compromise a mobile phone or desktop endpoint, that means they now have the ability to get inside your “decision loop” – the process  you and your organization use to make decisions, including how to respond to potential security incidents. With access to an individual company email account, they can quickly discover the identities of the decision makers and who has signing authority.

Like a hacker mapping a network, then spoofing the computers on it, they could map the inside of your business and even send email posing as legitimate representatives of your company. We have observed some attackers using this technique by sending confusing or contradictory requests to various personnel in the company and observing the results. A sophisticated actor can infer a surprising amount from these interactions and even interfere with attempts to investigate their actions.

BEC Indicator 3: Fake Supply Chain Emails Enabling Recurring Wire Transfers

This brings us to the third distinctive indicator: attackers using the above methods attempting to negotiate entire business agreements between a company email account that they compromised and a totally legitimate supplier with which they have an existing relationship, with the attacker controlling both sides of the conversation. The goal seems to be to have the company order goods from their supplier overseas, then wire money as payment.

The attacker uses their compromised company email accounts to place orders with the compromised supplier, attempt to approve their own invoices, and settle the transaction. At the same time, the compromised account on the supplier side is used to ensure the supplier never sees any inquiries regarding those orders. In some of these cases, we have noticed attempts to gain what could be termed as “persistent” access to company finances, in the form of attempts to arrange multiple regular, ongoing payments. That would then become relatively stable income, at least until the company finally notices it never ends up getting any of its supplies and becomes suspicious.

No business wants to think of its customers, vendors, or partners as a risk, but it is wise for some organizations to be on the lookout for these techniques. The FBI’s list of “red flag” indicators of potential Business Email Compromise attacks is an excellent source to use.

FBI’s List of Top “Red Flags” Business Email Compromise

  • Unexplained urgency
  • Last minute changes in wire instructions or recipient account information
  • Last minute changes in established communication platforms or email account addresses
  • Communications only in email and refusal to communicate via telephone or online voice or video platforms
  • Requests for advanced payment of services when not previously required
  • Requests from employees to change direct deposit information

source: https://www.fbi.gov/news/pressrel/press-releases/fbi-anticipates-rise-in-business-email-compromise-schemes-related-to-the-covid-19-pandemic

Educate the Employees Most At-Risk for Business Email Compromise

You should use the following tips to help prevent users from falling for a BEC scam. These are critically important for those who have budget authority, credentials to access financial accounts, or executive authority.

We recommend advanced security awareness training (SAT) for all executives and staff involved with purchasing, invoicing, shipping, receiving, or any other external-facing business processes on indicators of malicious activity or intent to lower the risk of business email compromise. 

  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the email address and the sender name match.
  • Ensure the URLs within the email are legitimate by hovering over any links before you click on them. If the URL of the link doesn't match the description of the link, do not click on the link.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Be skeptical of last-minute changes in wiring instructions or recipient account information.
  • Do not contact the vendor through the phone number provided in the email; verify any changes and information via the contact on file.

These security awareness tips require both education and user practice; try using free tools, like this interactive phishing quiz from Jigsaw & Google to help employees who are most likely to be targeted for BEC attempts know what they are looking for in a suspicious email request.

Manage Business Email Compromise Risks to the Security Program

Preventing sophisticated BEC attempts begins with managing the risks to email accounts and credentials that lead to BEC attempts in the first place.

  1. Keep your email security tools, processes, and policies updated at all times; ensure users know the policies, train on best practices, and have access to IT support to manage their individual email security and credentials.
  2. Ensure you have an identity management program in place that prevents the combinations of access and privileges that BEC attempts prey upon.
  3. Provide advanced security awareness training (SAT) for users in your organization who have the highest risk for business email compromise (i.e. Finance, C-Suite, Executive Assistants)
  4. Set up a phishing reporting program where users can send suspicious emails (as attachments) to the InfoSec team for further investigation.
  5. Monitor for activities that could indicate an active BEC attack may be underway (e.g. irregular wire transfers to foreign countries), or get 24x7 monitoring from a recognized MDR provider, like Critical Insight, to monitor 24/7/365 for threats to your network and assets.

If you need help building a Security Awareness Training program for your organization, contact Critical Insight’s Consulting team of experts to help you lower your BEC and email-related security risks.