Preparing for the Business E-Mail Compromise That is Coming

3 min read

As you may have read, the City of Seattle experienced a business email compromise (BEC) event that redirected approximately $800,000 in payments to criminals and away from Mary’s Place, a homeless shelter for women and kids.

Apart from the heinous choice of victim, BEC is a common occurrence. Companies and Organizations in the United States lose about $2B per year through crimes like this and local government is routinely victimized.

Here’s a quick primer on how BEC works:

  • On the unsophisticated end, someone sends a fake invoice into a company and the company pays it. Simple enough.
  • More sophisticated: you may get a message from “the CEO” who asks the recipient for an emergency wire transfer or to purchase gift cards – for example to give away at a conference. Lately this involves an initial e-mail message instructing the recipient to provide a phone number for text messaging where the actual request is made.
  • Even more sophisticated variant: This is the type that was used against Mary’s Place and involves compromise of the victim’s e-mail system through phishing, credential stuffing, or just plain guessing (and remember that the most common passwords are notoriously bad). Once the actor has gained control of an e-mail account, s/he will study internal communications and understand the tenor and content of messages to and from a customer, or in this case funding agency. Once able to emulate the employee with the compromised account, messaging goes out requesting a change in bank routing number or other account information that would redirect payment.

This is all a news story at this point, but there’s a situation coming that’s going to ramp this problem way up – specifically in state and local government, and it’s because of the infrastructure bill. Because it’s been passed and signed, we know that grant funding for all manner of projects is being queued for planning and then distribution. State and local government will be contracting all sorts of companies to take on projects. Some of the small contactors are poorly protected from compromise of an e-mail account.

So, we have an easily predicted increase in likelihood of the threat hitting construction and other companies, which are unregulated for security unlike retail, finance, health, etc. We have local governments that are well-known to have been defrauded that will go into a frenzy of contracting just those types of businesses. Seems like we should probably raise a flag and talk about what kind of preparation we need.

Along with educating public employees on how to resist criminal engagement, for example always using contact information on original contracts and not in the signature block of e-mail, it’s instructive to review a page from the federal playbook on procurement. Contractors must demonstrate security controls to the satisfaction of the government, or no contract. And in fact, the original attempt at the CMMC program would prohibit contractors that did not meet an appropriate cyber maturity standard from even bidding on opportunities. That was a bit heavy handed, and the program was recently revised to lessen requirements for small contractors.

However, ensuring that contractors demonstrate minimum standards is no different than what every business is being required to do for cyber insurance coverage. Failure or inability to provide this demonstration may indeed indicate that the contractor carries no cyber insurance – not a good look. The requirement should come as no surprise, and size and scope of the contractor should be considered when making the document requests. For example, if the value of forecasted monthly payments are small and it’s a business with 5 employees, no need to see that ISO 27001 certification. A good scaling would be (from low to high): a) questionnaire to collect data that are relevant (in this example the contractor’s ability to maintain security of e-mail accounts); b) summary details of a recent assessment performed by a third party against a recognizable standard such as the NIST Cyber Security Framework; c) SOC-2 type 2 examination results.

During the procurement process in the public sector, contractors are now routinely evaluated through this type of attestation, although not universally. The procurements coming up to support infrastructure projects also provide an opportunity to also help educate contractors and other vendors on this specific and predictable threat to their businesses. Seeing the public and private sectors working together to minimize loss from the fraud that we know is coming would be a nice demonstration of collectively addressing this crime.