Business Email Compromise – Easy for Criminals – Easy To Stop
Before my current role with vBridge, I worked in an industry that was rife with business Email compromises. It was all too easy for the criminals to ply their trade successfully and make significant amounts of money as a result. Sadly, everyone had the tools and capability to stop this happening, but it still carries on.
So, what is a Business Email Compromise (BEC)?
In real simple terms, a user inadvertently gives the criminals access to their Email account through a simple compromise. The compromised account itself is not great, but the real damage comes from what the criminals can do with this access.
The compromise is a simple phishing or similar style of attack. An Email is sent with a link or attachment that, although would have red flags to the trained eye, is probably slick enough to fool your average information worker. The link or file will send you to what looks almost exactly like any normal Microsoft 365 Authentication or similar page. The user enters their credentials (Email address and current password) – and that’s it. The criminals now have access to that Email account as they now have the credentials.
How do the criminals use these compromised Email accounts?
There are many ways that the compromised account can be used. In the industry that I worked in (real estate), the most common attack was to monitor the Email account and look for Emails sent or received with invoices. A common tool used by criminals is to set up Email forwards on the Email account, so they got copies of all Emails without having to continually log on to the account. It also allows them to use automation tools to identify the types of Emails that they can use.
Once a suitable invoice was identified, the criminal sent an Email from the compromised Email account to a customer advising that the bank account number on the invoice was incorrect and that they should pay the money to this other account (the criminals). This worked and worked often – to the tune of millions of dollars per year.
If the criminals are not able to make money directly off the compromised account, they will use it as a base to launch more BEC attacks as the Email account is probably seen as trustworthy – and so the cycle continues.
So how do you protect against this?
It is a combination of technology, business process and of course training your people.
Technology
Setting up Multi Factor Authentication (MFA) is the easiest solution here, yes MFA can be compromised in certain circumstances, but you almost certainly eliminate the risk associated with users inadvertently giving away their credentials. These days MFA is so easy to implement, that there is really no reason to not have it in place.
Block Email forwards to Email accounts outside of your organisation. Whilst this does not stop a BEC, it certainly makes life harder for the criminals.
Remove legacy Email protocols that you do not need to use, or at least only allow them on specific accounts that need them. This is the likes of POP & IMAP etc.
Make use of the additional layers of security that your Email service likely has available. If you are using Microsoft 365 then you probably have more layers of protection available to you than you are currently using – and they are improving all the time.
Ensure you have good backups for your Email, again it will not stop the criminals, but it will help you in your recovery from an incident.
Business Process
Implement policies around your accounts payable and receivable teams. As an example, do not make changes to bank accounts that you pay in to without speaking to the supplier or customer in person and get actual confirmation of the account.
Ensure that your customers and suppliers know that bank account numbers will not change without an official notification.
Do not Email invoices from a standard user account – have dedicated accounts that are used for this and that are not logged in to by staff.
Training Your People
This is a big one. There is a plethora of great training services today to ensure that your staff are getting the appropriate amount of training and active testing. This does not need to be a cumbersome process. Here at vBridge we use KnowBe4, our team are all pretty sharp (as you would expect) at identifying threats – but we still value the ongoing training and ensuring that we are up to speed with emerging threats and compromises that involve human error.
A team that is well trained with good awareness is probably the best defense you can have – it will beat technology and business process every time.
And lastly, cyber insurance is great – and you should have this but be aware that not all policies are the same. Many will expect that you have good practices in place, and you may find that if you do not, you won’t get the payout you expect.
None of the things above will guarantee that you do not get compromised – but they will reduce the risk and make you less of a target, or at worst, reduce the impact of the inevitable.