Email-borne scams have existed for almost as long as email has existed. As organizations and security vendors move to protect against common variants of phishing attacks, cybercriminals always seem to stay one step ahead by adapting their techniques to bypass any security measures in place. The latest variant of email scams plaguing organizations hide their complex machinations under a veneer of simplicity. Let’s talk about Business Email Compromise (BEC).
BEC is a scam where financially motivated adversaries trick executives and employees into making payments to fraudulent accounts. Scammers accomplish this by using a variety of techniques such as impersonation, social engineering, and exploiting trusted relationships to trick users into parting with money or data. In 2019, the FBI Internet Crime Complaint Center (IC3) received over 23,000 complaints about BEC and Email Account Compromise (EAC) with adjusted losses of over $1.7 billion.
In this article, I will look at how a typical BEC attack works, highlight common techniques used by cybercriminals, and provide security hygiene tips that organizations and individuals can take to protect against these attacks.
A typical BEC attack
Since BEC attacks don’t need any advanced tooling or tradecraft to execute, they are present in many forms, with the level of sophistication depending on the motivation and ability of the adversary. Here’s how a standard BEC attack runs its course:
Research targets: BEC attacks are usually targeted at executives or employees authorized to make payments on behalf of their organizations. Attackers mine public data and perform reconnaissance to build a profile of their target organization and zero in on their victims, whether it’s a CEO or someone on the accounts payable team.
Set up the attack: Unlike mass phishing attacks that follow a ‘spray and pray’ approach, BEC attacks have a facade of believability about them. Adversaries prepare for the scam by performing activities such as setting up spoof/lookalike domains, impersonating known brands, or taking over a legitimate email account of the victim’s colleague or a known vendor.
Execute the attack: The actual BEC attack can be one email or an entire thread, depending on the thoroughness of the adversary. This email uses persuasion, urgency, and authority to gain the victim’s trust before requesting that payments be made to a fraudulent account.
Disseminate payments: Once the money is wired to the attacker, it is promptly transferred out and disseminated across multiple accounts to reduce the chances of traceability and retrieval. Response times are critical for most security incidents, and the same holds true for BEC attacks - if organizations are late to identify a BEC attack that has been successfully executed, it’s likely that the money isn’t coming back.
Tools of the trade
Since BEC relies heavily on social engineering, there is no highly technical tradecraft involved. The easily accessible and repeatable nature of these techniques only serve to make BEC more popular among attackers. I list some common techniques here:
Exploiting trusted relationships: In order to get victims to take quick action on the email, attackers make a concerted effort to exploit an existing trusted relationship. This can take many forms such as a CEO requesting iTunes gift cards, a vendor requesting invoice payments, or an employee sharing new direct deposit details for payroll purposes.
Replicating existing workflows: An organization and its employees go through an endless number of business workflows every day. These workflows often rely on automation, and the more times employees are exposed to them, the quicker they execute on these workflows from muscle memory. BEC attacks try to replicate these workflows to get victims to act before they think. Compromised workflows include password reset emails, emails pretending to share online files and spreadsheets, and emails from apps asking users to grant them fraudulent access.
Fake attachments: Attachments in email attacks are often associated with malware, but attachments used in BEC attacks forego malware in exchange for fake invoices and other social engineering tactics that add to the legitimacy of the conversation. These attachments are lures rather than the final payload.
Socially engineered subject lines and content: BEC emails often use subject lines that convey a sense of urgency or familiarity, and aim to induce quick action. Common terms used in subject lines include ‘Request’, ‘Overdue’, ‘Hello FirstName’, ‘Payments’, ‘Immediate Action’ etc. The email content follows along the same vein of trickery, with content that pulls strings to make specific requests. Instead of using phishing links, BEC attacks use language as the payload.
Leveraging free software: Attackers make use of freely available software both to lend BEC scams an air of legitimacy and to help emails bypass security technologies that block known bad links and domains. SendGrid is used to create spoofed email addresses. Google Sites is used to stand up phishing pages. Google Forms and Docs are used to extract sensitive information from victims. Box and Google Drive are used to host 0-day phishing links and fake invoices.
Tips to stem the BEC tide
Here are some tips and best practices organizations can follow to contain the frequency and impact of BEC attacks.
Enable MFA on your accounts and workflows
Enabling multi-factor authentication (MFA) will greatly reduce the likelihood of accounts being compromised and used to cause further damage. At the very least, organizations should ensure that VIPs, employees with the authority to initiate payments, and administrator accounts have MFA enabled.
In the age of remote work, it’s also important to create your own means of authentication when none exist. If you get a suspicious email from a known vendor asking for an invoice to be urgently fulfilled, text or call the vendor to confirm that they sent the email. A few extra seconds of caution here can help avoid lots of strife later on.
Don’t rely solely on native email security
A remote human perimeter has accelerated the adoption of cloud email by organizations, enabling them to simplify email delivery and reduce reliance on Secure Email Gateways (SEG). Office 365 and G Suite have improved their native email offerings in recent years, providing good anti-spam and anti-malware protection. However, native security from cloud email providers should form the base - and not the entirety - of your email security stack.
Conduct a thorough audit of your native email security capabilities to find out what you’ve already invested in. Microsoft recently launched an Office 365 Configuration Analyzer service free of charge, which will recommend the right configurations for native O365 email security policies, helping override rules and policies that give organizations lower protection. Once you’re clear what your native email security can and cannot do, make a plan for augmenting these built-in capabilities with security layers that are purpose-built to stop BEC attacks.
When reading emails, be skeptical by default
This advice is much easier said than done. As covered in this article already, BEC attacks do whatever they can to get victims to act before they think, relying on them being too busy (which they probably are) to engage with the email rationally. Reading every email rationally is an onerous burden to place upon employees, but there needs to be some starting point.
Be skeptical of deadlines given at short notice in emails that involve the transfer of money or sensitive information. Be wary of unusual purchase requests, even if they come from people and entities you trust (e.g. iTunes gift cards). Payroll teams should keep an extra careful eye on emails from employees sharing new direct deposit details. Accounts payable teams should have additional lines of authentication in place whenever vendors share new banking details for invoice fulfillment.
The surface-level simplicity and ‘anyone can do it’ nature of BEC attacks mean that they are here to stay. Organizations and employees need to evolve their mindset, processes, and security technologies to keep abreast of the BEC threat.
Arjun Sambamoorthy, Co-founder and Head of Engineering, Armorblox