Business Email Compromise and the Importance of Being Earnest

By Justin Silbert.

Business Email Compromise (BEC), along with all cyber crime, is continuing to thrive.  The FBI is now estimating that the cost of BEC has reached $12 billion since October 2013 and the losses continue to grow.  When talking about financial cyber crimes, BEC is one of the simplest and most effective scams.  Simply put, BEC is an attack method wherein attackers utilize hacked or spoofed email accounts to trick people into sending them money.  Instead of stealing data and then selling it on the dark web, attackers are streamlining the process and convincing the victims to wire them money directly.

In many cases of BEC, the attackers impersonate the CEO or CFO of a company and request that the Controller or accountant wire money to a third party.  Sometimes the emails are spoofed, but other times the emails may actually be coming from the executive's real mailbox, in which case the employee has little reason to be suspicious.  Other times, the attacker may impersonate a vendor or other partner, requesting money for an unpaid invoice. A growing target for BEC is real estate transactions. Buyers of a home can easily be tricked into sending their down payment to the wrong escrow account through a well-executed email or phone call.  The email or phone call will always seem legitimate, but once the money is gone, it is not easy to retrieve. In addition to the buyers, all parties to the transaction are being targeted. The implications are scary: if the attackers can hijack a title company's email, all of its clients are at risk.

The targets are not limited to a specific industry or subset.  Many times, attackers will indiscriminately target thousands of email addresses and then focus on those that got hooked.  Then it's a matter of figuring out how to manipulate them into transferring money.
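The impersonation patterns described above (a display name borrowed from an executive, a lookalike or foreign sender domain, replies quietly diverted elsewhere, and a payment request wrapped in urgency) are all things a mail gateway or a SOC triage script can score before a human ever reads the message. The following is an added example, not code from the original post or from LEO Cyber Security: a small Python screen over constructed sample messages. The company domain, the executive directory, the keyword lists and the score weights are all assumptions chosen for the example. It also covers the case the post warns about, a request sent from the executive's genuine mailbox, which the header checks cannot catch; the content check still marks it as a payment request so that it is verified out of band regardless.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# All names, domains, messages and weights below are constructed for this example.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {  # assumed directory: normalised display name -> real mailbox
    "jane doe": "jane.doe@example.com",
    "bob smith": "bob.smith@example.com",
}
PAYMENT_RE = re.compile(r"\b(wire|bank details|account number|invoice|escrow|payment)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|urgently|immediately|asap|confidential|today)\b", re.I)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _levenshtein(a, b):
    """Plain edit distance, used to spot one- or two-character domain tricks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain, company=COMPANY_DOMAIN):
    """Not the company's domain, but its first label is within two edits of
    (or contains) the company's first label: examp1e.com, example-corp.net, ..."""
    if not domain or domain == company:
        return False
    base, label = company.split(".")[0], domain.split(".")[0]
    return _levenshtein(label, base) <= 2 or base in label


def screen_message(raw):
    """Score one RFC 822 message. 'likely_spoof' is driven by header indicators;
    'payment_request' is set whenever money is asked for, even from a genuine
    mailbox, because that is the request that must be verified by phone."""
    msg = message_from_string(raw, policy=default)
    display, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    part = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (part.get_content() if part else "")
    score, reasons = 0, []

    # Display name matches an executive, but the address is not that executive's mailbox.
    name = " ".join(re.sub(r"[^a-z ]", "", display.lower()).split())
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        score += 3
        reasons.append(f"display name '{display}' is an executive but sender is {addr}")
    # Reply-To pointing at another domain diverts the conversation to the attacker.
    if reply_to and _domain(reply_to) != _domain(addr):
        score += 2
        reasons.append(f"replies diverted to {reply_to}")
    if is_lookalike_domain(_domain(addr)):
        score += 2
        reasons.append(f"lookalike sender domain {_domain(addr)}")
    payment = bool(PAYMENT_RE.search(text))
    if payment:
        score += 1
        reasons.append("requests a payment or banking change")
    if URGENCY_RE.search(text):
        score += 1
        reasons.append("urgency or secrecy language")
    return {"score": score, "reasons": reasons,
            "payment_request": payment, "likely_spoof": score >= 3}


# Constructed samples: lookalike domain, diverted Reply-To, genuine mailbox, benign.
SAMPLE_SPOOF = """From: Jane Doe <jane.doe@examp1e.com>
To: controller@example.com
Subject: Urgent wire transfer

Please wire $48,000 to the vendor account below today and keep this confidential.
"""
SAMPLE_REPLYTO = """From: Bob Smith <bob.smith@example.com>
Reply-To: bob.smith@mail-example-corp.net
To: controller@example.com
Subject: Invoice payment

Can you process the attached invoice immediately? I am in meetings all day.
"""
SAMPLE_REAL = """From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Vendor payment

Can you process the attached invoice and wire the payment this afternoon?
"""
SAMPLE_BENIGN = """From: Alice Jones <alice@partner.net>
To: controller@example.com
Subject: Lunch next week

Are you free on Tuesday?
"""

if __name__ == "__main__":
    for label, raw in [("spoof", SAMPLE_SPOOF), ("reply-to", SAMPLE_REPLYTO),
                       ("real mailbox", SAMPLE_REAL), ("benign", SAMPLE_BENIGN)]:
        print(label, screen_message(raw))
```

The third sample is the important one: nothing in its headers is wrong, so the header score stays low, yet it still comes back with `payment_request` set. That is the case where only the callback to a known-good number, not any filter, tells you whether the executive really sent it.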

Image attributed to FBI.gov

While the threats are growing, general awareness is getting better too.  We are improving our ability to detect scams, and yet, the cost continues to grow.  We need to continue user training to be earnest and circumspect at all times. But there are also a few other things we can do to combat the threat.

First, ensure that all your users are using two-factor authentication for remote or cloud logins, especially to email.  This is a very effective security control, as it ensures that the only person able to log in is the one who possesses the specific phone or token.

Second, if something seems questionable in the least bit, always verify through other means.  If you receive an email requesting wire transfer, pick up the phone and call the sender. If you receive a phone call, verify in person or through email.  The same applies to phishing emails. Don’t click the link. Instead, open up a new browser session and manually type the website URL.

Third, be sure to foster awareness among all stakeholders with notification and response procedures.  Whether internal staff, Board of Directors, third-party partners, or customers, everyone has a part to play in preventing cyber threats.  Warn your stakeholders of the risk and provide organizational procedures. For example, when I purchased my house, the title company sent me a letter explicitly stating that I should verify with them directly if I received any contact about a change of account.

While much of the above is foundational and not-so-new advice, it is more relevant than ever.  The attackers continue to be successful in the face of our defenses. We need to implement the fundamentals so that we can build more mature defenses on top of them.

Overall, the best defense against BEC and other attacks is a comprehensive cyber security program.  Ensure that you have an experienced and qualified security leader working toward protecting the organization.  Contact LEO Cyber Security to talk about our Virtual CISO service for combating BEC and other threats.

Justin Silbert brings a wealth of knowledge and experience from the DoD and the civilian world. As CISO of what is now the Walter Reed National Military Medical Center, he managed cyber security as the hospital transitioned into the nation's most important Joint Military Medical Facility. His expertise focuses on applying sound security practices across a spectrum of systems and environments, from certified medical devices to shared research systems. Through his work, his goal is to improve the health of organizational leaders by providing a cyber security program that allows them to sleep better and worry less.