Threat Intelligence: Business Email Compromise Attacks

written by

Alec Simpson

March 19, 2021

With the onslaught of spam and phishing emails impacting businesses globally, some hackers and fraud actors have started to employ subtler techniques to ensnare their victims.

Many employees know to be cautious of strange emails from unknown sources. And they know to be skeptical of attachments. But what about emails that look like they are sent from within your business network? Perhaps an urgent request from a colleague out in the field or at another office. Maybe the email domain matches your organization’s, but you don’t know the sender. Or maybe the malicious actors are pretending to be a vendor or third-party supplier seeking payment for a past due invoice. Or even a high-level executive asking you to release client information or approve a payment. These are just a few common scenarios for the Business Email Compromise (BEC) scam.

When the criminals have taken over a real mailbox, they are already inside your business ecosystem: they may have read your email traffic to refine their schemes, and they may have access to your company letterhead, standard processes, the rhythm of the business, and other privileged information.

This can make it exceedingly difficult for employees, particularly with so many now working from home, to tell these risky requests apart from routine ones. So it is more important than ever to educate employees and put processes in place to protect against this growing threat.

What is Business Email Compromise?

Business Email Compromise, often grouped with Email Account Compromise (EAC) under the label BEC/EAC, is a type of scam that combines social engineering, email fraud and, in some cases, malware to attack organizations. Any company or organization that conducts business online could be impacted. However, BEC scams commonly target those that pay by wire transfer and have suppliers abroad. In these cases, the email accounts of executives or high-level employees, typically those in finance or involved in approving wire payments, are either spoofed or actually compromised, and are then used to request fraudulent transfers, often resulting in hundreds of thousands of dollars in losses.

Scammers are quick to evolve and take advantage of shifting behavior, so it was no surprise when they exploited the Covid-19 pandemic by launching attacks against employees working from home. Authorities have also warned of BEC tactics intended to divert payroll funds. In these cases, the scammers impersonate employees and ask HR representatives to update their direct deposit information to accounts the scammers control.

These types of attacks have been a growing concern in recent years with evidence pointing to alarming trends as more business activities move online.

The Stats

According to the FBI's 2019 Internet Crime Report, BEC scams were the most damaging type of cybercrime reported by businesses in 2019: 23,775 BEC/EAC complaints accounted for almost $1.8 billion in reported losses, an average of roughly $75,000 per complaint. For comparison, phishing complaints averaged about $500 and ransomware complaints about $4,400 in reported losses per victim. Note that these are reported, direct losses only; the ransomware figure in particular excludes downtime, remediation costs and unreported incidents, so the real gap is narrower than the averages suggest.

Increased Risk

Worse yet, some victims are hit several times, with other types of cybercrime carried out as part of, or during, a BEC incident, so that a successful compromise leads to further monetary losses and exposure. Because these scams often carry no malicious link or attachment, they evade filters that key on signatures, URLs and attachments; the only payload is a plausible request from someone the recipient trusts.

Employee training and awareness can help enterprises spot this type of scam while experienced professional service providers can provide detailed analysis on those impacted.

BEC Protection Measures

There are, however, some actions that companies can take immediately to reduce their exposure to these growing threats. The most important is to educate employees, partners and suppliers on your business practices and standard procedures, and to put proper controls on payment accounts and invoice authorizations: for example, verify any change to a supplier's bank details by phone using a number already on file (never one in the email), and require a second approver for wires above a set threshold. Controls like these stop a bad actor masquerading as a manager or executive from turning a single email into a payment.

Furthermore, many business email providers offer specialized tools and threat protections that reduce exposure to BEC scammers. These technologies analyze email headers (including the SPF, DKIM and DMARC authentication results), anomalous email traffic, and mailbox forwarding rules, both to catch spoofed mail at the gateway and to detect accounts that have already been compromised.
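As an added illustration (not code from the original article or from any email provider's product), the following Python script applies the header checks described above to a raw message: it reads the SPF, DKIM and DMARC verdicts from the Authentication-Results header, compares the From, Reply-To and Return-Path domains, flags a protected display name that arrives from an external address, and scores lookalike domains against the organisation's own. The domain example.com, the protected names, the similarity threshold and the three sample messages are all constructed for this example.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Hypothetical organisation settings for this example.
INTERNAL_DOMAIN = "example.com"
# Display names attackers borrow most often (executives, finance staff);
# constructed list, in practice built from the directory.
PROTECTED_NAMES = {"jane doe", "john smith"}
# Similarity at or above which a domain counts as a lookalike of ours.
LOOKALIKE_THRESHOLD = 0.8


def domain_of(header_value: str) -> str:
    """Lowercase domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> Dict[str, str]:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def is_lookalike(domain: str, legit: str = INTERNAL_DOMAIN) -> bool:
    """True for a domain close to, but not equal to, the legitimate one."""
    if not domain or domain == legit:
        return False
    return difflib.SequenceMatcher(None, domain, legit).ratio() >= LOOKALIKE_THRESHOLD


def triage(raw_message: str) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs; an empty list means nothing stood out."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    return_dom = domain_of(msg.get("Return-Path", ""))

    # 1. Authentication verdicts: anything but 'pass' on mail that claims
    #    to come from a colleague deserves a look.
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(method, "none")
        if verdict != "pass":
            findings.append((method, verdict))
    # 2. Reply-To on another domain: the From line looks right, but the
    #    reply (and the payment details) go to the attacker.
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"{reply_dom} != {from_dom}"))
    # 3. Return-Path on another domain: weak alone (bulk mailers do this),
    #    strong together with a failed SPF check.
    if return_dom and return_dom != from_dom:
        findings.append(("return-path-mismatch", f"{return_dom} != {from_dom}"))
    # 4. A protected person's display name on an external address.
    if display_name.strip().lower() in PROTECTED_NAMES and from_dom != INTERNAL_DOMAIN:
        findings.append(("display-name-impersonation", f"{display_name} via {from_dom}"))
    # 5. A registered lookalike of our own domain in From or Reply-To.
    for dom in (from_dom, reply_dom):
        if is_lookalike(dom):
            findings.append(("lookalike-domain", dom))
            break
    return findings


# Constructed sample messages (not real traffic); .test is a reserved TLD.
SPOOFED = """\
Return-Path: <bounce@mailer-srv.test>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-srv.test; dkim=none; dmarc=fail header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
Reply-To: <jane.doe.ceo@free-mail.test>
Subject: Urgent wire - confidential

Please process the attached wire today and keep this between us.
"""

LOOKALIKE = """\
Return-Path: <jane.doe@examp1e.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com
From: "Jane Doe" <jane.doe@examp1e.com>
Subject: Re: Updated bank details for vendor payment

Our remittance account has changed, please use the new details below.
"""

BENIGN = """\
Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
Subject: Q2 budget review

See you at 3pm.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("benign", BENIGN)):
        print(label, triage(sample) or "clean")
```

Two things the samples make visible: the lookalike message passes SPF, DKIM and DMARC cleanly because the attacker controls the registered domain examp1e.com, so authentication results alone do not catch it; and a Return-Path on another domain is routine for legitimate bulk mailers, so it is reported as a weak signal to be read together with the SPF verdict rather than acted on by itself.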

Properly configured business email accounts, with strong unique passwords, multi-factor authentication and managed endpoints, make it far more difficult for bad actors to take over a mailbox in the first place.

Threat Hunting

Some businesses may find it necessary to employ proactive threat hunting or threat intelligence gathering to properly secure business networks and devices. Sophisticated threat actors are constantly probing for weaknesses in businesses. So it stands to reason that businesses should remain vigilant as well.

Threat hunting involves scanning device endpoints, gathering open-source intelligence (OSINT), and conducting digital forensics and incident response on any attempted or successful breaches. 

Device Scans

Scanning employee devices and critical business infrastructure is essential when gathering threat intelligence across your business ecosystem. Treat every device as a potential means of attack, and minimize exposure with robust cybersecurity policies throughout the organization. To stay compliant with applicable standards, companies may also need to reconsider how sensitive data, such as credit card information or medical records, is handled.

Information from device scans, as well as paid and open-source online threat databases, will provide a basis for threat hunting teams to identify potential threats to network and data security.

Intelligence Gathering

Open-source intelligence gathering relies on publicly available information and, if automated, can provide a constant stream of valuable data. Meanwhile, any attempted or successful email breach should be investigated fully: a digital forensics and incident response (DFIR) specialist can identify the relevant indicators and the scope of impact, which helps to mitigate the damage and prevent further incidents.
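Inbox rules are among the first artifacts to pull when a mailbox is suspected of compromise: attackers add rules that forward finance-related threads to an external address and delete or hide the replies, so the real owner never sees the conversation being held in their name. The following added example (not code from the article or from any mail platform) audits a list of rules exported in a simplified format that is assumed for illustration; the field names, the domain example.com, the keyword and folder lists and the four sample rules are all constructed.

```python
from typing import Dict, List, Tuple

# Hypothetical organisation domain for this example.
INTERNAL_DOMAIN = "example.com"
# Subject words attackers filter on so the victim never sees the thread.
FINANCE_KEYWORDS = ("invoice", "payment", "wire", "bank", "remittance", "password")
# Folders rules use to park mail where the user will not look.
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "junk", "deleted items",
                  "archive", "conversation history")


def is_external(address: str) -> bool:
    """True if the address is outside the organisation's own domain."""
    return address.rpartition("@")[2].lower() != INTERNAL_DOMAIN


def audit_rule(rule: Dict) -> List[str]:
    """Return the suspicious traits of one inbox rule (empty list = nothing)."""
    traits = []
    targets = list(rule.get("forward_to", [])) + list(rule.get("redirect_to", []))
    external = [a for a in targets if is_external(a)]
    if external:
        traits.append("forwards-externally:" + ",".join(external))
    subject_terms = " ".join(rule.get("subject_contains", [])).lower()
    if any(word in subject_terms for word in FINANCE_KEYWORDS):
        traits.append("filters-finance-keywords")
    if rule.get("delete_message"):
        traits.append("deletes-message")
    folder = rule.get("move_to_folder", "")
    if folder.lower() in HIDING_FOLDERS:
        traits.append("hides-in-folder:" + folder)
    if rule.get("mark_as_read"):
        traits.append("marks-read")
    # One-character or punctuation-only names ('.', '..', 'a') are a known tell.
    if len(rule.get("name", "").strip(" .-_")) <= 1:
        traits.append("suspicious-name")
    return traits


def audit_mailbox(rules: List[Dict]) -> List[Tuple[str, List[str]]]:
    """(rule name, traits) for every rule with at least one suspicious trait.
    Disabled rules are kept: a rule the attacker created and later switched
    off is still evidence of access."""
    report = []
    for rule in rules:
        traits = audit_rule(rule)
        if traits:
            if not rule.get("enabled", True):
                traits.append("currently-disabled")
            report.append((rule.get("name", "<unnamed>"), traits))
    return report


# Constructed rule export for one mailbox (field names are an assumption).
SAMPLE_RULES = [
    {"name": "Newsletter filing", "enabled": True,
     "subject_contains": ["newsletter"], "move_to_folder": "Newsletters"},
    {"name": ".", "enabled": True,
     "subject_contains": ["invoice", "payment"],
     "forward_to": ["finance.backup@mailbox-drop.test"], "delete_message": True},
    {"name": "Out of office archive", "enabled": False,
     "subject_contains": ["wire"], "move_to_folder": "RSS Feeds", "mark_as_read": True},
    {"name": "Copy to manager", "enabled": True,
     "forward_to": ["manager@example.com"]},
]

if __name__ == "__main__":
    for name, traits in audit_mailbox(SAMPLE_RULES):
        print(f"{name!r}: {', '.join(traits)}")
```

The internal forward to a manager is left alone on purpose: the signal is not forwarding as such but forwarding outside the organisation, or rules that filter on money words and then make the mail disappear. In a real investigation the rule's creation time and the client or IP that created it are the next identifiers to pull, since they date the compromise and help scope which other mailboxes the same actor touched.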

Online threat actors consistently change up their methods of operation in an effort to throw off defenders. This makes threat hunting feel like a game of whack-a-mole. However, there are a few steps that can be taken in order to best protect against these threats.

Best Practices

Implementing the following best practices will help to better guard against these threats and protect business email systems:

  • Create an OSINT gathering process that focuses on specific attributes, such as compromised employee email accounts or malware indicators of compromise (IOCs).
  • Set up a secure platform for data collection that meets the organization's internal and data-security standards.
  • Document OSINT data, then analyze relationships using a data visualization or link analysis application.
  • Scrape public websites and social media for metadata that matches the chosen OSINT attributes.
  • Monitor dark web sources for data related to your brand or customers.
  • Develop mitigation and remediation processes for impacted business systems or customers.

Incident Response

The next step is to put robust incident response processes in place. Here are a few recommendations:

  • Develop an incident response policy and plan to rapidly respond to cyber incidents.
  • Create standard, centralized procedures for incident handling and reporting to relevant parties.
  • Use automation and templates to gather incident information quickly and respond effectively.
  • Build capacity with team training and upskilling where necessary to close readiness gaps.

Armed with robust threat intelligence, digital investigators can follow industry standard recommendations to analyze and learn from collected data. This can help optimize email security settings and block lists to minimize risks in the future. 


Protecting business email and critical systems can feel like a daunting task. However, with proper planning and preparation it doesn’t have to be. Although BEC scams are on the rise, there are many experts and specialized tools available to proactively identify threats and secure systems from compromise.

It’s vital that companies take the necessary steps to prepare and remain vigilant in an increasingly digital-focused business ecosystem.


    Alec Simpson

    Alec Simpson is a trained risk management professional with a keen interest in keeping markets safe and secure for consumers. After earning a degree in Economics, he gathered experience working in the banking & insurance industries before joining the brand protection team at IP Services. Local legends say he is a foosball wizard.