As an incident responder, I’ve seen many business email compromise (BEC) scenarios play out. According to a warning issued by the FBI, this type of fraud, which specifically targets companies that conduct wire transfers, is on the rise. Let’s walk through a common scenario where trusting an email can lead to a bad day.
The CEO is traveling, and she needs you to transfer some funds to a new business partner so she can seal a big deal. The request isn’t out of the ordinary. You’re the right person for the task and savvy enough to check that it’s coming from her legitimate email address. The salutation, signature block, and writing style all match. There’s even an inside joke about Nickelback in there.
What you don’t realize is that your boss opened an email about two weeks ago with a cryptic message about encryption issues and invalid certificates, which misled her into giving up her Office 365 account password to cyber criminals. They’ve been reading her old and incoming emails for weeks. They’ve studied her writing style, travel schedule, and how money moves around in your company.
At just the right moment, while she’s out of the office, they’ve sent a perfectly crafted message asking you to wire some money to a bank account they control. However, you don’t know that this email is coming from criminals and not your boss. The numbers add up, and the attached invoice looks fine. When you reply asking for clarification, they respond right away. The CEO is out of the loop. Your responses are being sent straight back to the attacker and then immediately deleted from her inbox.
In the most extreme cases, our team has seen these fraudulent conversations and requests continue for months before they’re detected. We’ve even seen instances where cyber criminals go so far as to coordinate with multiple employees to work out details like intra-fund transfers and waivers to forgo standard processes!
How to Recognize and Respond to BEC
BEC nearly always starts with someone giving up their password to a malicious actor. Typically, criminals target executives and anyone involved with transferring funds. There’s plenty of information out there already about protecting your password, having different passwords for every service (use a password manager), and how to spot a suspicious email trying to get your password (hint: it may even come from a trusted friend or colleague). I want to focus on preventing what comes next, once the email account has been compromised.
First, let’s look at detecting the initial logon of a compromised account. You can prevent this first logon by implementing multi-factor authentication (MFA). A recent Krebs on Security post explains the success Google has had in rolling out MFA and preventing phishing attacks from compromising their users’ accounts. But what if MFA fails and the threat actors gain access anyway?
Your next line of defense is to detect the first logon, which requires logging and monitoring the authentication requests to your email accounts. If you’re using Office 365, don’t assume auditing is enabled by default — check now!
Once logging is enabled, you can start monitoring for suspicious logons, such as users logging in from another country (pro tip: Nigeria is a top offender for BEC). If you can’t do this type of monitoring on your own, consider subscribing to a service that can, like Delta Risk’s ActiveEye Cloud. These services offer analytics to recognize abnormal logons based on IP address, source country, device profiles, and timing.
Let’s suppose all that has failed. The attacker has gained access and has gone undetected. What happens next? The next move is to create inbox rules to automatically delete received messages that may be fraud related. That normally means targeting messages with words like “wire transfer,” “payment,” and “invoice.” They may also delete messages from specific employees, like the CFO or the CEO’s administrative assistant. The purpose of these rules is to prevent the compromised user (e.g., CEO) from noticing the conversations happening behind their back.
But how is the criminal reading these messages if they’re being deleted? They generally have two workarounds. First, they can simply look for the messages in the Deleted Items folder. Sneaky. Another option is to set up a rule to forward all new emails to an email address controlled by the attacker. This has an added benefit of giving the attacker continued access, even if the compromised user changes his or her password.
We can detect these compromised accounts by monitoring for the creation of suspicious mailbox rules or email forwarding rules. For example, Office 365 has a built-in “Low Severity” policy to alert administrators of new forwarding rules. We can’t list them all here, but Microsoft provides a whole slew of tricks to recognize compromised accounts in their TechNet post.
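As an added example (not code from the original post), here is the kind of triage logic that turns the two tells described above, keyword-based delete rules and external forwarding rules, into alerts. It runs over constructed records in the shape of Office 365 unified audit log AuditData for inbox-rule events; the users, domains, addresses and IPs are made up, and the plain `user@domain` form of the ForwardTo value is an assumption.

```python
import json

# Constructed sample AuditData records (shape modelled on Search-UnifiedAuditLog output).
SAMPLE_AUDIT = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "ceo@example.com", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "Cleanup"},
                               {"Name": "SubjectContainsWords", "Value": "wire transfer;invoice;payment"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "ceo@example.com", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "Archive"},
                               {"Name": "ForwardTo", "Value": "attacker@external.example.net"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "cfo@example.com", "ClientIP": "198.51.100.4",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "FromAddressContainsWords", "Value": "news"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
]

INTERNAL_DOMAINS = {"example.com"}          # assumed: your own mail domains
FRAUD_WORDS = ("wire transfer", "payment", "invoice")
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")


def triage_rule(record):
    """Return the reasons an inbox-rule event looks like BEC tradecraft (empty list if benign)."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    reasons = []
    # Tell 1: mail forwarded or redirected to an address outside the organisation.
    for name in FORWARD_PARAMS:
        for addr in filter(None, (a.strip() for a in params.get(name, "").split(";"))):
            if addr.split("@")[-1].lower() not in INTERNAL_DOMAINS:
                reasons.append(f"{name} to external address {addr}")
    # Tell 2: messages matching money-related words are deleted before the owner sees them.
    words = []
    for name in KEYWORD_PARAMS:
        words += [w.strip().lower() for w in params.get(name, "").split(";") if w.strip()]
    hits = sorted({w for w in words if any(f in w for f in FRAUD_WORDS)})
    if hits and "DeleteMessage" in params:
        reasons.append(f"deletes messages matching {hits}")
    return reasons


def scan_audit_log(lines):
    """Parse one JSON AuditData record per line and return (user, client IP, reasons) alerts."""
    alerts = []
    for line in lines:
        record = json.loads(line)
        reasons = triage_rule(record)
        if reasons:
            alerts.append((record.get("UserId"), record.get("ClientIP"), reasons))
    return alerts
```

In practice the same two checks belong in a scheduled query against the audit log, so a rule created outside business hours is flagged before the first fraudulent reply goes out.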
Your last line of resistance against BEC is not relying on email for trusted transactions like wire transfers. Ensure your organization’s money-movers understand email is not a trusted form of communication. This includes anyone involved in coordinating or authorizing where and when funds go — think accountants, payroll, human resources, the CFO, CEO, and your bank.
Demand a second factor of communication, preferably face-to-face or a phone call. One of our customers discovered BEC fraud after an accountant called their CEO at a conference asking for the bank account’s time-based PIN code. The CEO was especially confused when the accountant asked why they were in such a hurry to get the transfer done that day!
- Use different passwords for different accounts and services.
- Implement multi-factor authentication for email accounts.
- Monitor for anomalous logons (e.g., country, IP address, device, and time-of-day).
- Disable or monitor email forwarding rules to external domains.
- Monitor accounts for new inbox rules, especially ones with words like “invoice,” “payment” and “wire transfer.”
- Don’t trust email for coordinating fund transfers. Pick up the phone or implement a more rigorous process.
As the FBI revealed in their public service announcement (PSA), the total losses from BEC incidents have reached over $12 billion globally in 2018. Businesses that handle a high volume of wire transfers through email need to reevaluate this process or quickly adopt some of the prevention, detection, and remediation steps we’ve recommended in this blog.
If you think you’ve been a victim of BEC, our incident response team is ready to help.