A Recipe for Exploitation
While email compromise is nothing new, the pace and complexity of attacks have increased sharply in recent years. Criminal profiteers have capitalized on the remote and hybrid work arrangements many businesses adopted, and have realized that payment fraud can be run at scale and is highly lucrative. Remote and hybrid work have enlarged many organizations' attack surface because the face-to-face and one-to-one contact that once let a colleague sanity-check an odd request has decreased. This combination has made business email systems a desirable target for threat actors.
From 2017 to 2021, FBI Internet Crime Complaint Center (IC3) data recorded almost 3 million complaints and $18.7 billion in reported business losses, $6.9 billion of it in 2021 alone, and the totals have risen year over year for the past decade. Business Email Compromise (BEC) sits at the top of the list of crime types by losses, at nearly $2.4 billion in 2021. The term is sometimes used loosely to cover any email-borne attack (malicious attachments, Exchange server exploits), but the BEC behind these losses is account takeover followed by social engineering to redirect payments, and businesses must defend against that specifically. Strong preventative technical controls and employee awareness remain the best defenses.
The Anatomy of an Attack
There are notable exceptions, but the majority of BEC activity is run by criminal profiteers whose goal is to steal money through fraudulent payment schemes, most often counterfeit vendor payments pushed through accounts payable or other finance-department fraud. They typically follow the same general timeline and approach. After identifying an accounts-payable target and an authority figure (usually the CEO or CFO) within a company, they take over the authority's email account by exploiting weak or missing authentication controls: guessable or reused passwords, accounts with no multi-factor authentication (MFA), or MFA defeated through phishing or repeated push prompts. From inside the real mailbox they groom the target with emails and/or telephone calls that look like a legitimate business transaction, often by replying within an existing thread so that nothing about the sender or the tone looks out of place. Once the victim is convinced the transaction is genuine, wiring instructions are sent for funds to go to a bank account the criminal controls. The remote and hybrid work environment accelerated by the pandemic has made this scenario even easier: victims generally trust that their business email correspondence is protected and secure, and the checks and balances once provided by in-office interaction have been greatly diminished.
Strengthen Identity Management
Even with growing awareness of the rise in cyber-attacks and the potential for enormous financial loss, many organizations are not using technology they already own to prevent account takeover or to detect it quickly. Microsoft noted in December 2021 that just 22% of its customers using its cloud-based identity platform, Azure Active Directory (AAD), had implemented strong authentication controls such as MFA. The single technical control with the best return is enforcing MFA for every account, with no exceptions for executives, whose accounts are the ones most worth stealing. A plain approve/deny push prompt is no longer sufficient, because an attacker holding a stolen password simply sends prompts until a tired user taps Approve; require number matching and show the sign-in location and requesting application in the prompt so the user has to read it before approving. Additionally, legacy (Basic) authentication protocols for Exchange, such as IMAP, POP3, SMTP AUTH and Basic-auth ActiveSync, bypass MFA entirely and should be permanently disabled (Microsoft itself began disabling Basic authentication in Exchange Online tenants in October 2022). Password policy should be enforced as well: long, unique passwords screened against known-breached lists, with an immediate forced reset on any sign of compromise. Note that current NIST guidance (SP 800-63B) no longer recommends routine password expiration, since it pushes users toward predictable variations of the old password.
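The controls above, as an added PowerShell example that is not part of the original article: it measures remaining legacy-protocol sign-ins, blocks Basic authentication in Exchange Online and legacy clients through an Azure AD Conditional Access policy, and turns on number matching with location and app context for Microsoft Authenticator. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the operator holds Global Administrator (or equivalent) rights; the policy names and the 30-day lookback window are placeholders.

```powershell
# Added example, not from the original article. Assumes the ExchangeOnlineManagement
# and Microsoft.Graph modules and Global Administrator (or equivalent) rights.
# Policy names and the 30-day lookback window are placeholders.

Connect-ExchangeOnline
Connect-MgGraph -Scopes "AuditLog.Read.All",
                        "Policy.ReadWrite.ConditionalAccess",
                        "Policy.ReadWrite.AuthenticationMethod"

# 1. Measure before you enforce. Any sign-in whose client type is not one of the two
#    modern-auth categories (i.e. IMAP4, POP3, SMTP, Exchange ActiveSync, "Other
#    clients") is Basic-auth traffic that stops working once legacy auth is blocked,
#    so find the owners (scanners, scripts, old phones) first.
$modernClients = @("Browser", "Mobile Apps and Desktop clients")
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin $modernClients } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Exchange Online: a new authentication policy blocks Basic auth for every
#    protocol by default. Making it the tenant default covers every mailbox that has
#    no explicit policy, including mailboxes created later.
New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# 3. Azure AD Conditional Access: block legacy clients for all users and all apps.
#    Legacy clients cannot perform MFA, so a password alone would otherwise still
#    open the mailbox. Start in report-only mode, confirm the impact in the sign-in
#    log, then change State to "enabled".
$blockLegacy = @{
    DisplayName   = "Block legacy authentication"
    State         = "enabledForReportingButNotEnforced"
    Conditions    = @{
        ClientAppTypes = @("exchangeActiveSync", "other")
        Applications   = @{ IncludeApplications = @("All") }
        Users          = @{ IncludeUsers = @("All") }
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# 4. Microsoft Authenticator: require number matching and show the sign-in location
#    and requesting application on every push, so a prompt the user did not start
#    cannot be approved by reflex (the behaviour push-fatigue attacks rely on).
$allUsers   = @{ targetType = "group"; id = "all_users" }
$nobody     = @{ targetType = "group"; id = "00000000-0000-0000-0000-000000000000" }
$authConfig = @{
    "@odata.type"   = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    featureSettings = @{
        numberMatchingRequiredState             = @{ state = "enabled"; includeTarget = $allUsers; excludeTarget = $nobody }
        displayLocationInformationRequiredState = @{ state = "enabled"; includeTarget = $allUsers; excludeTarget = $nobody }
        displayAppInformationRequiredState      = @{ state = "enabled"; includeTarget = $allUsers; excludeTarget = $nobody }
    }
}
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator" `
    -Body ($authConfig | ConvertTo-Json -Depth 6) -ContentType "application/json"
```

Run step 1 and review the owners of each legacy sign-in before steps 2 and 3, or printers and integration scripts will stop sending mail with no warning. Since May 2023 Microsoft enforces number matching for all Authenticator push notifications, so step 4 mainly adds the location and application context.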
Harden Payment Approval Processes
Requiring approval from more than one employee, and limiting the number of employees who are authorized to initiate and approve transactions, limits the impact of a BEC. When the accounts payable person can no longer stick their head into the CFO's office to confirm an odd transaction, or the CFO is on vacation (which the threat actors know about because they also have calendar access), a multi-employee approval process is an essential control, as is out-of-band verification of any change to a vendor's payment details using a phone number already on file rather than one supplied in the email.
Configure Email Defenses
Modern email platforms ship with defaults that need hardening. Businesses should understand their inbound mail flow and enforce strong technical controls, starting with a comprehensive review of delegation and mailbox permissions (who can read, send as, or send on behalf of whom). If a third-party gateway filters inbound mail, the tenant should accept internet mail only from that gateway's addresses; otherwise an attacker who looks up the tenant's own MX hostname can deliver directly and bypass the gateway entirely. Limit what the platform reveals about valid usernames, and disable or restrict Exchange Web Services (EWS), which is rarely needed by end users but is the protocol attackers use to pull down an entire mailbox. Inbound content controls include rigorous filtering of attachments and URLs, and blocking macro-enabled documents and spreadsheets. IT departments should take heed of these recommendations and make protecting their business email systems a priority.
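The hardening steps above, as an added PowerShell example that is not part of the original article: it restricts inbound internet mail to the filtering gateway, lists and disables unneeded client protocols, reviews mailbox delegation, and extends the attachment block list. It assumes the ExchangeOnlineManagement module and Exchange Administrator rights; the gateway IP ranges (RFC 5737 test addresses), the "contoso" mailbox and the connector name are placeholders.

```powershell
# Added example, not from the original article. Assumes the ExchangeOnlineManagement
# module and Exchange Administrator rights. Gateway IP ranges (RFC 5737 test
# addresses), the connector name and the "contoso" mailbox are placeholders.

Connect-ExchangeOnline

# 1. Close the MX gateway bypass. Every tenant has a direct MX host of the form
#    <domain>-com.mail.protection.outlook.com; unless inbound mail is restricted to
#    the gateway's addresses, anyone can deliver to that host and skip the gateway's
#    filtering. RestrictDomainsToIPAddresses rejects mail for all sender domains (*)
#    that does not arrive from the listed IPs; EFSkipLastIP makes Exchange Online
#    evaluate the hop before the gateway for SPF and spam scoring.
$gatewayIPs = @("203.0.113.0/24", "198.51.100.10")
New-InboundConnector -Name "Inbound only from mail gateway" `
    -ConnectorType Partner -SenderDomains "*" `
    -SenderIPAddresses $gatewayIPs -RestrictDomainsToIPAddresses $true `
    -RequireTls $true -EFSkipLastIP $true

# 2. Client protocols: list mailboxes that still have EWS, IMAP or POP turned on, then
#    turn them off where there is no documented need (a null EwsEnabled means the
#    mailbox inherits the tenant setting, so it is listed too).
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.EwsEnabled -ne $false -or $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object Identity, EwsEnabled, ImapEnabled, PopEnabled, ActiveSyncEnabled
Set-CASMailbox -Identity "cfo@contoso.com" -EwsEnabled $false -ImapEnabled $false -PopEnabled $false

# 3. Delegation review: who holds Full Access, Send As or Send on Behalf for someone
#    else's mailbox? Attackers grant themselves these rights to keep reading mail after
#    a password change; every entry should match a current, approved delegate list.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes | Get-MailboxPermission |
    Where-Object { $_.User -notlike "NT AUTHORITY\SELF" -and -not $_.IsInherited -and
                   $_.AccessRights -contains "FullAccess" } |
    Select-Object Identity, User, AccessRights
Get-RecipientPermission -ResultSize Unlimited |
    Where-Object { $_.Trustee -notlike "NT AUTHORITY\SELF" } |
    Select-Object Identity, Trustee, AccessRights
$mailboxes | Where-Object { $_.GrantSendOnBehalfTo } |
    Select-Object UserPrincipalName, GrantSendOnBehalfTo

# 4. Inbound content: add macro-enabled Office formats, and the container formats used
#    to carry them past mark-of-the-web, to the default malware filter's block list.
$blocked = @((Get-MalwareFilterPolicy -Identity Default).FileTypes) +
           @("docm", "xlsm", "pptm", "xlam", "iso", "img", "vhd", "lnk")
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true `
    -FileTypes ($blocked | Select-Object -Unique)
```

Test step 1 by sending a message straight to the tenant's mail.protection.outlook.com host from outside; it should be rejected. Keep the gateway IP list in sync with the vendor's published ranges, since a stale entry silently drops legitimate mail.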
Check for Symptoms Through Employee Awareness and Training
Your employees should be instructed to watch for symptoms of an attack; every employee can function as a security officer if trained properly. Traditional awareness programs fall short here because the fraudulent content is highly relevant to the recipient's actual work and the usual cues (bad grammar, an unfamiliar sender) may be absent. Businesses should teach employees that phishing emails are no longer easy to spot and that any suspicious activity deserves an analytical look. Activities to watch for include missing email messages, emails with slightly incorrect details or misspellings, new mailbox folders or inbox rules the user did not create, unfamiliar email addresses (a look-alike domain or a changed reply-to), and mail being forwarded outside the organization. Other red flags are out-of-band questions or comments in an email that do not make sense, and unexpected MFA prompts, which usually mean someone else has the password. Employees should also watch for unusual sign-in events or unexpected colleague activity (for example, a colleague who is supposedly out of the office but is active at unusual hours).
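The mailbox-side symptoms above (forwarding, unexpected inbox rules, new folders) can also be hunted for centrally. The following is an added PowerShell example, not part of the original article, that sweeps an Exchange Online tenant for them; it assumes the ExchangeOnlineManagement module, Exchange Administrator rights, and that unified audit logging is enabled. The 14-day window and the folder-name pattern are placeholders.

```powershell
# Added example, not from the original article. Assumes the ExchangeOnlineManagement
# module, Exchange Administrator rights and unified audit logging enabled. The 14-day
# window and the folder-name pattern are placeholders.

Connect-ExchangeOnline
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

# 1. Mailbox-level forwarding. Any value here should match a documented request.
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward

# 2. Inbox rules that forward, redirect, delete or bury mail. BEC actors typically
#    create a rule with an empty or innocuous name that moves the real vendor
#    correspondence to RSS Feeds, Archive or Deleted Items so the victim never sees
#    the replies while the fraudulent thread continues.
$suspiciousRules = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
        $_.DeleteMessage -or $_.MoveToFolder -match "RSS|Archive|Deleted|Junk|Conversation History"
    } | Select-Object @{ n = "Mailbox"; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder,
                      SubjectContainsWords, FromAddressContainsWords
}
$suspiciousRules | Format-Table -AutoSize

# 3. Audit trail: who created or changed rules, forwarding or mailbox permissions in
#    the last 14 days, and from which IP. This also surfaces rules the attacker has
#    since deleted, which step 2 cannot see.
$ops = @("New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox",
         "Add-MailboxPermission", "Add-RecipientPermission")
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-14) -EndDate (Get-Date) `
        -Operations $ops -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When   = $_.CreationDate
            Who    = $_.UserIds
            Op     = $_.Operations
            FromIP = $d.ClientIP
            Target = $d.ObjectId
        }
    } | Sort-Object When -Descending | Format-Table -AutoSize
```

Step 2 walks every mailbox and is slow in large tenants; run it on a schedule and diff against the previous run so only new rules need a human look. A Set-Mailbox entry in step 3 whose parameters include ForwardingSmtpAddress, performed from an IP the user never signs in from, is the classic BEC footprint.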
While email compromise is by far the preferred approach of criminal profiteers, there are isolated cases where fictitious vendor phone calls have been used. Employee training should include this scenario: employees should be instructed not to trust the caller, to verify the purpose of any suspicious call, and to call back on a number already on file rather than one supplied by the caller.
React Quickly to an Incident
Businesses should implement a clearly defined process for reporting suspicious incidents and dedicate resources to be on call. Remember, vigilance is key and, as with any suspected crime, a good rule to follow is "if you see something, say something." If an incident is detected, there are critical steps that should be taken immediately to eliminate the attacker's persistence: disable the account, reset its credentials, revoke active sessions, and remove any forwarding, inbox rules or delegate access the attacker added. If funds were sent, contact your bank at once to request a recall. Along with contacting your BPM team for an incident assessment, file a report with the FBI's Internet Crime Complaint Center (IC3) so that its Recovery Asset Team (RAT) can engage; the RAT works with financial institutions to freeze fraudulent transfers and has an impressive success rate at keeping funds out of the hands of criminal profiteers. Speed matters, because the odds of recovery drop sharply once the money has been moved on from the receiving account.
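The technical containment steps above for a single compromised account, as an added PowerShell example that is not part of the original article. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, Global Administrator rights, and a victim account that is not itself an administrator; the mailbox address and output file names are placeholders.

```powershell
# Added example, not from the original article: first-hour containment of one
# compromised Microsoft 365 account. Assumes the ExchangeOnlineManagement and
# Microsoft.Graph modules, Global Administrator rights and a non-admin victim.
# The mailbox address and output file names are placeholders.

$user = "cfo@contoso.com"
$tag  = $user -replace "[@.]", "_"
Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All",
                        "UserAuthenticationMethod.Read.All", "AuditLog.Read.All"

# 1. Cut the attacker off: block sign-in, set a random temporary password that must
#    be changed at next sign-in, and revoke every refresh token so existing Outlook,
#    mobile and EWS sessions die when their current access token expires.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $user -AccountEnabled:$false
Update-MgUser -UserId $user -PasswordProfile @{
    Password = $tempPassword; ForceChangePasswordNextSignIn = $true }
Revoke-MgUserSignInSession -UserId $user

# 2. Preserve evidence before it ages out or is changed by the cleanup below.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$user'" -All |
    Export-Csv ".\$tag-signins.csv" -NoTypeInformation
Search-UnifiedAuditLog -UserIds $user -StartDate (Get-Date).AddDays(-90) `
        -EndDate (Get-Date) -ResultSize 5000 |
    Export-Csv ".\$tag-audit.csv" -NoTypeInformation
Get-InboxRule -Mailbox $user | Export-Clixml ".\$tag-inboxrules.xml"

# 3. Remove the persistence the attacker planted: forwarding, inbox rules and delegate
#    access. Rules are disabled rather than deleted so investigators can still read them.
Set-Mailbox -Identity $user -ForwardingSmtpAddress $null -ForwardingAddress $null `
    -DeliverToMailboxAndForward $false
Get-InboxRule -Mailbox $user | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
    } | ForEach-Object { Disable-InboxRule -Identity $_.Identity -Mailbox $user -Confirm:$false }
Get-MailboxPermission -Identity $user |
    Where-Object { $_.User -notlike "NT AUTHORITY\SELF" -and -not $_.IsInherited } |
    ForEach-Object { Remove-MailboxPermission -Identity $user -User $_.User `
                         -AccessRights $_.AccessRights -Confirm:$false }

# 4. MFA methods: list every registered method; any phone or authenticator app the
#    user does not recognize was added by the attacker and must be removed, or a
#    password reset alone will not lock them out.
Get-MgUserAuthenticationMethod -UserId $user |
    Select-Object Id, @{ n = "Type"; e = { $_.AdditionalProperties["@odata.type"] } }

# 5. Re-enable only after the user has re-registered MFA on a known device and the
#    mailbox has been reviewed for what the attacker read, sent and deleted:
#    Update-MgUser -UserId $user -AccountEnabled:$true
```

Step 1 comes first because every minute the session stays alive is another chance for the attacker to send a final "updated wiring instructions" message; the exports in step 2 are unaffected by disabling the account. Resetting the password of an account that holds an admin role requires additional rights beyond those listed.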
Make Cybersecurity Part of the Conversation – and Join Ours on September 29th
With the cybersecurity threat landscape worsening, businesses need to balance convenience and user satisfaction against the friction of stronger technical controls and more demanding employee awareness training. Businesses should make cybersecurity part of the conversation and thank employees, customers and business associates for the inconveniences that come with information security improvements.
BPM’s David Trepp will take a deeper look at the issues surrounding BEC and the steps businesses should take to mitigate risk. Join David on September 29, 2022, from 10 a.m. to 11 a.m. PT, for a webinar entitled, “The Rise of Business Email Compromise – And How to Combat It.” Attendees will receive 1.0 hour of CPE credit (Information Technology). Register here.