Business Email Compromises: What Do I Have to Worry About and What Do I Have to Do?
by Brandon Graves, Partner
Cybersecurity
Introduction
Business Email Compromises (BECs) have risen by 55% over the last six months. Now, the aggregate number exceeds malware attacks, and organizations with more than 5,000 mailboxes have a 90% chance of a BEC attack every week. The business community has been dealing with BECs for a long time, but several factors have led to a significant increase in the attacks and thus the risk to businesses.
What is a Business Email Compromise?
A BEC typically begins with a phishing email. The email solicits a username and password, often pretending to be a link to a secure file transfer site. In many cases, the phishing email will come from a trusted business partner that has itself already been compromised. This makes it very difficult for automated phishing defenses and even well-trained employees to detect. The best criminals conduct research before sending the email so that the phishing attack looks almost indistinguishable from a legitimate email.
When a victim provides his username and password, the criminal typically takes several steps. First, the criminal may use the victim’s email account and address book to send more phishing emails. If the victim has access to financial systems or client relationships, the criminal may attempt to exploit these relationships. Finally, the criminal will use access to do research on other targets.
Eventually, the criminal will find a relationship to exploit. The criminal will identify a client or other employee and begin a dialog with them. The criminal will set up a rule in the victim’s email account so that incoming emails from the ultimate target go to deleted items or an archive folder. That way the victim doesn’t see that his account is being exploited. The point of this dialog is to get a wire transfer to the criminal’s account. This may involve changing invoicing instructions to a client or wiring instructions to a subordinate employee. In the worst case, this can result in a client sending payments for several months to the criminal’s bank account.
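The hiding rule described above leaves a record when mailbox auditing is enabled. As an added example (not part of the original article), the Python below flags rule changes that delete or tuck away mail matching a specific sender or keyword. It assumes audit records exported as one JSON object per line with Operation, UserId and Parameters fields; the sample records, addresses and the folder names beyond deleted items and archive are constructed.

```python
import json

# Deleted items and archive come from the article; the other folder names are
# assumptions about folders a mailbox owner rarely opens.
HIDING_FOLDERS = {"deleted items", "archive", "rss feeds", "junk email"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
SENDER_FILTERS = ("From", "FromAddressContainsWords", "SubjectOrBodyContainsWords")

# Constructed, simplified audit records (one JSON object per line); not real log data.
SAMPLE_LOG = """\
{"CreationTime":"2024-03-04T09:12:44","UserId":"cfo@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"."},{"Name":"From","Value":"ap@client.example"},{"Name":"MoveToFolder","Value":"Archive"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2024-03-04T10:01:07","UserId":"analyst@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2024-03-05T14:30:19","UserId":"controller@example.com","Operation":"Set-InboxRule","Parameters":[{"Name":"Name","Value":"x"},{"Name":"FromAddressContainsWords","Value":"client.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-03-05T15:02:51","UserId":"analyst@example.com","Operation":"MailItemsAccessed","Parameters":[]}
"""


def hiding_action(params):
    """Return how the rule takes mail out of view, or None if it does not."""
    if params.get("DeleteMessage", "").lower() == "true":
        return "deletes message"
    # Keep only the last path component of the destination folder.
    folder = params.get("MoveToFolder", "").replace("\\", "/").split("/")[-1].strip().lower()
    if folder in HIDING_FOLDERS:
        return f"moves to '{folder}'"
    return None


def find_hiding_rules(log_text):
    """Flag rule changes that hide mail matching a specific sender or keyword."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("Operation") not in RULE_OPERATIONS:
            continue  # ignore audit events that are not inbox-rule changes
        params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
        action = hiding_action(params)
        targets = [params[k] for k in SENDER_FILTERS if k in params]
        if action and targets:  # hidden AND aimed at particular correspondents
            findings.append({"user": record["UserId"], "when": record["CreationTime"],
                             "rule": params.get("Name", ""), "action": action,
                             "targets": targets})
    return findings


if __name__ == "__main__":
    for f in find_hiding_rules(SAMPLE_LOG):
        print(f"{f['when']} {f['user']}: rule {f['rule']!r} {f['action']} for {f['targets']}")
```

A hit is a lead for review rather than proof of compromise, since users do create legitimate rules that archive mail from a given sender.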
Sophisticated criminals will spoof phone calls to confirm changed wiring instructions. Some can even get around multi-factor authentication. Oftentimes, these schemes go on for months before they are discovered.
What do I do about this?
BECs are more and more common, but some simple steps can block the majority of them. No defense is perfect, however, which means that you need to know how to recover.
How do I prevent it?
There are a number of ways to prevent, or in some cases prepare for, a BEC.
The first thing to do is to make sure you have multifactor authentication enabled and enabled properly. This can help prevent criminals from accessing systems remotely with a stolen username and password. Many insurance companies now require multifactor authentication for cyber insurance policies for this reason.
Next, ensure employees are receiving adequate training, both on phishing and internal procedures. One favorite tactic of criminals is to hijack a senior executive’s email and browbeat a junior member of the finance team into an emergency wire. If that junior member is well trained on internal procedures (and those procedures call for it), then the junior member will confirm the wire with a phone call or a second authorization. That will both prevent the wire transfer and discover the compromise.
Of course, that only works if you have adequate procedures. You should review those procedures to make sure they are proof against BEC or other forms of social engineering. This can include notifying your clients that wiring instruction changes will be validated by a phone call. In addition, you should have a policy for how you respond to a BEC.
Confirm that your monitoring and log monitoring tools are in place. The default log retention for Office 365 is 90 days. This is generally too short to determine what the criminals did with their access, which can have legal consequences. Because Microsoft’s SaaS office platform has been such a common target for these attacks, Microsoft is increasing the log storage and log review tools provided by default.
How do I recover?
If you’ve had a BEC, time is of the essence. If you have insurance, you will want to put your insurer on notice. The insurer will attempt to control the process, but it is important to understand that you have different objectives than the insurer. I would never recommend using an insurer’s captured forensic firm, but many insurers push that solution, especially for BECs. Getting a preferred vendor on your policy is an option (this applies to a preferred law firm as well!).
You should also discuss the issue with well-qualified legal counsel. In the case of a mistaken wire, there are options available to recover those funds in some instances, but the case law is inconsistent and decisions made early can impact your ability to recover. In addition, the cyber security lawyer can help you understand legal obligations that you may have as a victim, can interface with law enforcement, and potentially keep some of the investigation privileged.
You will also need to get a forensic firm involved, although that should be through your lawyer. Some of the leading forensic firms will not take on BECs because they are considered commodity work. There are still plenty of excellent firms that can assist, but there are firms that will make the situation worse. The forensic firm will help identify the scope of the intrusion, identify any backdoors left behind, validate configurations, and recommend additional security measures.
Conclusion
Attempted BECs are an inevitable occurrence for every organization. Not all of these attempts are even targeted, so even the smallest organizations are at risk, including non-profits. To avoid significant losses, organizations need to implement basic security measures. But even after implementing those measures, organizations need to know how to respond should they be a victim.