Protecting Your Organization Against Business Email Compromise Attacks

According to the FBI’s 2019 Internet Crime Report, annual losses from BEC attacks totaled $1.7 billion in 2019. In 2021, these attacks accounted for half of all cybercrime losses in the United States, making BEC the most dangerous cyberthreat for causing financial damage.

BEC attacks have in the past spoofed the email accounts of CEOs and other high-ranking officials to persuade staff to transfer payments to criminals’ accounts. As time went on, customers, HR departments, and even tax officials became targets. While the objective is still the same, threat actors are now attempting to trick victims into purchasing gift cards, diverting tax returns, and even transferring millions of dollars in hardware and other equipment into their possession.

BEC attacks, like typical phishing efforts, frequently target current events or areas of public interest. And, of course, one of the hottest topics these days is the coronavirus. During the first two weeks of May 2020, COVID-19-related cyberattacks increased by 30%, with many of them including email frauds. In a number of cases, government organizations and medical facilities seeking to purchase equipment unwittingly paid funds to cybercriminals, only to realize later that the equipment did not exist and that their funds had been stolen.

Because gift cards don’t require bank accounts or direct payment transfers, they’ve become a popular means for fraudsters to steal money. These cards can easily be sold for roughly 70% of their original value on the internet. Scams involving gift cards are especially common over the holiday season, with crooks exploiting cards from Google Play, eBay, Target, and Walmart.

The attackers use a method to spoof the source’s email address, which is simple to perform because the SMTP protocol provides no effective mechanism to validate a sender. To send emails with a forged address, criminals use specialized or public SMTP servers.

In another method, criminals get control of the email accounts of the persons they intend to mimic through phishing, credential theft, or other means. They can then send emails from the actual account to give the request for funds more authenticity.

In yet another method, the attackers register a domain name that is identical to the one they want to spoof and send email from it. In contrast to the legitimate name of xyz.com, the registered domain may be xyz.co.

A US defence contractor was duped into mailing materials for a false order for over $10 million in 2019, including $3.2 million in sensitive communications spying equipment. The attacker utilized a fake Yahoo email account ending in “navy-mil.us” to create a bogus purchase order. The equipment was transported and received, which fortunately led to the identification and arrest of the swindler. Nevertheless, the attacker was well-versed in how to set up an email account, who to contact, how to design and draught a purchase order, and what equipment to specify.

In another case, the attackers entered and watched three financial firms’ Microsoft 365 accounts. The criminals diverted certain emails to these false sites after building lookalike domains for these organizations and their partners, accounts, and banks. The campaign’s organizers were able to request and receive more than $1.3 million in money transfers using this type of “man-in-the-middle” method.

AMSAT recommends the following advice to help your organization and workers defend against BEC attacks:

• Safeguard your email traffic with at least one layer of a cutting-edge email security solution from a recognized vendor. Niche players and open-source solutions might be quite harmful to your organization’s safety.
• Protect mobile and endpoint browsing with powerful cyber security solutions that block access to known and unknown phishing websites.
• Verify any changes to account details or wire instructions with two-factor authentication.
• Educate your end consumers on a regular basis. When doing irreversible acts like money transfers, elements of the transaction must be validated through other techniques such as voice communication rather than relying just on information from email correspondence.
• Check any message for the complete email address and be wary of hyperlinks that may contain misspellings of the actual domain name.
• In response to a text or email, do not provide login credentials or personal information.
• Monitor your bank accounts on a regular basis.
• Make sure you’re utilizing an email security system that can detect and block advanced attacks.