Article initially published in: Infosec Institute by Pedro Tavares

Business email compromise (BEC) attacks are widespread and growing in frequency. Due to their simplicity and effectiveness, BEC will continue to be one of the most popular attacks in 2018, with an expected growth to over $9 billion in losses in 2018. According to an FBI report, BEC attacks have become a $5.3 billion industry in the past year alone.14

BEC attacks open doors for cyber attackers to steal money with the help of an unwitting accomplice that is fooled into submitting a wire request to the attackers. BEC requires more than infrastructure and robust security – it requires an educated and security-aware workforce.

The case study outlined below explains how BEC works, and outlines steps businesses can take to prevent similar attacks at their organization.

Step 1: Infiltrating the Ranks



Criminals launching BEC attacks carefully research their victims. Through social engineering attacks, or even through malware, keyloggers or trojans (RATs), attackers obtain access to the CEO’s email from the target company.

In this case, after compromising the CEO’s email through guessing the password by a brute-force attack, the attacker scoured the entire email box for sensitive information and triggered social engineering attacks within the organization to raise money illegally.

There are two important things to keep in mind regarding the CEO’s email commitment:

The attackers initially traced the CEO’s profile and generated a dictionary of words tailored for this attack.

The way to access the CEO’s email account was not the most appropriate. Email access was only achieved through a password. There was no such thing as two-factor authentication (2FA), which made it easier for the cyber attackers. In fact, the email system did not allow this security mechanism.

Later, after a detailed analysis by a security specialist, it was proven the first access to the CEO’s account was achieved 75 days before the attack. During this period, the attacker had enough time to strategize the process that would compromise the company.

Step 2: Contacting the Junior Employee

On Friday morning, around 9:17 am, a specific employee of the finance department received an email from the cyber attacker pretending to be the CEO regarding a secret company acquisition. This employee was in other acquisitions by the CEO, which denotes some knowledge and investigation by the attacker to select the best target.

The email emphasizes the sensitive nature of the deal, making the employee feel special by being included in the CEO’s confidential operation. The email (presented below) explains an attorney working on the acquisition will follow up with the wire instructions.

Later, in an internal statement, the company’s CEO said that “this kind of wire transfer had already been made in the past. However, the employee would always call my cell phone to set up the steps of the transfer.” The CEO believes that the use of an attorney simplified the process for the attacker since the point of “validation” of the transaction was no longer himself but rather a figure impersonated by the attacker.

Step 3: Making Fraudulent Requests through Social Engineering

By 9:45 am, the CEO was out of the office, and the phone was ringing. Business as usual.

The cyber attacker posing as the attorney followed up by phone with the payment details as the original email from the CEO stated he would. The employee contacted said the following about this phone call:

“When I was contacted, the attorney was very clear with me on all that I had to do. He shared that the company was going to make a very important acquisition and the transfer was of an urgent nature. I had no doubt that it was of high priority! There was a background sound, a buzz of people talking. After some time, the attorney gave me the address for the transfer, indicating that he was doing it over the phone because it was the best security policy for these cases. Without hesitation, I made the transfer.”

In fact, these schemes depend on an email request that seems legitimate. They are usually from a real email account (e.g., the CEO’s email account) or one that is so similar that everyone will believe it to be real (e.g., from an email address very similar to the senior business person that the criminal is impersonating — CEO in this case).

Business Email Compromise Defenses & Protection

Warning signs of criminal activity are increasingly undetectable. Schemes are increasingly well-designed and realistic with well-defined targets and well-constructed emails with correct spelling.

When in doubt, ask internally for help on how to double-check the truth of any message you just received. If you see something, say something. Phishers do not just try to trick a user and then give up – they will be persistent contacting other people inside the company until they get lucky. Therefore, the sooner someone raises the alarm, the sooner your security team (even if that is just you!) can let everyone know, and you can close ranks against the crooks.

While some corporate email compromise attacks involve the use of malware, many are known to rely almost entirely on social engineering techniques. Because of this, BEC attacks are rarely interrupted by antivirus, spam filters or mailing list permissions.

Recommended Security Procedures



It is essential that companies educate their employees and that they know how these attacks work — human firewalls are needed. Some security procedures are presented below.

Team empowerment



Employees are the first line of defense against cyberattacks. They need to recognize malicious intent from phone calls, emails and SMS.

Raise awareness



Help employees understand more about the tricks and scams of fraudsters.

Create safe payment processes



For instance, confirm requests for fund transfers when using phone verification as part of two-factor authentication and use known familiar numbers, not the details provided in the email requests.

Strong passwords and 2FA



Strong passwords and 2FA will help protect the security of email accounts.

Register similar domains



Register all domains that are slightly different from the actual company’s domain.

Set up an email gateway



Set up an email gateway to flag keywords such as “payment,” “urgent,” “sensitive,” or “secret.”

Watch out for apparently innocent emails trying to make contact



Look for phrases such as, “Hey, are you in the office today?” or “I’m on the road this week, can you talk to IT for me?,” or “I left my phone in the airport so can you call me on this temporary SIM card I had to buy in [whichever country your boss is visiting this week, as mentioned on your company blog]?”

Sources