In our “cyber threats” series, we’ve covered three areas so far: a round-up of what the Australian Cyber Security Centre (ACSC) considered the biggest threats in 2019-2020, and then closer looks at phishing and ransomware. In this post, we’re going to put another damaging attack under the microscope: business email compromise.

In 2016, a financial department employee at Austrian aerospace manufacturer FACC got an email from their CEO. It was a request to transfer 50 million euros to an account for a new project.

The employee did as asked… and the proverbial hit the fan, for one big reason.

The email from the CEO didn’t actually come from the CEO.

It was part of a cyber crime known as business email compromise (or BEC), where cyber criminals infiltrate an executive’s email accounts to trick the business into wiring money to the wrong account.

(There are other types of BEC, which we’ll get into in a minute.)

Although the company belatedly realised what happened and clawed back 10 million euros, the other 40 million vanished into the ether.

Business email compromise is a huge problem throughout the world, including Australia. According to the ACSC, there were 4,255 reports of BEC fraud from Australian businesses across 2019-2020, which added up to losses of over $142 million (and these were just what was reported).

But what is BEC beyond another type of email scam? More importantly, what do you have to watch out for, and how do you stop a business email compromise attack emptying your bank accounts? Well, that’s what we’re covering today...

What is Business Email Compromise?

Also known as email account compromise (or EAC), a business email compromise attack is where cyber criminals use email to defraud a company of their money or goods. While email is usually the channel these attacks come through (hence the name), they can also pop up through text message or even social media messaging.

While the “CEO Fraud” you read about in the introduction is perhaps the most common type of BEC, there are actually three main types of attacks.

The Fake Executive - Firstly, cyber criminals identify an executive they can use as the “vehicle” in their scam. They’ll then infiltrate that executive’s email account and request a fake invoice to be paid, or request a change in a worker’s bank details (along with money to be wired through to the new details). Alternatively, they may try to impersonate the executive without hacking their account, but the goal is the same: get someone inside the company to wire them money.

The Fake Invoice - Once cyber criminals have an email account with access to invoices, they edit contact and bank details on those invoices. They then send the invoices to customers through the compromised account, and those customers inadvertently send money directly to the criminals.

The Fake Customer - This one doesn’t involve email infiltration. Criminals register a domain using a name very similar to a large known and well-trusted company. They then impersonate that business by sending an email to the target requesting an order for goods such as laptops or other valuables the business sells. The criminals negotiate for the order to be delivered prior to payment (and to a specific location), however the actual invoice is sent to the organisation the criminals were impersonating.

 

Why A BEC Attack Is NOT A Technology Problem! That might sound a little weird, but let me explain. Yes, cyber criminals do have to use tech to gain access to their target’s email account. However, business email compromise relies on two bigger elements:   Social Process Social: Many companies will proudly talk about their executive team, whether on their website, social media, or even emails. But in their effort to be transparent, they give away too much information… information used by cybercriminals to pinpoint a likely executive to target (along with a network that person would know). And of course, the more easily accessible data they can get their hands on, the better the criminal’s chance of sneaking the business email compromise past the company’s guard.   Process: The very idea of a BEC attack rests on taking advantage of poor controls around how a business moves money. For example, businesses that will make a funds transfer based on a single email request from the CEO is the perfect target. Having ways to validate payment requests is one measure a business can use to stop a successful BEC attack.

How Does Business Email Compromise Work?

While hacking into an email account is one of the main ways to launch a BEC attack, it’s not the only option open to cyber criminals. Here are three methods a criminal can use to do business email compromise.

 Email Takeover

This means gaining access to an email account to launch the attack.

 1. Research. Cybercriminals identify a likely business, then go to work finding out as much as they can about the business. This might include key people, the chain of command, and even when certain executives are travelling (their chances of pulling off the BEC is increased when the "sender" isn’t around to be directly questioned).

 2. Securing Credentials. To send an email from an executive's account, they need email login details. To get those, they'll use a spearphishing email. These emails aim to do one thing: get that person to visit a site specially set up for the scam and enter their email details. They might also use malware to intercept credentials they can then use.

 3. Send The "Request". Now that they have access to the executive’s email, they might spend a little time learning how the target writes so they can mimic the style. Once they’re familiar with this, they send an email to whoever handles finances and asks them to:

1. Pay an invoice that has the criminal’s bank details on it
2. Transfer funds directly to the criminal’s accounts

Email Impersonation

Impersonation doesn’t require the same technical savvy as an email takeover, but can be just as effective.

To impersonate an email account, criminals use ever-so-slightly different email addresses. For example, [email protected] vs [email protected] may not be immediately noticed by receivers, especially if the criminal can faithfully recreate other elements of the message. If done well enough, the receiver may not realise their error until it’s too late. 

Email Spoofing

This type of BEC is more sophisticated, as the criminal modifies their email’s envelope and header (communication-related data and metadata about the email) to make it look like it comes from the business’ internal domain.

Like the email impersonation, the attacker still has to recreate other elements of the message (such as the tone and signature) if this kind of attack has any chance of succeeding.

 

What To Watch Out For With BEC Attacks A business email compromise is never going to advertise it’s taking place, but there are suspicious signs you can watch out for...   Wire transfer? In this day and age of Paypal, Stripe, and ever easier direct transfer, wire transfers may be a little dated. But for some reason, they also appear to be a preferred method of transferring funds from a target, so a request for a “wire transfer” may raise a red flag Who’s asking? If an email from an executive pops up asking for an invoice or transfer to be made — especially from someone who doesn’t normally ask this — it’d be wise to check things out first. It could also pay to examine the email address, as this might be an impersonation. Gift cards? A more recent “innovation” from cybercriminals, requests for gift cards as payment have become popular (which in itself would be very odd 99% of the time). The reasons: gift cards can be as good as cash for the criminals and even faster to transfer. Right now! A common theme to a BEC message is that the payment needs to be done now. So if an email or request states how urgent this is, that might be the moment to slow down and make sure everything’s above board.

How To Prevent A Business Email Compromise Attack

Naturally, you can’t detect BEC threats before cybercriminals try to infiltrate your systems. However, you can strengthen your business in ways that not just reduce any tech-related holes, but also plug process and social vulnerabilities too.

Stay vigilant

Having everyone in the entire organisation keep their eyes open for suspicious emails, text messages, or social media messages is a first and obvious step. Phishing is a popular way of getting email credentials, which can be an early phase of a BEC attack. (Get the full story on phishing right here.)

Staff awareness

There are two reasons executives are the prime target of a BEC. The first is they’re the ones with the authority to make transfer requests. The second: they often have accounts with high privileges or access to sensitive data. So, while they might say they have better things to do than take security awareness training, it’s an important measure that could save the company from a crippling BEC attack.

 Use multi-factor authentication

Put simply, multi-factor authentication (MFA) means employees use two (or more) ways to authenticate their credentials when accessing email or other systems. Typically, one of these is a password, but the other can be any number of security controls:

• Smartcards
• One-time PINs (OTP)
• Mobile apps
• Biometric measures like fingerprint or retina scanners

Red alert!

Sometimes you can have all the right measures in place but still have an attack slip the net. In that case, alerts to catch these rare exceptions and stop them before your business unwittingly transfers any money to a Nigerian bank account. You can set up alerts to watch for events like:

• Unexpected change of bank details
• Urgent payment requests
• Unexpected payment requests from executives, especially if unusual
• Email addresses that look “odd”, such as small mismatches between a supplier and domain name

The Best Defence

Of all the things that can protect your business from a BEC attack, perhaps the best one is to shore up processes that involve money. Requests for funds transfer — whether it comes from the receptionist or the CEO — should follow the same stringent process, with checks to ensure the request is legitimate.

Naturally, stopping business email compromise before criminals ever get into your email (or spoof their way past your staff) is something most businesses want to do. And that’s where we come in. We help businesses fortify their systems, staff, and data, to keep everything as secure as possible.

If you’d like to know how to keep your business safe from business email compromise (as well as other attacks, like phishing), get in touch and let’s have a chat we are availablevia phone on 1300 778 078 or email [email protected]