Since life in the shadow of the Covid-19 pandemic became “new normal”, we at OP Innovate have seen an excess of business email compromises (BEC) incidents.
As the pandemic played out across the globe, workers got vaxxed and IT departments got used to this “new normal”, we genuinely hoped we’d see a drop in this kind of attack. The human factor remains the weakest link in the chain and the many organizations that softened their IT and security policies to enable employees to work remotely, inadvertently also welcomed the cyber criminals to compromise their assets.
So what is a Business Email Compromise (BEC)?
As its name suggests, a BEC attack targets corporate email accounts. At an early stage, the attacker designs an attractive “call to action” to fool users into giving over some personal details. The attacker often couples the call to action with a sense of urgency. Attackers usually load their emails with eye-catching subject lines that include terms such as “invoice attached” or “verification required”. One common example takes the form of a fake ‘password expiry’ notification but the results are the same – compromised credentials.
Once the attacker acquires the credentials, they will use them to log into the victim user’s account, learn their finance protocols and ultimately perpetrate a fraudulent wire transfer that will closely resemble a legit wire transfer request.
As incident responders (Blue team), OP Innovate’s team has been in the thick of things handling multiple attacks. Some carried the fingerprints of the “Florentine Banker” attack group and included lookalike domains and well choreographed man-in-the-middle techniques.
The flow diagram below shows how a typical BEC attack evolves into a fraudulent wire transfer.
Here are some stats from our Covid era engagements so far:
Top 10 Recommended Steps to Hardening your Business Email & Wire Transfer Processes
If you don’t want to become a BEC victim, here are a number of recommendations on how to protect yourself and your organization in the face of email-based attack:
- Multi factor authentication – simple, yet organizations skip it. As of 30th Aug 2021, Single-factor authentication (SFA) is on the US Cybersecurity and Infrastructure Security Agency (CISA) short list of cybersecurity bad practices it advises against.
- Simply enabling MFA on Office 365 is not enough. It should be enforced for all users.
- As MFA becomes more ubiquitous, attackers are finding ways to bypass it. At the end of the day, a user could still be fooled into handing over the one-time code in response to a spear phishing campaign.
- Combine MFA’s deployment with an awareness campaign that empowers your employees and explains their role in helping to protect your company’s assets.
- Change the money wiring flow so it includes a human decision-maker in the process from all parties to approve the wiring. Automation is not always the best answer.
- Pay attention to wire transfer requests. If you regularly pay a partner or vendor, set a password with them. This way, if they suddenly “change” their bank account, you can contact them BY PHONE, exchange passwords and ask for clarification. This beats replying to the suspicious email which may simply elicit a response from the well positioned attacker, rather than the intended legitimate wire recipient.
- In preparation for the inevitable attack, raise your email system’s log level to provide the maximal information during the incident response process.
- Track down events related to the creation of new O365 rules. Attackers will try to cover their tracks.
- If you do get hit, resetting user passwords and then deploying MFA is not enough. Be sure to terminate all active sessions to kick the attacker out before they can cause more damage.
- Rarely do users confess or have awareness of the fact they fell for a phishing scam. If you suspect a user of being compromised, check their web browsing history / cache for visits to suspicious websites around the time of the phishing email’s arrival.
- If a user got a dedicated phishing email (spear-phishing) that contains organization data (names of employees, names of systems, etc) – be aware that there may be an entity or a group specifically targeting your organization, and investing hours and effort to gather intelligence to enable them to fly under the radar.
- Build an incident response plan and a partnership with an IR company that can get to know your organization and is ready to handle any incident that hits when it hits.
Contact OP Innovate to work with your organization’s teams and technologies to Identify your weaknesses and vulnerabilities. We can keep you aware of the threats out there and step up as your cybersecurity IR team, by your side, whenever required.
Written by Omer Pinsker, the founder & CEO of OP Innovate, Certified Incident Handler (GCIH).