Business Email Compromise

 Business Email Compromise (BEC) is the latest trend in cybersecurity that you should want nothing to do with. Attackers are flocking en mass and targeting the email systems of vulnerable companies as a means of taking control and leveraging the access for their own financial gain. We will explore the details of these attacks and what organizations should be doing to
mitigate the risk of falling victim.

What is Business Email Compromise?
Business Email Compromise (BEC) is the result of several malicious activities taken by cyber criminals with the goal of gaining access to a legitimate business email account.  Typically, a specific victim is targeted so that the attackers can leverage their email account to perform activities and gain access to systems that are typically associated with the victim’s job role. The attacker, armed with legitimate credentials, is now suited to masquerade as the owner of the account.

Why is BEC a common attack vector?
BEC is an easy attack to perform and delivers valuable results.  Despite how we typically think of cyber attacks, BEC is relatively lowtech.  It begins with the attacker using simple deception, also known as social engineering, to obtain the accounts legitimate credentials.  There are several ways attackers do this, including phishing emails, gaining physical access to facilities (to find that post-it note under your keyboard), or purchasing already-compromised credentials on the dark web and checking for instances of password reuse.  In many organizations, an employee’s email account is their master key; the tool with which all other access is gained. It would allow an attacker to authorize any activity typically authorized via email. A common way that BEC manifests is when the attacker takes over an account and creates or approves fake invoices in a way that mirrors the way the legitimate user would. Funds then are directed to the attackers’ accounts in what appears to be a routine transaction. Having this access would also allow an attacker to reset password access to any systems that authenticate with the email account, and gain access to sensitive information that can be sold on the dark web. Since BEC attacks usually target VIP employees, the attackers can be confident in what malicious activity they will be able to perform with a given compromised email account.

Who should care about BEC?
Leadership: Those in executive and VIP positions must understand their position as ideal targets of BEC attacks. They need to understand the signs of phishing attempts and the dangers of password reuse. They also need to be sure to drive a security-focused culture in the organization in order to help avoid compromise at lower levels. IT Administrators: Those in technology
leadership need to understand the solutions that can prevent and detect these attacks, and be sure to give those tools their due attention. A robust incident response plan should also be in place to react in the event that a compromised account is detected.  How can I protect my organization against BEC? Since attackers rely on their ability to deceive employees, the employees must be adequately educated on how they are being targeted. Security awareness training should be held to teach users about how they are being targeted, and what they should do to identify and report these attempted attacks. Special  training should be given to VIP users who are ideal targets for this type of attack. To supplement user education, multi-factor authentication (MFA) is a technical solution that drastically reduces the likelihood of a successful BEC attack. Typical MFA implementations requires a user to enter a temporary code along with their password before being able to access their email.
The code is delivered via a text message or dedicated MFA application on the users mobile device, and is only valid for a single logon attempt and for a short period of time. Having this solution in place exponentially increases the effort and coordination required from the attacker to successfully compromise the account.  Finally, it is important to understand what information has
already been compromised. A popular starting point for attackers is to purchase credentials on the dark web that have been
obtained through data breaches.  Untrained employees often register for third-party services with their work accounts, and the
simple mistake of password reuse will have the credentials stored with this site. Should the site be breached, the user’s legitimate credentials are now exposed, despite the organization not actually being the victim of the breach.  Monitoring the dark web for existing compromised credentials will allow employees to proactively change passwords, as well as serve as a proof-of-concept for the dangers of password reuse. 

The Security Advisory team at OCD Tech has a great deal of experience implementing the processes and technologies needed to hedge against BEC attacks, including security awareness training, MFA implementation, and dark web monitoring. Be sure to evaluate your current security posture as it relates to this attack today, and don’t hesitate to reach out for more information.