With the recent WannaCry ransomware attack stealing global headlines, it may seem counter-intuitive to say so, but cyber security attacks are becoming smaller and more targeted. As we reported in our security trends to watch in 2017, Business Email Compromise (or BEC) was one of the most frightening of these attacks, and the numbers back that up. From October ‘13 to Dec ‘16, the cost to businesses and organizations of all sizes totaled $5.3 Billion or over $130,000 per incident.
The Basics of Business Email Compromise
Also known as Whaling, Spearing and CEO Fraud, the key characteristic of a Business Email Compromise is that it involves the impersonation of a business stakeholder to extract or extort funds from the victim who believes they are carrying out an often routine transaction. This might be to fill an order with a supplier, an executive looking for urgent funds, a highly classified data request (often resulting in extortion) or connecting with someone posing as a professional outsider, such as a lawyer or real estate agent.
A successful scam often requires the “perfect storm” to take advantage of the victim. According to the FBI, the attacks often start with a phishing scam (to make use of personal info such as travel plans, account info, names etc.) and even ransomware or scareware to prime and extort their victims. Sometimes the phishing attack itself is not even necessary.
Given how much information most individuals now share, scammers can generally find information like email addresses, job titles, and even travel plans through a quick LinkedIn search. These highly targeted attacks require research and preparation by the scammer – often including domain-spoofing an email address. Attacks are increasingly becoming a combination of layered strategies, all meant to take advantage of a user’s inattention.
Examples of Business Email Compromise
There’ve been some really astronomical numbers. Leoni, a German cablecar maker, lost about $44 million (and 7% of its market value) in August 2016 via a spoofed email address. Or the $55 million lost by a Boeing supplier. Or the “measly” $5 million stolen from Ryanair to purchase some gas. Or the series of scams by Evaldas Rimasauskas, who registered a company in Lithuania that had the same name as a company in Asia, and managed to get US tech companies to wire over $100 million. These companies all learnt a hard lesson, but had sufficient assets (and likely insurance) to survive.
(Note: It’s important to note that this number doesn’t include the costs to organizations to rebuild IT infrastructure, backups and those electing not to pay a ransom. Then again, neither does the $5.3 Billion for BEC.)
BEC and Human Error
BEC Attacks are so hard to prevent because they always involve some form of human error. In the corporate world, safeguards are generally in place to address these errors, but a highly targeted and personalized attack can create significant lapses in judgement.
Take this example of CEO Fraud which involved a CEO requesting all W2 information from an employee – and in the process compromised the data of all Alpha Payroll clients. It was discovered when a client noticed a tax return filed under their social insurance number. It was too easy for the employee to blindly accept that what turned out to be a spoofed domain in the email was real.
Or the director of accounting at Ameriforge who received a spoofed email from his CEO, saying that he was in charge of a confidential file and that a lawyer would be contacting him shortly with details on a bank transfer. When a scammer posing as the lawyer called moments later, even 2 Factor Authentication would have been insufficient, and the director was sufficiently convinced to send the money across (more on multi-factor authentication later).
These are just a couple of examples of simple human error that can be made by any employee, in no part due to incompetence or neglect. In situations where even your best employees are vulnerable, it’s important to establish processes and fail-safes that disrupt the “auto-pilot” type behaviours that attackers want to take advantage of.
How to Stop a Business Email Compromise Scam
Stopping BEC scams always requires a business to start with employee security education and training, as user error is a requirement. While email security solutions will drastically reduce the likelihood of an attack, especially when it starts with a phishing email, having a properly trained group of users will greatly decrease the likelihood of any attack’s effectiveness – particularly among executives or staff who have authority to release funds or critical information.
Use A Reliable Email Security Solution
Using a leading email security solutions provider is fundamental to protecting against Business Email Compromise attacks, as it can allow you to flag certain keywords that attackers commonly use. A study by Proofpoint found that 30% of subject lines for these emails contained the word “Payment”, while 21% contained the word “Request” and another 21% contained the word “Urgent”. All this is consistent with attackers’ attempts to take advantage of your employees’ good intentions (see BEC infographic in this post).
Two factor authentication (2FA) should be a must for any release of sensitive data or wired funds. Even then, scammers are impersonating executive assistants or lawyers to call the CEO (or whomever) to confirm what was sent in a spoofed email. When it comes to significant transactions, or even as a matter of habit, build a multi-factor authentication (MFA) process to dramatically reduce the odds of being the victim of a scam, and certainly advance with caution any time money is involved.
Email Security Filters
Email Filters are a key to stopping BEC scams. New attempts often have a pattern where the email is from a local domain to a local domain, but with a non-local reply-to address. A good filter will spot these, particularly if it includes Domain-Based Message Authentication, Reporting & Conformance (DMARC) to prevent spoofed emails from reaching users. A great email filter will also include Advanced Threat Protection (ATP) that provides both signature-based detection (an important safeguard) while also catching irregular behavior and likely malicious emails.
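The local-to-local pattern with a non-local reply-to address, together with the subject keywords from the Proofpoint study mentioned earlier, can be checked directly on message headers. The following is an added example, not code from any product named in this post; the function names and the sample messages (using example.com as the local domain) are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Subject words from the Proofpoint figures quoted in this post.
SUBJECT_KEYWORDS = ("payment", "request", "urgent")

def domains(msg, header):
    """Lower-cased domains of every address found in one header."""
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr}

def bec_signals(raw, local_domains):
    """Return the list of BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    local = {d.lower() for d in local_domains}
    sender, rcpts = domains(msg, "From"), domains(msg, "To")
    reply_to = domains(msg, "Reply-To")
    signals = []
    # Local-to-local mail whose replies would leave the organization.
    if sender and sender <= local and rcpts & local and reply_to - local:
        signals.append("external-reply-to")
    subject = (msg.get("Subject") or "").lower()
    signals += ["keyword:" + k for k in SUBJECT_KEYWORDS if k in subject]
    return signals

# Constructed sample messages; all addresses are placeholders.
SPOOFED = """\
From: "Pat CEO" <ceo@example.com>
To: accounting@example.com
Reply-To: ceo.office@mail-example.net
Subject: Urgent wire payment

Please handle today.
"""
ROUTINE = """\
From: hr@example.com
To: accounting@example.com
Subject: Team lunch on Friday

See you there.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("routine", ROUTINE)):
        print(name, bec_signals(raw, {"example.com"}))
```

Keyword hits alone are weak evidence, since plenty of legitimate mail mentions payments; they are best used to raise the priority of a message that already shows the reply-to mismatch.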
Defend Your Domain Name Turf
Registering domain names that are similar to yours will also go a great deal further in protecting against the email spoofing practices that are at the heart of successful BEC attacks. Setting email filters to spot newly registered domains will also help protect against this practice – a targeted email spoofing attack will often register a spoofed variation of your domain right before sending a phishing email.
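A filter can combine both ideas in this section: compare each sender domain against the domains you own and check how recently it was registered. The sketch below is an added example, not part of any product mentioned here; the confusable-character list, the edit-distance threshold of 2, the 30-day age window, and the assumption that a registration date is supplied by a separate WHOIS or RDAP lookup are all illustrative choices.

```python
from datetime import date

# Character swaps often seen in look-alike domains (illustrative, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def skeleton(domain):
    """Fold confusable sequences so 'examp1e.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender_domain(domain, own_domains, registered_on, today, max_age_days=30):
    """Return flags for a sender domain: 'lookalike:<own>' and/or 'newly-registered'.

    registered_on is assumed to come from a WHOIS/RDAP lookup done elsewhere;
    pass None when the date is unknown.
    """
    domain = domain.lower()
    if domain in own_domains:
        return []
    flags = []
    for own in sorted(own_domains):
        # Threshold of 2 is an assumption; very short domains need a tighter one.
        if skeleton(domain) == skeleton(own) or edit_distance(domain, own) <= 2:
            flags.append("lookalike:" + own)
    if registered_on is not None and (today - registered_on).days <= max_age_days:
        flags.append("newly-registered")
    return flags

if __name__ == "__main__":
    # Constructed inputs: a one-character swap registered two days before "today".
    print(classify_sender_domain("examp1e.com", {"example.com"},
                                 date(2017, 5, 20), date(2017, 5, 22)))
```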
The Cost of a BEC vs an Email and Cyber Security Plan
The direct cost of a BEC might be $130,000 per incident, but that doesn’t include time spent on trying to recover funds, litigation, damage control, bad press, firing (as well as new hirings) and explaining to stakeholders how money was lost to both human error and a lack of defense against a common form of email scam. Comparatively, a well laid-out email and cyber security plan is a bargain. If you are a large company, you’ll make use of your IT Admins. For a small to medium business, an MSP or external consultant, with periodic employee training and awareness. That’s a rough scope. As an insurance policy, an email security investment should be a no-brainer.
To learn more about email security best practices and how to stop BEC, have a look at our modusCloud and modusGate secure email solutions which are designed to stop email scams – before they get to you.