Business Email Compromise: How to Avoid Becoming a Victim

How likely are you to quickly respond to an email that appears to come directly from an executive-level individual at your organization, an email from a trusted third-party vendor, or an email that is flagged as high importance by a “business partner?”  Malicious actors are banking on immediate action being taken, whether it’s the source of the email (i.e. CEO of the company), the urgency described in the message, or both.  Emails impersonating legitimate individuals for nefarious purposes, also known as business email compromise (BEC), is a rapidly growing threat aimed at committing financial fraud through eliciting deceitful wire transfers.

What is BEC?

Malicious actors running BEC campaigns rely on deception techniques to masquerade as legitimate and trusted sources. Using research and social engineering tactics to portray executives, business partners, suppliers, or even legal authority figures, their goal is to induce illegitimate money transfers.  Those who fall victim to a BEC attack are deceived, thinking that they are simply doing what is asked of them by a reputable individual and performing an ordinary transaction, like wiring funds or completing a supply order, when in reality they are being duped by a fraudulent request.

BEC attacks generally work in two ways.  One, email accounts of targets are spoofed by cyber criminals to appear like they have originated from a different source.  For example, the message is designed to look like it is sent from [email protected], when the actual address is [email protected]  Another spoofing attempt is when email addresses are created with just a slight change so that they appear legitimate.  This could be something as simple as using an underscore __ instead of a hyphen — in the email address.  Without paying careful attention, the receiver has no reason to believe the email is fraudulent.

The second method is through compromised accounts.  This involves cyber criminals obtaining credentials to email accounts of individuals they want to pose as and distributing illegitimate messages.  Credentials can be gathered several ways, such as through database breaches, phishing scams, or brute force attacks.  In this case, the email account is legitimate, but the message is not.

Why You Should Be Concerned

BEC attacks “have seen an explosive 476% growth between Q4 2017 and Q4 2018.” 1 The likely cause behind this drastic increase is because they are low risk for cyber criminals and highly effective in achieving their purpose simply because of human nature.

Further, a BEC campaign uses simple technology, can be put into action rapidly, and carries the potential for a large payout.  If that’s not reason enough to be concerned, BEC attacks are also capable of circumventing traditional security practices like anti-virus scans or spam filters.

Obvious flags for email filters like grammatical errors or misspellings usually do not catch BEC attacks because these messages are targeted and constructed with thought.  A BEC attack also does not rely on malware to achieve its purpose, another reason why they are able to evade scans and filters.  Instead of an individual clicking on a malicious link or downloading an attachment containing malware, a successful BEC campaign only needs to deceive the target with a message that appears to be legitimate.

Extensive research is performed ahead of launching an attack in an effort to make the message as personalized as possible. Using a combination of publicly available information, like a bio on a company website, useful data from social media, and relevant material found on the dark web, emails can be written in a manner that appears legitimate and entices the recipient to take action.

The results of these attacks are significant and costly.  BEC attacks “yield an average of $132,000 per attack” and it is difficult to recoup the money after it has been transferred.  A public service announcement from July 2018 released by the FBI stated that victims of BEC attacks lost more than $12.5 billion from October 2013 to May 2018.

Losses suffered go beyond just monetary, including loss of operations and damaged reputation, which can end up being costlier than the transfer of funds itself.  A BEC attack has the ability to disrupt business continuity, demanding valuable resources be used to ensure operations are brought back up to speed, and whenever an organization is in the news for a cyber attack, they run the risk of losing customer faith.

Don’t Be a Victim: How to Protect Against BEC Attacks

There is no silver bullet that will prevent a BEC attack from being successful.  Instead, the best way to prevent BEC fraud is through security awareness training.  Creating a “culture of security” will help reduce the risk of a successful BEC attack.

Employees at every level of your organization should be trained how to recognize common deception tactics, like domain name spoofing (i.e. an email address that appears legitimate) and learn other best practices.

This includes not posting personal information, or anything that could be leveraged against you, on social media.  The less ammo that cyber criminals have to work with, the less likely their email will appear to be legitimate.  

People are often referred to as the “weakest link” in an organization’s security posture, but they can also be your biggest strength when it comes to mitigating risk, as long as they are properly prepared.

Beyond training, additional accounting controls should be implemented to help combat BEC attacks.  For example, requiring some sort of confirmation from the requesting party before authorizing payment should be standard protocol.  This could be as simple as calling the individual that the message is coming from to ensure that they were behind the request.  If it’s a legitimate request, it may add more time to the transfer process, but it’s better to be overly cautious and confirm the funds are going to the right place versus losing them for good to a malicious actor.

Regular assessments of networks and systems should already be included as part of your overall security strategy, but they can also be helpful in deterring BEC attacks.  Performing investigations can determine if email servers were compromised and that alterations were made allowing for nefarious emails to be sent using your network and appear as legitimate messages. Identifying this intrusion can potentially prevent large sums of money from falling into the wrong hands.

Another best practice to mitigate BEC threats is to implement multi-factor authentication on all email accounts at your organization.  This practice requires multiple steps to login after entering a password, such as receiving a unique code on a mobile device and then inputting the text.  Even if a cyber criminal has credentials to an email account, multi-factor authentication will help prevent them from being able to access it and send fraudulent transfer requests, since they likely won’t have the means to verify it’s the appropriate person logging in.

Lastly, perform due diligence on your vendors, suppliers, customers, or anyone involved with the potential transfer of funds. Determine which individuals specifically you will be interacting withand learn their processes and habits.  This will help trigger caution if their normal business practices suddenly differ, like an urgent request out of the blue, or an email from someone you’ve never worked with previously.

Steps to Take if an Attack is Successful

In the unfortunate event that a BEC attack is successful and funds are fraudulently transferred, all is not lost, but you must act quickly.  This involves contacting your financial institution immediately and requesting either a recall of the funds or asking them to not allow the transaction to go through.

Additionally, pending certain criteria, you can implement the Financial Fraud Kill Chain (FFKC) process that is offered through the FBI.  Its intention is to provide an additional outlet for recovering funds and should be used in conjunction with normal procedures at your financial institution.  Even if your circumstance does not qualify for the FFKC process, you should still contact your local FBI office to report the incident.  You’ll also want to file a complaint with the IC3, as they can assist both your financial institution and any involved law enforcement with their efforts to recover your funds.

Within your own network and systems, work to try and identify the malicious actor so that they can be contained and further damage can be prevented.  Also, be sure to involve all relevant parties within your organization, or partner with a company that can help provide support.  This includes forensic accounting, strategic communications, and litigation support.  A united front can help control the situation and ultimately recover from the fraudulent transfer.

Oldest Trick in the Book

While certain cyber attacks are becoming increasingly technical, the art of deception is a simple tactic that has been around for centuries.  Despite its simplistic nature, preventing a BEC attack cannot be achieved by installing software and rather requires a culture of awareness to be established.  With emails becoming increasingly personalized and targeted, it is more essential than ever to learn what to look for to avoid falling victim to this type of attack.  Cyber criminals are going to continue using attack methods that are low-effort, successful, and offer large payouts, which for now, is the case with BEC attacks.

The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates or its other professionals.

ANTHONY FERRANTE

Anthony J. Ferrante is a Senior Managing Director and the Global Head of Cybersecurity at FTI Consulting. Mr. Ferrante is an expert in cybersecurity resilience, prevention, response, remediation and recovery services.

Mr. Ferrante has more than 15 years of top‐level cybersecurity experience, providing incident response and preparedness planning to more than 1,000 private sector and government organizations, including more than 175 Fortune 500 companies and 70 Fortune 100 companies.

Mr. Ferrante maintains first‐hand operational knowledge of more than 60 criminal and nationalsecurity cyber threat sets, and extensive practical expertise researching, designing, developing and hacking complex technical applications and hardware systems.

Prior to joining FTI Consulting, Mr. Ferrante served as Director for Cyber Incident Response at the U.S.

National Security Council at the White House where he coordinated U.S. response to unfolding domestic and international cybersecurity crises and issues. Building on his extensive cybersecurity and incident response experience, he led the development and implementation of Presidential Policy Directive 41 – United States Cyber Incident Coordination, the federal government’s national policy guiding cyber incident response efforts.

Before joining the National Security Council, Mr. Ferrante was Chief of Staff of the FBI’s Cyber Division.

He joined the FBI as a special agent in 2005, assigned to the FBI’s New York Field Office. In 2006, Mr. Ferrante was selected as a member of the FBI’s Cyber Action Team, a fly-team of experts who deploy globally to respond to the most critical cyber incidents on behalf of the U.S. Government.

Mr. Ferrante previously served as an Adjunct Professor of Computer Science at Fordham University’s Graduate School of Arts and Sciences, where he served as the founder and co-director of the Master’s of Science in Cybersecurity program in the Graduate School of Arts and Sciences. During his time at Fordham University, he served as the co-director of the undergraduate and graduate cybersecurity research programs.

Paul Ferrillo

Paul Ferrillo is a Shareholder in Greenberg Traurig’s Cybersecurity and Privacy Group. He focuses his practice on cybersecurity corporate governance issues, complex securities and business litigation, and internal investigations. He assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them. Paul represents public companies and their directors and officers in shareholder class and derivative actions, as well as in internal investigations. In particular, he has coordinated numerous internal investigations on behalf of audit committees and special committees, and handled the defense of securities class actions alleging accounting irregularities and/or financial fraud. He is also the author of Navigating the Cybersecurity Storm: A Guide for Directors and Officers (Advisen 2015) and Co-Author of Take Back Control of Your Cybersecurity Now: Game Changing Concepts on AI and Cyber Governance Solutions for Executives (Advisen 2017).