Preventing Business Email Compromise (BEC)

Preventing Business Email Compromise is critical for organizations everywhere. Here’s a quick overview of this malicious email-based threat and how to stop it.

BEC is sometimes referred to as “whaling” because it specifically targets or impersonates an organization’s biggest fish. In a BEC campaign, the attacker sends an email to someone in the organization who has the ability to execute a financial transaction. Although sent by the attacker, the email looks like it’s from the CEO (or another empowered individual). It authorizes and requests an immediate financial transaction such as a vendor payment, direct deposit, or wire transfer. The payment is, of course, directed to an account owned by the attacker.

Business Email Compromise – A 5 Billion Dollar Problem

The number of attacks and damages due to BEC have dramatically increased in recent years. The FBI, in a recently updated BEC Public Service Announcement, indicated that between January 2015 and December 2016, there was a 2,370% increase in identified BEC losses, totaling over $5 billion worldwide.

The following few examples demonstrate the dangers:

  • Evaldas Rimasauskas, who, according to The Guardian, registered a company in Lithuania that had the same name as a company in Asia, and managed to get US tech companies to transfer over $100 million.
  • Leoni AG, Europe’s biggest manufacturer of wires and electrical cables, lost $44 million (and 7% of its market value) in August 2016 via a BEC scam.
  • As reported by Reuters, aerospace parts manufacturer FACC experienced a $42 million loss due to a fraudulent BEC payment.
  • Budget airline Ryanair lost $5 million via a fraudulent electronic transfer.

These statistics are alarming. With BEC attacks being reported in all fifty states and 131 countries, companies worldwide need to work diligently to prevent business email compromise. To put this in perspective, consider that according to CNBC, the globally notorious WannaCry ransomware attack only put around $50,000 into the attacker’s pockets. That’s a mere fraction compared to the billions lost by organizations failing to prevent BEC.

Malware in Business Email Compromise

Although the late-stage emails used in BEC may not contain malware, malicious code is often used as part of an overall BEC scheme.

To deceive recipients into acting on a fraudulent email, cybercriminals frequently use malware to obtain the CEO’s account credentials. Once compromised, the CEO’s account is used to send the emails requesting the fraudulent payments.

A case in point: In a recent BEC campaign, attackers sent emails that deceived victims into installing Olympic Vision malware. The malware allowed cybercriminals to steal logon credentials and to capture keystrokes, images, screenshots, and other sensitive data. The stolen data was then used to impersonate the CEO or other high-ranking individuals via email. Because hackers can acquire the widely available Olympic Vision toolkit for only $25, it’s quite easy for cybercrooks, even beginners, to hijack email accounts and impersonate their victims.

Credential Theft

Here are some of the more common types of malware specifically designed to steal or compromise a victim’s logon credentials.

  • Keyloggers – capture IDs, passwords, and other sensitive data typed by the user
  • Network sniffers – record and transmit sensitive data pulled from the victim’s network
  • Man-in-the-middle attacks – malware designed to sit between the victim and their target website or application, capturing and potentially modifying the data. Varieties include:
    • Man-in-the-Browser
    • Man-in-the-Email
    • Man-in-the-Cloud
    • Man-in-the-IoT

For more information about password-stealing malware, see Password-Stealing Malware Remains Key Tool for Cybercriminals.

Business Email Compromise and Domain Spoofing

Although not as effective as when the attacker uses the victim’s actual account to send the fraudulent email, BEC attacks also use domain spoofing to mislead email recipients into thinking the email is really from the CEO or other authority figures.

Domain spoofing uses slight variations in legitimate email addresses to deceive BEC victims. For example, it’s easy to miss the subtle spelling changes in:

john.kelly@123abccompany.com vs. john.kelley@123abccompany.com.

or, in:

john.kelly@123abccompany.com vs. john.kelly@123abcompany.com.

Note that the top example modifies the individual mailbox, whereas the bottom example alters the domain name (organization). Victims can easily fall for either approach.

Techniques to Prevent Business Email Compromise

Unless properly equipped, businesses will have a hard time preventing Business Email Compromise. Emails, at least the later stage emails of a BEC attack, don’t typically include links or have attachments. Traditional secure email gateway systems only evaluate attachments and links. They are ineffective at preventing BEC.

The following guidelines will help organizations guard against BEC attacks:

  1. Implement a solution that excels in detecting advanced and evasive keylogging and other malware used by BEC. In addition to email, use it to evaluate threats on all hosts, and in your network traffic.
  2. Use a reliable email security solution that can flag certain keywords that are commonly used in BEC attacks (e.g. “payment”, “urgent”, “request”). It should also detect patterns such as an email from a local domain to a local domain but with a non-local reply address.
  3. Register all company domains that are slightly different from the actual company domain.
  4. Flag emails from domains that are similar to the company’s email domain. For example, a company using “123abccompany.com” would flag emails using “123abc-company.com”.
  5. Educate your users about BEC attacks, particularly executives or staff who have authority to release funds or critical information.
  6. Use multifactor authentication for any release of sensitive data or wired funds. Verify changes in vendor payment location by adding two-factor authentication such as a secondary sign-off by company personnel or using previously known phone numbers. Do not use the numbers or contact information provided in the email request.
  7. Carefully scrutinize all email requests for transfer of funds to determine if the requests are out of the ordinary. Know the habits of your customers, including the details of, reasons behind and amount of payments.
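
The header checks from guidelines 2 and 4, together with the mailbox and domain variations shown in the domain spoofing section, can be sketched as a small filter. This is an added example, not code from the original article or any product; the edit-distance threshold of 2, the `KNOWN_SENDERS` directory, the flag names and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "123abccompany.com"              # domain from the article's example
KNOWN_SENDERS = {"john.kelly@123abccompany.com"}  # assumed directory of real mailboxes
KEYWORDS = ("payment", "urgent", "request")       # keywords named in guideline 2

# Constructed sample: the article's misspelled-domain address asking for a payment.
SAMPLE = ("From: John Kelly <john.kelly@123abcompany.com>\n"
          "To: ap@123abccompany.com\n"
          "Subject: Urgent wire\n\n"
          "Please process this payment today.\n")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw_message):
    """Return the sorted BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender, rcpt, reply_to = (parseaddr(msg.get(h, ""))[1].lower()
                              for h in ("From", "To", "Reply-To"))
    domain, local = sender.rpartition("@")[2], "@" + COMPANY_DOMAIN
    flags = set()
    # Guideline 4: sender domain close to, but not equal to, the company domain.
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        flags.add("lookalike-domain")
    # Mailbox variant: company domain, address near a known mailbox but not in the directory.
    if domain == COMPANY_DOMAIN and sender not in KNOWN_SENDERS and any(
            edit_distance(sender, known) <= 2 for known in KNOWN_SENDERS):
        flags.add("lookalike-mailbox")
    # Guideline 2: local sender, local recipient, replies routed to a non-local address.
    if sender.endswith(local) and rcpt.endswith(local) and reply_to \
            and not reply_to.endswith(local):
        flags.add("external-reply-to")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + (body if isinstance(body, str) else "")).lower()
    if any(word in text for word in KEYWORDS):  # plain substring match, expect noise
        flags.add("bec-keyword")
    return sorted(flags)

if __name__ == "__main__":
    print(bec_flags(SAMPLE))
```

The keyword flag alone is too noisy to act on; it is most useful as a score contributor alongside the lookalike and reply-address flags.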

Key Takeaway – BEC Doesn’t Get Much Attention, But it Should

Although BEC doesn’t get as much mindshare as ransomware or other forms of cybercrime, it is nonetheless a very significant threat to organizations of all sizes worldwide. The statistics show that it is growing rapidly and that it is more damaging than many other threats.

Although conventional email security gateways will not effectively prevent Business Email Compromise, there are products that will. When these modern solutions are coupled with appropriate education and best practices, organizations need not fear this rising threat.

Bert Rankin

Bert Rankin has been leading technology innovation for over 25 years including over 5 years in security solutions that prevent cybercrime. He is a frequent blogger and is often quoted in security-related articles. Bert earned his BA from Harvard University and an MBA at Stanford University.