Business Email Compromise (BEC) attacks
The Singapore Computer Emergency Response Team (SingCERT) reports that Business Email Compromise (BEC) attacks have been increasing over the years. Enterprises need to protect themselves by adopting good cyber hygiene practices and raising cybersecurity awareness among their employees.
What is BEC?
Business Email Compromise is an email-based fraud in which a cyber criminal impersonates the CEO of a company, a business partner, or another contact known to the victim and fraudulently requests a payment or wire transfer, either to extract money or to obtain confidential business information of the enterprise.
Employees' enterprise email accounts can be compromised through phishing, credentials exposed in past breaches, and information harvested from employees' social media accounts. A BEC request is sent either from a spoofed address that imitates a trusted contact or from an employee's genuinely compromised mailbox, in which case the account's legitimate email history lends the scam credibility.
Typically the victim believes the email is genuine and proceeds with the transfer. The fraud is only discovered when the legitimate payee reports that the payment intended for them never arrived.
As businesses accelerate their move to digital operations in response to the COVID-19 pandemic, cybercriminals have a growing opportunity to attack and scam more enterprises. Enterprises therefore need to stay vigilant and take precautionary measures to avoid becoming victims.
A new variant of Business Email Compromise
In 2020, the Singapore Police Force (SPF) alerted the general public to a new variant of BEC. According to the SPF, at least 90 reports of this variant had been received since January 2019, with losses of at least S$987,000.
In this variant, victims are instructed to purchase iTunes or Google Play gift cards for supposedly work-related reasons and are then asked to send over the redemption codes.
How can businesses protect their enterprise from Business Email Compromise (BEC) attacks?
SingCERT has laid down the following recommendations that enterprises should adopt to protect themselves from BEC:
For Enterprise Owners
As Business Email Compromise attacks rely heavily on social engineering tactics, enterprise owners are advised to do the following:
Promote a Culture of (Cyber) Vigilance Among Employees
- Regularly share cyber hygiene tips and news on current scam/phishing cases
- Conduct regular phishing drills and remind employees to verify the authenticity of emails, especially those that are suspicious or unsolicited
Implement Additional Verification Process for Finance-related Requests
Implement a secondary confirmation* process to verify the authenticity of finance-related requests, including funds transfers, changes to a supplier's or vendor's bank account, and invoice payments.
*This secondary confirmation should use a different medium (e.g. a phone call to a previously known number, or a text message) so that, if the email account has been compromised, the check does not go straight back to the criminal.
For Enterprise IT Teams
Enterprises can strengthen their IT infrastructure to stop spoofed emails from reaching employees by implementing the following:
Block Malicious or Spoofed Emails
If your enterprise is using Microsoft 365, you can:
1. Enable anti-spoofing protection, anti-phishing policies and email authentication (SPF, DKIM and DMARC) for your domains.
2. Enable the “Report Message” add-in and encourage employees to report any possible phishing email for investigation.
If your enterprise is not using Microsoft 365,
1. Implement filters at the email gateway to drop emails carrying known malware or spam indicators, and block suspicious IP addresses at the firewall.
2. Use free email authentication standards such as Domain-based Message Authentication, Reporting and Conformance (DMARC), which builds on SPF and DKIM and lets receiving mail servers detect emails that spoof your domain.
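To show concretely how DMARC lets a receiver detect a spoofed sender, the Python below is an added example written for this page (it is not code from SingCERT or from any mail vendor). It parses a DMARC TXT record and applies the DMARC verdict logic to a message, given the SPF and DKIM results the receiving server has already computed: a message passes only if SPF or DKIM passes for a domain that is aligned with the visible From: domain. The domains, records and authentication results are constructed, and the organisational-domain check is simplified to the last two labels instead of a Public Suffix List lookup.

```python
"""Added example: DMARC record parsing and verdict evaluation (not the page's
own code).  Records and authentication results below are constructed."""
from dataclasses import dataclass

# Constructed records as they would appear in a _dmarc.<domain> TXT lookup.
EXAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r",
    "weak.example": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; ...' into a dict.  Missing alignment tags default to
    relaxed ('r') and a missing policy to 'none', as RFC 7489 specifies."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels
    (a production implementation consults the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed allows subdomains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResult:
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # envelope (MAIL FROM) domain SPF was evaluated against
    dkim_result: str
    dkim_domain: str   # d= of the verified DKIM signature, if any


def evaluate_dmarc(from_domain: str, auth: AuthResult, record: str) -> tuple:
    """Return (dmarc_result, action).  A pass requires SPF or DKIM to both pass
    and be aligned with the From: domain; otherwise the record's policy applies."""
    tags = parse_dmarc(record)
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, from_domain, tags["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


if __name__ == "__main__":
    # A CEO-impersonation mail: From: example.com, but SPF only passes for the
    # attacker's own sending domain and there is no DKIM signature.
    spoof = AuthResult("pass", "mailer.attacker.invalid", "none", "")
    print(evaluate_dmarc("example.com", spoof, EXAMPLE_RECORDS["example.com"]))   # ('fail', 'reject')
    # Legitimate bulk mail sent via a subdomain: relaxed SPF alignment accepts it.
    legit = AuthResult("pass", "bounce.example.com", "none", "")
    print(evaluate_dmarc("example.com", legit, EXAMPLE_RECORDS["example.com"]))   # ('pass', 'none')
    # Same spoof against a domain whose record is still p=none: fails, but is delivered.
    print(evaluate_dmarc("weak.example", spoof, EXAMPLE_RECORDS["weak.example"])) # ('fail', 'none')
```

The last case is the caveat practitioners trip over: publishing a record with `p=none` only produces aggregate reports; spoofed mail that fails DMARC is still delivered. Start with `p=none` to learn which legitimate sources are unaligned, then move to `p=quarantine` and `p=reject` once the reports are clean.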
Implement Strong Password Policies
- Enforce regular password changes, and require the use of strong passwords
- Enable multi-factor authentication (MFA) where possible for enhanced security, especially for employees with the authority to authorise payments.
Maintain System Hygiene
- Ensure that automatic updates are enabled for the antivirus software, and perform a full scan of the machine(s) in your network regularly.
- Regularly audit user passwords against common password lists using freely available resources and tools.
- Verify and remove any unauthorised/suspicious/dormant user accounts in the system as these could be leveraged to gain access into the system.
- Check for and remove any suspicious email forwarding rules.
- Monitor the authentication logs and investigate multiple unsuccessful login attempts.
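The last two checklist items, suspicious forwarding rules and clusters of failed sign-ins, are the indicators most often left behind when a mailbox has already been taken over for BEC: attackers add rules that copy mail to an outside address or hide replies about invoices, and the takeover itself is frequently preceded by a burst of failed logins. The Python below is an added example written for this page (not code from SingCERT or Microsoft) that triages both. The inbox rules are constructed to resemble Exchange Online inbox-rule properties, the sign-in lines follow an assumed generic format, and the domains and field names are assumptions; the same logic applies to rules or logs exported from any mail platform.

```python
"""Added example, not SingCERT's or the page's own code: triage a mailbox for
two BEC indicators, inbox rules that forward, redirect or hide mail, and
clusters of failed sign-ins.  Field names and log format are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organisation's own domains
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remittance"}
# Folders attackers commonly move mail into so the owner never sees it.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}

# Constructed inbox rules (shape loosely modelled on Get-InboxRule output).
INBOX_RULES = [
    {"Mailbox": "cfo@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ["finance.team@gmail.com"], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": None, "SubjectContainsWords": []},
    {"Mailbox": "cfo@example.com", "Name": "Archive", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "DeleteMessage": True,
     "MoveToFolder": None, "SubjectContainsWords": ["invoice", "payment"]},
    {"Mailbox": "ap@example.com", "Name": "Vendor copies", "Enabled": True,
     "ForwardTo": ["manager@example.com"], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": "Vendors", "SubjectContainsWords": ["PO"]},
]

# Constructed sign-in log: "<ISO time> user=<upn> ip=<addr> result=<success|failure>".
SIGNIN_LOG = """\
2024-03-04T08:00:05 user=cfo@example.com ip=203.0.113.7 result=failure
2024-03-04T08:00:09 user=cfo@example.com ip=203.0.113.7 result=failure
2024-03-04T08:00:14 user=cfo@example.com ip=203.0.113.7 result=failure
2024-03-04T08:00:20 user=cfo@example.com ip=203.0.113.7 result=failure
2024-03-04T08:00:27 user=cfo@example.com ip=203.0.113.7 result=failure
2024-03-04T08:01:02 user=cfo@example.com ip=203.0.113.7 result=success
2024-03-04T08:10:00 user=alice@example.com ip=198.51.100.9 result=failure
2024-03-04T08:10:03 user=bob@example.com ip=198.51.100.9 result=failure
2024-03-04T08:10:06 user=carol@example.com ip=198.51.100.9 result=failure
2024-03-04T08:10:09 user=dave@example.com ip=198.51.100.9 result=failure
2024-03-04T09:15:44 user=alice@example.com ip=192.0.2.10 result=failure
2024-03-04T09:15:58 user=alice@example.com ip=192.0.2.10 result=success
"""


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def suspicious_rules(rules, internal=INTERNAL_DOMAINS):
    """Return (mailbox, rule name, reasons) for rules showing BEC tradecraft."""
    findings = []
    for r in rules:
        if not r.get("Enabled", True):
            continue
        reasons = []
        targets = r.get("ForwardTo", []) + r.get("RedirectTo", []) + r.get("ForwardAsAttachmentTo", [])
        external = [t for t in targets if domain_of(t) not in internal]
        if external:
            reasons.append("forwards mail outside the organisation: " + ", ".join(external))
        hides = r.get("DeleteMessage") or (r.get("MoveToFolder") or "").lower() in HIDING_FOLDERS
        words = [w for w in r.get("SubjectContainsWords", []) if w.lower() in FINANCE_WORDS]
        if hides and words:
            reasons.append("hides finance-related mail matching " + ", ".join(words))
        if not r["Name"].strip(" ._-"):   # attackers often name rules "." or "" to avoid notice
            reasons.append("rule name is blank or punctuation only")
        if reasons:
            findings.append((r["Mailbox"], r["Name"], reasons))
    return findings


def parse_signin(log_text: str):
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({"time": datetime.fromisoformat(ts), **fields})
    return sorted(events, key=lambda e: e["time"])


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users with >= threshold failures inside a sliding window, and whether a
    later success came from an IP that produced the burst (a guessed password)."""
    recent, burst_ips, findings = defaultdict(deque), defaultdict(set), {}
    for e in events:
        user = e["user"]
        if e["result"] == "failure":
            q = recent[user]
            q.append(e["time"])
            while e["time"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                burst_ips[user].add(e["ip"])
                f = findings.setdefault(user, {"failures": 0, "success_after_burst": False})
                f["failures"] = max(f["failures"], len(q))
        elif e["result"] == "success" and e["ip"] in burst_ips[user]:
            findings[user]["success_after_burst"] = True
    return findings


def password_spray_sources(events, min_users=3):
    """IPs whose failures touch many distinct accounts (a spray, not one brute force)."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["result"] == "failure":
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


if __name__ == "__main__":
    for mailbox, name, reasons in suspicious_rules(INBOX_RULES):
        print(f"[rule] {mailbox} '{name}': " + "; ".join(reasons))
    ev = parse_signin(SIGNIN_LOG)
    for user, f in failed_login_bursts(ev).items():
        print(f"[auth] {user}: {f['failures']} failures, success after burst={f['success_after_burst']}")
    for ip, users in password_spray_sources(ev).items():
        print(f"[spray] {ip} failed against {len(users)} accounts: {', '.join(users)}")
```

Two design points carry over to real data. A burst of failures that ends in a success from the same IP is a stronger signal than the failures alone, so it is tracked separately and should be investigated first. The spray check deliberately counts distinct accounts per source IP rather than failures per account, because a password spray tries one or two common passwords against many users and never trips a per-account lockout threshold.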
For Employees
Employees play a key role in thwarting Business Email Compromise attempts.
Inspect suspicious or urgent emails closely
- Phishing emails typically sound urgent and threaten dire consequences if the recipient does not act promptly. Business Email Compromise emails may also ask the recipient to change the designated account for receiving wire payments.
- Seek confirmation through a different medium (e.g. a phone call or text message) before acting on an important instruction received by email. Report any suspicious email to your administrator, and do not click on links or open attachments in it.
The Singapore Police Force also issued the following preventive measures advisory for enterprises:
a. Be mindful of any new or sudden changes in payment instructions and bank accounts. Always verify these instructions by calling the e-mail sender. Previously known phone numbers should be used instead of the numbers provided in the fraudulent email.
b. Educate your employees on this scam, especially those that are responsible for making fund transfers for purposes such as making purchases or managing HR payroll.
c. Prevent your email account from being hacked by using strong passwords, changing them regularly, and enabling Two-Factor Authentication (2FA) where possible. Consider installing free email authentication tools such as Domain-based Message Authentication, Reporting and Conformance, DMARC (dmarc.globalcyberalliance.org), which can help detect fraudulent emails.
d. Install anti-virus, anti-spyware/malware, and firewall on your computer, and keep them updated. You may consider installing free Domain Name System (DNS) protection services such as Quad9 (quad9.net) to protect against such attacks. Lastly, update your Operating System (OS) when new patches are made available.