What is the full form of BEC

Tips to Avoid BEC Attacks

Business Email Compromise (BEC) scams are technically simple attacks that exploit weaknesses in human nature through social engineering, that is, the manipulation of people.

While the subject has not received as much media attention as spectacular ransomware attacks, BEC fraud is considered one of the biggest threats facing businesses today. According to FBI figures, there were 32,367 BEC fraud cases in the United States alone between June 2016 and July 2019, costing companies over $3.5 billion.

Fortunately, there are some simple but powerful strategies you can use to ward off BEC attacks. In this article, we'll show you how you can use a combination of employee training, process implementation, and authentication technologies to protect your business.

What is Business Email Compromise?

BEC attacks are targeted scams aimed at companies, and at the people within them, who make payments by bank transfer.

Sequence of a BEC attack (courtesy of the FBI)

Unlike traditional email scams that are sent to thousands or millions of users, these attacks are extremely thorough and targeted.

In a typical BEC fraud, an attacker first gains access to an executive's email account, using phishing, a malware infection, stolen passwords or password brute-forcing. The attacker then reads along with the victim's correspondence to build up a thorough picture of the company's routines, procedures and processes.

Once this reconnaissance is complete, the attacker sends an urgent-sounding email to the target, asking the recipient to carry out a large payment.

What makes the scam persuasive is that the email arrives through a legitimate communication channel and appears to come from a known and trusted contact. The target often feels compelled to act on the request as quickly as possible and without asking questions, because it apparently comes directly from their boss or another superior.

The motive is, of course, primarily money. The victim believes they are making a routine transfer but in fact sends the large sum straight to the scammers' account.

In other cases, the attackers use these BEC scams to steal personal data that they then use for later attacks or sell on the black market.

Business email compromise versus spear phishing and whaling

There are some similarities between BEC scams, spear phishing and whaling. All three are email fraud attempts that use social engineering to steal money and confidential information from a specific target.

However, the methods differ slightly. Spear phishing and whaling attack the victim directly with phishing emails, whereas BEC fraud relies on gaining access to an email account the target trusts, impersonating that known business contact and exploiting the trust the target already places in them.

The worst BEC cases in 2019

1. Tecnimont SpA

Tecnimont SpA, an international industrial group headquartered in Milan, announced in January that it had fallen victim to one of the biggest BEC deceptions in history. The attackers pretended to be CEO Pierroberto Folgiero and sent a series of emails to the managing director of the Indian subsidiary Tecnimont Pvt Ltd to organize conference calls for a secret business venture in China.

During the bogus calls, the fraudsters introduced themselves as various stakeholders, including Folgiero, a lawyer from Switzerland and other executives. The criminals were ultimately able to convince the managing director of Tecnimont Pvt Ltd to transfer USD 18.6 million from India to banks in Hong Kong. The money was withdrawn almost immediately.

2. Cabarrus County

In July, Cabarrus County, North Carolina, admitted it had been defrauded of more than $2.5 million.

In November 2018, the county's finance department received emails appearing to be from Branch and Associates, a company tasked with building the new West Cabarrus High School.

The emails asked, among other things, for Branch and Associates' account information to be updated. Because the employees were presented with what looked like all the valid documents and authorizations needed for such a change, they complied. Subsequent payments from the school project to the company ended up in the fraudsters' account, from which the money was quickly moved on through other accounts.

The bank was able to freeze and recover $776,518 of the $2,504,601 paid out, leaving the county to pay the real Branch and Associates $1.7 million.

3. Toyota Boshoku Corporation

In August, the European subsidiary of Toyota Boshoku Corporation, a major supplier to Japanese vehicle manufacturer Toyota, fell victim to a costly BEC fraud.

Attackers persuaded an employee with financial decision-making authority to change the bank account details for a transfer. As a result, the company sent more than $37 million directly to the criminals.

After Toyota Boshoku learned it had been the victim of a fraud, the company quickly assembled a team to get the money back. It also announced that it may have to adjust its earnings forecast for March 2020 should it fail to raise the funds.

How to avoid BEC attacks

The best strategy to avoid BEC fraud is to take a layered approach with various controls and cross-checks. Three key points come into play here: employee training, company policy and email authentication.

Training

A company's employees are the first and most important line of defense against BEC attacks. Teaching staff the warning signs of fraud significantly reduces the risk of falling for it.

While BEC attacks often target executives and employees with financial authority, they can be aimed at any level of a company. It is therefore essential that all employees receive regular training in how to identify and respond to BEC attempts.

Prevent attackers from accessing corporate email accounts

For a BEC fraud, the attackers first have to get into, or convincingly imitate, a company email account. Preventing such attacks therefore starts with denying them this initial foothold.

Here are some common methods attackers use to take over or impersonate work email accounts:

Domain spoofing

One method used in BEC attacks and other phishing scams is domain spoofing, the forging of the domain in the sender address so that the email appears to come from someone else. It is surprisingly easy: all it takes is an SMTP server and mail-sending software that lets the attacker set an arbitrary From header, because SMTP itself does not verify the sender address. Attackers use domain spoofing, for example, to lure employees to a fake login page and capture their email credentials, which then give the attackers access to the real accounts.

To spot domain spoofing, view the raw headers of the email (the "source" or "show original" view in most mail clients) and compare the Reply-To and Return-Path addresses with the From address. If they point to a different domain than the visible sender, the message may be a phishing or BEC attempt. If your mail server performs SPF, DKIM and DMARC checks, its Authentication-Results header also shows whether the message passed them.

Display name spoofing

Attackers also often use display name spoofing to impersonate someone within the targeted company. All they need is a free email account whose display name they set to that of a familiar business contact, such as a senior manager. They are betting that the recipient will look only at the displayed name and not at the address behind it. Trusting the name, the victim complies with the request, gets drawn into a conversation or opens a malicious attachment.

Unfortunately, authentication technologies such as SPF, DKIM and DMARC do not help against display name spoofing, because they verify the sending domain, not the free-text name in front of the address (more on this later). The simplest countermeasure is to teach staff never to rely on the display name alone but to check the sender's actual email address, and, where possible, to configure mail clients to show the full address.
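The header checks described in the two sections above (Reply-To and Return-Path against From, a trusted display name on a foreign address, and look-alike domains) can be automated. The following script is an added example written for this page, not code from the original article; the contact directory, trusted domains and the raw message are constructed for the demonstration, and the look-alike test is a deliberately crude confusable-character comparison.

```python
import email
from email.utils import parseaddr

# Constructed directory of known contacts and the company's own domains
# (assumptions for this example, not data from the article).
KNOWN_CONTACTS = {"jane doe": "jane.doe@example.com"}
TRUSTED_DOMAINS = {"example.com", "supplier.example"}

# Constructed raw message combining the tricks described above: a trusted
# display name on a free-mail address, a Reply-To on a look-alike domain and
# an envelope sender (Return-Path) unrelated to the From address.
SAMPLE_RAW = """\
Return-Path: <bounce-7f3a@mailer.example.net>
From: "Jane Doe" <jane.doe.ceo@freemail.example>
Reply-To: jane.doe@examp1e.com
To: cfo@example.com
Subject: Urgent wire - confidential
Content-Type: text/plain; charset=utf-8

Please process the wire today and do not discuss it with anyone.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def looks_alike(candidate: str, trusted: str) -> bool:
    """Crude look-alike test: the domains differ, but become equal once
    common confusables are mapped (1->l, 0->o, |->l, rn->m, vv->w)."""
    if candidate == trusted:
        return False
    table = str.maketrans({"1": "l", "0": "o", "|": "l"})

    def norm(d: str) -> str:
        return d.translate(table).replace("rn", "m").replace("vv", "w")

    return norm(candidate) == norm(trusted)


def analyze(raw: str, contacts=KNOWN_CONTACTS, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of finding codes for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    findings = []

    # 1. Display-name spoofing: a known name sitting on an unknown address.
    expected = contacts.get(name.strip().lower())
    if expected and expected.lower() != from_addr.lower():
        findings.append("display-name-mismatch")

    # 2. Reply-To steering replies to a domain other than the From domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")

    # 3. Envelope sender (Return-Path) on a different domain than From.
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    if rp_addr and domain_of(rp_addr) != from_dom:
        findings.append("return-path-mismatch")

    # 4. Look-alike domains in From or Reply-To.
    for dom in {from_dom, domain_of(reply_addr)}:
        if any(looks_alike(dom, t) for t in trusted):
            findings.append(f"lookalike-domain:{dom}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RAW):
        print("WARNING:", finding)
```

A mismatch on any of these checks is a signal for a human to look closer, not proof of fraud: mailing-list software and ticketing systems legitimately set Reply-To and Return-Path to other domains, so such a script belongs in a triage workflow rather than in an automatic block rule.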

Phishing attacks

Traditional phishing is also widely used to take over email accounts. Employees should therefore be particularly wary of emails worded with great urgency: phishing emails are deliberately written to apply psychological pressure so that the recipient acts immediately. According to KnowBe4, a security awareness training company, the following subject lines were the most clicked in phishing emails in the second quarter of 2019:

  • Immediate verification of password required
  • [[E-Mail]] will be disabled
  • Urgent communication to all employees
  • You have a new voice message
  • Back up your emails

How to recognize that an attacker has gained access to a work email account

While the measures above reduce the risk of an account being compromised, no preventive control is 100 percent effective. Employees should therefore remain alert to signs of attempted fraud.

Here are some of the most common signs of a BEC attack:

Unusual emails from executives

Fraudsters often pose as someone in a senior position in order to put psychological pressure on the victim. Encourage staff to pay close attention to who an email comes from and whether the request is unusual.

For example, staff should become suspicious if the finance manager asks for access to a restricted part of the network, or a manager requests an urgent transfer that bypasses the usual procedures.

Spelling and grammatical errors

Spelling and grammar errors should also set off alarm bells. Although attackers spend a lot of time studying their victims' communication habits, they still make mistakes. A typo is not in itself evidence of a BEC scam, but it should at least raise suspicion, especially in a message about an important matter.

Requests to circumvent certain regulations

Most companies have strict rules for making payments or disclosing confidential information. Employees should therefore be wary of emails that ask them to circumvent these rules, regardless of the sender's role in the company.

Control processes

BEC fraud exploits weaknesses in human nature. By establishing a solid communication policy with multiple controls and reviews, you can compensate for these weaknesses and ensure better protection for the company.

Employees at all levels of the company - especially managers and employees in the HR or finance department - must know and comply with clear regulations regarding financial transactions and important e-mail inquiries.

Here are some good security practices:

Activate 2FA for all email accounts

With two-factor authentication (2FA), users must supply a second piece of evidence in addition to their password, for example a one-time code generated by an authenticator app or a hardware token. Protecting business email with 2FA makes it much harder for attackers to turn a stolen password into access to an employee's mailbox, and therefore to mount the account-takeover variant of BEC.

Unfortunately, 2FA is not a perfect solution: attackers have obtained one-time codes through SIM swapping (taking over the victim's phone number), malware and social engineering, and a phishing page that relays the victim's code to the real login in real time defeats SMS and app-based codes as well, because the code is valid for anyone who presents it within its time window. Phishing-resistant methods such as FIDO2/WebAuthn security keys, which bind the login to the genuine site, close this gap. Even ordinary 2FA, however, is enough to stop the less sophisticated BEC attempts.

Minimal financial authorizations

The more employees in a company are authorized to make transfers, the greater the attack surface for the fraudsters and the greater the risk that at some point funds will inadvertently be paid out to the wrong people.

Therefore, companies should keep the number of employees authorized to make transfers as low as possible. In addition, the authorized persons must know and comply with the company processes and be able to recognize signs of BEC fraud.

Cross-check payment requests

Companies should set up a two-step verification process for all transfer requests. For payments above a defined threshold, additional controls can be required, for example approval by a second person (the four-eyes principle).

Since BEC attacks usually involve a compromised or imitated email account, the check must take place over a different communication channel, for example by telephone.

Ideally, these channels and contact details are agreed early in the business relationship and exchanged outside of email, so that they cannot be compromised or intercepted.

Confirm requests to change payment details

In many BEC attacks the victim is persuaded to replace an existing business contact's bank details with the attacker's. Businesses should therefore require confirmation of every request to change payment information, using a telephone number that was verified and recorded earlier in the business relationship. Telephone numbers given in the request itself may be under the attacker's control and are not suitable for this cross-check.

Technology

There are a number of authentication mechanisms for verifying the authenticity of an email. A combination of these mechanisms provides the best protection against BEC fraud.

Sender Policy Framework

Sender Policy Framework (SPF) is an email authentication standard for detecting forged sender addresses during delivery. SPF complements SMTP (the protocol used to transfer email, which itself does not verify sender addresses) and is an important layer of protection against BEC and phishing attacks.

With SPF, a domain owner publishes in DNS which servers are allowed to send email on behalf of the domain. The receiving mail server can then check, at delivery time, whether the connecting server is authorized for the sender domain of the incoming message. If it is not, the receiving server can reject the message or flag it, depending on whether the record ends in a hard fail (-all) or a soft fail (~all).

It should be noted, however, that SPF has some significant limitations, which means it does not provide complete protection against BEC fraud. The reason lies in which sender address SPF actually verifies.

An email carries two sender addresses:

  1. Envelope-From (envelope sender, also called Return-Path): the address given in the SMTP MAIL FROM command, to which bounces and error messages are sent.
  2. Header-From: the address in the message's From header, which the email client displays as the sender.

SPF is evaluated only against the envelope sender (or the HELO host name if the envelope sender is empty). The From header is never checked, yet this is the address that BEC attacks typically spoof, because it is the one the recipient sees.

For more information on SPF, see this Wikipedia article.
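The following SPF evaluator is an added example (not from the article) that shows the envelope-versus-header gap in running code. It implements the ip4, ip6, include and all mechanisms of RFC 7208 against an in-memory stand-in for DNS; the records, domains and IP addresses are invented for the demonstration, and the a, mx, ptr and exists mechanisms are deliberately left out.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. These records and domains are
# invented for the example; a real checker queries DNS for each domain.
DNS_TXT = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 -all",
    "attacker.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the ip4, ip6, include and all mechanisms of the SPF record
    published for `domain` against the connecting client's IP address.
    Returns one of the RFC 7208 result strings."""
    if depth > 10:                       # RFC 7208 limits include recursion
        return "permerror"
    record = DNS_TXT.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    client = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            try:
                # An IPv4 client never matches an ip6 network and vice versa.
                matched = client in ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
        elif mechanism == "include":
            matched = check_spf(client_ip, argument, depth + 1) == "pass"
        elif mechanism == "all":
            matched = True
        else:
            return "permerror"           # a, mx, ptr, exists: not implemented here
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"                     # nothing matched and no 'all' term


def spf_for_message(client_ip: str, mail_from: str, header_from: str) -> dict:
    """SPF is evaluated against the SMTP MAIL FROM domain only. The header
    From is carried through untouched to show that SPF never looks at it."""
    spf_domain = mail_from.rpartition("@")[2]
    return {
        "spf_domain": spf_domain,
        "spf": check_spf(client_ip, spf_domain),
        "header_from_domain": header_from.rpartition("@")[2],
    }


if __name__ == "__main__":
    # The attacker's server (192.0.2.7) uses its own domain in MAIL FROM but
    # puts the victim's CEO in the From header: SPF passes, and the sender the
    # recipient sees is still forged. Tying the two together is DMARC's job.
    print(spf_for_message("192.0.2.7", "bounce@attacker.example", "ceo@example.com"))
    # The same server forging the envelope sender as well is caught by SPF.
    print(spf_for_message("192.0.2.7", "ceo@example.com", "ceo@example.com"))
```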

DomainKeys Identified Mail

DomainKeys Identified Mail (DKIM) is another form of email authentication. Like SPF, DKIM lets the recipient check whether an email was authorized by the domain owner, but it does so with a digital signature: the sending server signs outgoing messages with a private key, and the matching public key is published in DNS under a selector chosen by the domain owner.

The recipient's system can then verify the signature. A valid signature proves that the signed headers and body were not altered in transit and that the domain named in the signature's d= tag vouched for the message. A missing or invalid signature does not by itself prove a forgery, but it means the message cannot be trusted on that basis.

Unlike SPF, DKIM does not look at the SMTP envelope at all, so it says nothing about the envelope sender. Instead, the signature covers the message body and a list of headers that must include the From header, which, as mentioned above, is the address BEC and phishing scams typically spoof. Note that DKIM on its own only proves which domain signed the message; it does not require that domain to match the From domain. Tying the two together is the job of DMARC.

Domain-based Message Authentication Reporting and Conformance

Domain-based Message Authentication Reporting and Conformance (DMARC) is one of the most effective methods in the fight against BEC and phishing attacks.

The protocol builds on SPF and DKIM. A domain owner publishes a DMARC policy as a DNS TXT record at _dmarc.<domain>, stating that messages using the domain in the From header must pass SPF or DKIM with an identifier that aligns with that From domain (the envelope-sender domain for SPF, the d= domain for DKIM), and what receivers should do with a message that fails (p=none to monitor only, p=quarantine, or p=reject). The record can also ask receivers to send aggregate (rua) and forensic (ruf) reports, which are useful for monitoring email traffic and spotting abuse of the domain.
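The alignment rule is what closes the gap left by SPF and DKIM individually. The evaluator below is an added example (not from the article): it takes the SPF and DKIM results as inputs, parses a DMARC record, applies strict or relaxed identifier alignment and returns the disposition. The policy and cases are constructed for the demonstration, and the organizational-domain function is a deliberate simplification (last two labels) of what real receivers do with the Public Suffix List.

```python
def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record, the syntax DMARC uses."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment. Assumption: the last
    two labels; real receivers consult the Public Suffix List so that
    names such as example.co.uk are handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed, the default) accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record: str, header_from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> tuple:
    """Return (dmarc_result, disposition).

    spf_result/spf_domain come from the SPF check of the MAIL FROM domain,
    dkim_result/dkim_domain from the verified signature's d= tag. DMARC
    passes when at least one of them passed AND aligns with the From domain.
    """
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ("none", "none")          # no usable policy published
    spf_ok = spf_result == "pass" and aligned(
        spf_domain, header_from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(
        dkim_domain, header_from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    policy = tags.get("p", "none")
    if policy not in ("none", "quarantine", "reject"):
        return ("fail", "none")
    # pct=<n> asks receivers to apply the policy to only n% of failing mail;
    # it is ignored here (treated as 100) to keep the result deterministic.
    return ("fail", policy)


# Constructed policy for the victim domain (an assumption, not a real record).
EXAMPLE_POLICY = "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc-reports@example.com"

# (header From domain, SPF result, SPF domain, DKIM result, DKIM d= domain)
CASES = {
    # Attacker's own MAIL FROM domain passes SPF but is not aligned with the
    # spoofed From: example.com, so DMARC fails and the policy says reject.
    "spoofed_from": ("example.com", "pass", "attacker.example", "none", ""),
    # Genuine mail via a relay whose SPF fails but that signs with d=example.com.
    "legit_dkim": ("example.com", "fail", "bulk.mailhost.example", "pass", "example.com"),
    # Genuine mail with MAIL FROM on a subdomain: relaxed SPF alignment passes.
    "legit_spf_subdomain": ("example.com", "pass", "bounce.example.com", "none", ""),
    # Signed by a subdomain while adkim=s: strict alignment rejects it.
    "strict_dkim_subdomain": ("example.com", "fail", "mailer.example.net", "pass", "news.example.com"),
}


def run_cases(policy: str = EXAMPLE_POLICY) -> dict:
    return {name: evaluate_dmarc(policy, *args) for name, args in CASES.items()}


if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name:24s} -> {verdict}")
```

The first case is exactly the message that sailed through SPF in the previous example; with DMARC published at p=reject the receiver now discards it, while the genuine subdomain and relay cases still pass. Start with p=none and read the aggregate reports before moving to quarantine or reject, otherwise legitimate senders that were never listed in SPF or configured for DKIM will be blocked.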

Despite the advantages of DMARC, only a minority of companies have deployed it so far. According to figures from the email security and analytics company 250ok, only 2 in 10 companies (20.3 percent) used DMARC in 2019.

Conclusion

BEC attacks are one of the biggest cybersecurity risks businesses face today. Since they can be carried out even with minimal technical means, a forward-looking security strategy is more important for protection than the use of state-of-the-art technologies. Train your employees to be vigilant, put in place rules and processes for transfers, and use email authentication methods. In this way, regardless of the size of your business, you can minimize the risk of falling victim to BEC fraud.

 

Translation: Doreen Schäfer