JRB - Fotolia
The July edition of Beazley Breach Insights found that business email compromise has been rising steadily. What is behind this trend? Is business email compromise more of a social engineering problem or a technical problem?
Business email compromise (BEC) is a scam that relies heavily on social engineering techniques to trick its victims into transferring money or goods to accounts owned by those behind the scam. The Beazley Breach Insights report is not the only report that reveals how prevalent this type of attack is becoming. Research conducted by Agari Data Inc. estimated that 96% of organizations were targeted by BEC attacks in the second half of 2017.
A BEC attack is preceded by detailed research by the perpetrators into their intended victims. Details such as the names and titles of company officers, work schedules and the organizational structure, as well as details of products or services are collected from the company's website, internet searches and social media sites. This information is then used to craft very realistic email messages that appear to originate from a senior executive or legitimate partner requesting the recipient to make a payment or ship goods. The email may also be followed up with a phone call.
According to the FBI's 2017 Internet Crime Report, there are five types of BEC: bogus invoice scheme, CEO fraud or whaling, account compromise, attorney impersonation and data theft. The report said that BEC and email account compromise cost more than $676 million in 2017. There were 15,690 victims ranging from small businesses to large corporations, with no one sector appearing to be a favored target.
One reason BEC has become so popular among cybercriminals is that, unlike phishing attacks in the past, it's a simple attack that doesn't require the use of a malicious payload or URL. Most employees have learned not to click on suspicious links, but BEC attacks rely instead on socially engineering the recipient into performing a task that will profit the attacker in some way: a money transfer, sharing sensitive information or a credential reset, for example. If the latter allows the attacker to compromise an internal account, they can use it to spear phish others within the organization or third parties. The internal email account makes their fraudulent email messages appear even more legitimate.
To combat BEC attacks, organizations need to step up their security awareness training to ensure employees know that they are potential targets and how to recognize a possible BEC attack. Posting detailed personal information on social media sites plays into the hands of those looking to personalize their social engineering scams so employees should be warned of the dangers. Job descriptions, organizational charts and other details that could be used to facilitate targeted phishing scams should be removed from company websites as well.
Policy should state that the sender's email address be cross-referenced whenever an email contains a sensitive request, while email gateways should be configured to flag keywords that are common in fraudulent email like "payment," "urgent," "sensitive" and "secret." The Beazley report found that organizations using Office 365 were most susceptible to BEC attacks, which may be down to attackers exploiting PowerShell to log into Office 365 accounts. Disabling unnecessary third-party applications from accessing Office 365 along with two-factor authentication can help reduce this particular risk.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)