As an experienced IT professional you are able to instantly spot phishing emails. But, sometimes a message appears in which everything just seems right: the names, contents, and the sender’s writing style. That is characteristic of Business Email Compromise (BEC). In this blog we will take a look at how that works, and how to keep these kinds of attacks out!
Spear-phishing
In ordinary phishing, criminals use a scattergun approach: they will always hit something, although it may not yield much. Business Email Compromise (BEC) is different. For weeks on end, a company is observed. Not only its website is dug into, but its social media and chamber of commerce records as well. Which people are in high positions? And who works in finance? What do they post on Facebook, Twitter and LinkedIn? What is their writing style like? How are the company’s email addresses formatted? With which other companies is business done?
Based on all of this research, the criminals single out a single employee. That is their victim. This victim will subsequently receive an email that looks entirely legitimate, but is not.
Gift cards
Often it’s aimed at someone with a lower position in the organization. An intern at HR, for example. When someone like that receives an email or a message from the CEO him or herself, they won’t question it very quickly. Especially not if the impatience can be felt through the screen. Something has to be handled, right now! The adrenaline starts pumping, and judgement disappears accordingly.
A real-life example: in the past few months, multiple Dutch companies have lost considerable amounts of money on gift cards for the Apple store or Nintendo. It happens as follows: an employee receives an email from the CEO. The CEO says that he wants to reward a team as part of a campaign. The employee needs to purchase the gift cards immediately and send him the codes by text or email.
What the employee does not realize in this hurry is that the sender’s email address is wrong. For example, blokkker.nl. In practice, almost no one notices the three k’s instead of two.
Just moments later, the criminal has the codes. Gift cards can be redeemed anonymously, and in no time that has been done. The company has lost a couple of thousand.
19 million euros
These kinds of actions are probably the efforts of young cybercriminals. But there are also cases in which experienced scammers take home much larger amounts. In the case of Pathé for example: the Dutch branch received an email that appeared to come from the headquarters in France. There was an upcoming merger which was being prepared in all secrecy. That’s why money had to be transferred out of the Netherlands.
Multiple emails and transfers followed. At the end of the story, Pathé had lost no less than 19 million euros!
Mature organizations, with experts in the fields of psychology, hacking and finance are behind such cases. They are the adversaries you need to keep out as someone responsible for IT.
Three kinds
Business Email Compromise comes in three different forms. The first is CEO fraud, such as in the case of the gift cards. Someone in a higher position within the company orders a payment, or requests quick access to sensitive information.
The second form is the ‘fake invoice scam’. An invoice appears to be sent by a known vendor. But what the receiver does not notice is that the bank account number is different.
The last and most dangerous form is the one in which an employee’s account is hacked. The criminals check whether there are any invoices ready to be sent. They then send these themselves, after editing the bank account number. Or they explain in the accompanying email that the IBAN has just been changed.
Sometimes, after a hack, they look even further, in search of information with which they can commit the perfect fraud, one in which everything checks out, even the sender’s address. Or in search of any other information they could monetize later on.
Unreliable
All of this trouble is caused by the same thing: email is unreliable. It originates from a time in which networks were only used by respectable nerds. Nobody thought of security measures.
Ever since, multiple attempts have been made to retrofit security, but that has never really succeeded. As a result we are flooded with spam and phishing emails on a daily basis, sometimes even supposedly sent by you yourself.
Tips
What can you do to ensure that Business Email Compromise won’t hit your company? Below, we provide nine tips. Some concern technology, but working safely is still mostly a matter of procedures.
1. Spelling check
Computers are much better at detecting deviations in the spelling of addresses than humans are. Microsoft 365 can often warn people when domain names are incorrect.
2. DMARC
This is a validation system which checks whether an email was actually sent on behalf of the domain shown in the sender address, and tells the receiving mail server what to do when it was not.
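The check DMARC performs is easy to misunderstand: it is not enough that some SPF or DKIM check passed, the domain that passed must also align with the visible From domain, and the record’s policy tag decides what happens otherwise. The following is an added example, not code from the original post, that models that alignment logic (RFC 7489) on constructed inputs. The record text, the From domain and the SPF/DKIM results are all passed in, so nothing is looked up on the network; the organisational-domain helper is a deliberate simplification of the Public Suffix List lookup a real implementation uses.

```python
"""Evaluate a message against a domain's DMARC record.

Added example, not code from the original post. It models the alignment
logic of DMARC (RFC 7489) on constructed inputs: the record text, the
header From domain, and the results of the SPF and DKIM checks are all
passed in, so nothing is looked up on the network.
"""
from typing import Dict, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")     # policy defaults to monitoring only
    tags.setdefault("adkim", "r")    # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Rough organisational domain: the last two labels.

    Simplification for this example; real implementations consult the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Does the authenticated domain align with the From domain?"""
    if not auth_domain:
        return False
    if mode == "s":   # strict: exact match required
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, from_domain: str,
                      spf_domain: Optional[str], spf_pass: bool,
                      dkim_domain: Optional[str], dkim_pass: bool) -> str:
    """Return 'pass' or the policy action ('none'/'quarantine'/'reject').

    DMARC passes if either SPF or DKIM passed *and* the domain that passed
    aligns with the visible From domain. A passing SPF for an unrelated
    domain (the usual spoofing setup) does not count.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]
```

Note that a record with `p=none` only reports: the spoofed message is still delivered. Moving to `p=quarantine` and then `p=reject` is what actually keeps forged mail out.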
3. Combat spoofing
Usually criminals make use of domain names that are very similar to yours. So, register such names yourself. In this way you will also prevent other types of cybercrime.
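Tips 1 and 3 are two sides of the same problem: the three-k address from the gift card story is exactly the kind of variant a computer catches reliably and a hurried employee does not, and it is also the kind of name worth registering yourself. The following is an added example, not code from the original post, that generates lookalike variants of a trusted domain (doubled letters, dropped letters, swapped neighbours, and a small ASCII homoglyph table, all this example’s own choices) and uses the same set to classify the domain of an incoming sender address. The trusted list and the addresses are constructed sample data.

```python
"""Generate and detect lookalike variants of a trusted sender domain.

Added example; not part of the original blog post. The variant rules
(doubled letters, dropped letters, swapped neighbours, a small ASCII
homoglyph table) are this example's own choice, not an exhaustive list.
"""
from typing import Dict, Optional, Set, Tuple

# Character swaps that look alike in many fonts (this example's own table).
HOMOGLYPHS: Dict[str, Tuple[str, ...]] = {
    "l": ("1", "i"),
    "i": ("l", "1"),
    "o": ("0",),
    "0": ("o",),
    "m": ("rn",),
    "rn": ("m",),
    "w": ("vv",),
    "vv": ("w",),
}


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'blokker.nl' into ('blokker', 'nl'); the TLD is kept as-is."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def lookalike_variants(domain: str) -> Set[str]:
    """Return domains that could be registered to impersonate `domain`.

    Covers: one letter doubled (blokker -> blokkker), one letter dropped
    (bloker), two neighbouring letters swapped (blokkre), and homoglyph
    substitutions (b1okker, bl0kker). The original domain is excluded.
    """
    label, tld = split_domain(domain)
    variants: Set[str] = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + ch + label[i:])          # doubled letter
        variants.add(label[:i] + label[i + 1:])           # dropped letter
        if i + 1 < len(label):                            # swapped neighbours
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])
    for src, alts in HOMOGLYPHS.items():                  # homoglyph swaps
        start = label.find(src)
        while start != -1:
            for alt in alts:
                variants.add(label[:start] + alt + label[start + len(src):])
            start = label.find(src, start + 1)
    variants.discard(label)
    return {f"{v}.{tld}" for v in variants if v}


def classify_sender(address: str, trusted_domains: Set[str]) -> Tuple[str, Optional[str]]:
    """Classify the domain part of a sender address.

    Returns ('trusted', domain) for an exact match, ('lookalike', trusted)
    when the sender domain is a generated variant of a trusted domain, and
    ('unknown', None) otherwise. Unknown is not the same as safe; it just
    means the address does not imitate one of your own or your vendors'.
    """
    sender_domain = address.rsplit("@", 1)[-1].lower()
    if sender_domain in trusted_domains:
        return "trusted", sender_domain
    for trusted in trusted_domains:
        if sender_domain in lookalike_variants(trusted):
            return "lookalike", trusted
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample: the post's three-k example against a trusted list.
    trusted = {"blokker.nl"}
    for addr in ("ceo@blokker.nl", "ceo@blokkker.nl", "sales@example.com"):
        print(addr, "->", classify_sender(addr, trusted))
    # The same set, applied to your own domain, is a registration shortlist.
    print(sorted(lookalike_variants("blokker.nl")))
```

Run over your own domain, `lookalike_variants` gives the shortlist of names to register or at least monitor; run against the vendor domains in your address book, `classify_sender` flags the one-letter-off addresses that the Microsoft 365 warnings in tip 1 are meant to catch.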
4. Safe alternatives
There are mailing systems which are inherently safe. They make use of portals through which receivers can collect encrypted messages with a password.
5. Training
Every employee that makes use of email needs to be trained in recognizing phishing and BEC, and needs to know what to do when something strange comes in, such as calling the ‘sender’ to check whether everything is right. That too is a matter of training! Not just once, but frequently and with a certain regularity. Not just to keep everyone’s skills sharp, but also because criminals are constantly coming up with new tricks.
6. Four eyes
BEC has less chance of succeeding if two people check an invoice: one registers it, and another releases the transfer. In the financial sector this is commonplace.
7. Limited rights and permissions
Create clear rules on who can do what. E.g. gift cards can only be purchased by the head of HR. Banking software usually allows rights to be limited per employee.
8. Reliable numbers
Enter all vendors’ bank account numbers in a directory. Only those numbers may be used to transfer money, never the numbers on received invoices.
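Tips 6 and 8 together describe a payment workflow with two hard rules: the payee IBAN must be the one registered in the vendor directory, not the one printed on the invoice, and the person who registers a payment may not be the one who releases it. The following is an added example, not the original post’s code, that models that workflow; the IBAN checksum is the standard ISO 13616 mod-97 check, and the vendor, users and IBANs are constructed sample data.

```python
"""Two-person release of a vendor payment against a registered IBAN directory.

Added example, not code from the original post. The payee IBAN must match
the one registered in the vendor directory, the IBAN must pass the ISO
13616 mod-97 checksum, and registering and releasing a payment must be
done by two different people. Vendor and IBAN values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map
    letters to numbers (A=10 .. Z=35) and require the result mod 97 == 1."""
    compact = iban.replace(" ", "").upper()
    if len(compact) < 15 or not compact.isalnum():
        return False
    rearranged = compact[4:] + compact[:4]
    digits = "".join(str(int(c, 36)) for c in rearranged)
    return int(digits) % 97 == 1


@dataclass
class Payment:
    vendor: str
    iban: str                      # as taken from the invoice; must be checked
    amount_cents: int
    registered_by: str
    released_by: Optional[str] = None
    status: str = "registered"


@dataclass
class PaymentDesk:
    # Vendor name -> IBAN, entered once and out of band by the finance team.
    directory: Dict[str, str]
    log: List[str] = field(default_factory=list)

    def register(self, vendor: str, iban: str, amount_cents: int, user: str) -> Payment:
        """Step one: a clerk registers the invoice. Mismatches are refused here."""
        payment = Payment(vendor, iban.replace(" ", "").upper(), amount_cents, user)
        registered = self.directory.get(vendor)
        if registered is None:
            payment.status = "rejected: unknown vendor"
        elif not iban_is_valid(payment.iban):
            payment.status = "rejected: malformed IBAN"
        elif payment.iban != registered.replace(" ", "").upper():
            # The classic BEC signal: a known vendor with a changed account number.
            payment.status = "rejected: IBAN differs from directory"
        self.log.append(f"{user} registered {vendor} {amount_cents} -> {payment.status}")
        return payment

    def release(self, payment: Payment, user: str) -> Payment:
        """Step two: a different person releases the transfer (four eyes).

        A rejected payment stays rejected, and the registering clerk cannot
        release their own entry; the payment simply stays 'registered'.
        """
        if payment.status != "registered":
            self.log.append(f"{user} release refused: {payment.status}")
        elif user == payment.registered_by:
            self.log.append(f"{user} release refused: second approver required")
        else:
            payment.released_by = user
            payment.status = "released"
            self.log.append(f"{user} released {payment.vendor} {payment.amount_cents}")
        return payment
```

The directory lookup is the control that defeats the fake invoice scam from the ‘Three kinds’ section: a known vendor name with a different account number is rejected at registration, before a second person is even asked to look at it. Changes to the directory itself should go through the same two-person rule and a call-back to the vendor on a number you already have.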
9. Security protocol
Every BEC attack is an attempt to bypass the procedures. Thus, there needs to be a system for deviating situations! Such as an internal hotline or contact point, staffed by people who are not afraid to ask questions and dig deep.
As phishing attacks are becoming more and more advanced, it is increasingly important to prepare people. By doing so, a lot of harm can be prevented.