BEC is still a $1.8 BILLION Problem

Written By: Triden Group’s Sr. Security Principal

There has been no shortage of cybercriminal activity throughout 2020 and 2021. With groundbreaking attacks such as the supply-chain compromise of SolarWinds Orion and the zero-day vulnerabilities that led to critical exploitation chains in Microsoft Exchange Server, security has never been a bigger business issue. While the impact of these compromises has yet to be determined, other, more familiar threats have been expanding in reach and sophistication. According to the 2020 Internet Crime Report published by the FBI, an estimated $4.2 billion in losses related to internet crime was reported, up $700 million from 2019. A total of 791,790 complaints were filed, 231,342 of them related to phishing. COVID-19 played a role in expanding the potential attack surface, with over 28,500 cybercrime complaints specifically related to the pandemic.

It is worth noting that business e-mail compromise and e-mail account compromise accounted for more than 40% of the total financial loss: the IC3 received 19,369 Business Email Compromise (BEC) / Email Account Compromise (EAC) complaints with adjusted losses of over $1.8 billion. This does not include the total losses from other social engineering-related techniques or losses from technical malware or ransomware attacks. With losses this substantial in one category, understanding and implementing policies and procedures to avoid these attacks is an undertaking any leading organization should prioritize moving into 2021.

BEC and EAC are sophisticated scams targeting both businesses and individuals with authorization to transfer funds. The scam is carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to ultimately perform unauthorized fund transfers. Preventative techniques for this type of attack range from technical controls to user awareness training that educates users and thereby limits the risk and impact of these attacks.


BEC and EAC Protection Tips

Organizations should train users to recognize common spoofing techniques such as domain name spoofing, display name spoofing, and typosquatting. Domain name spoofing is a technique that involves spoofing the sender’s “Mail From” to match the recipient’s domain. This can circumvent email banners indicating external origin. Alternatively, the attacker may leave the other headers legitimate and spoof only the Reply-To field. Display name spoofing involves registering a free email account whose display name is that of a CEO or executive from within the organization. This is often successful because recipients may look only at the display name and not at the email address. Typosquatting is a technique that involves registering domains that contain characters resembling those of the legitimate domain, for example Microsoft.com versus Mlcrosoft.com (a lowercase L in place of the i). A rushed or unsuspecting user may easily miss this subtle variation.
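The three patterns above can also be checked mechanically at the mail gateway or in a SOC triage script. The following is an added example, not code from the original post or from Triden Group: it parses a raw message's headers and flags an internal-domain sender that did not authenticate, a Reply-To that points somewhere other than the From domain, an executive's display name on an outside address, and a lookalike domain. `INTERNAL_DOMAIN`, `EXECUTIVE_NAMES`, the confusable-character table and the sample messages are all constructed assumptions for the illustration.

```python
"""Header-based triage for domain spoofing, display-name spoofing and typosquatting.
Added example; the domain, executive list and sample messages are constructed."""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"      # assumed: the protected organization's domain
EXECUTIVE_NAMES = {"jane doe"}       # assumed: display names attackers would impersonate

# Visually confusable substitutions, applied in order (multi-character pairs first).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"), ("5", "s"), ("3", "e")]


def skeleton(domain: str) -> str:
    """Reduce a domain to a 'skeleton' so that visually similar domains compare equal."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))  # drop accents
    for src, dst in CONFUSABLES:
        text = text.replace(src, dst)
    return text


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw_message: str) -> list:
    """Return a list of finding labels for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    auth = msg.get("Authentication-Results", "").lower()
    authenticated = "spf=pass" in auth or "dkim=pass" in auth

    # Domain name spoofing: From claims our own domain but nothing authenticated it,
    # which is exactly the case an "external sender" banner would miss.
    if from_domain == INTERNAL_DOMAIN and not authenticated:
        findings.append("internal-domain-spoof")

    # Reply-To redirected away from the From domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")

    # Display name spoofing: an executive's name on an address outside our domain.
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain != INTERNAL_DOMAIN:
        findings.append("display-name-spoof")

    # Typosquatting: a different domain whose skeleton collapses onto ours.
    if from_domain != INTERNAL_DOMAIN and skeleton(from_domain) == skeleton(INTERNAL_DOMAIN):
        findings.append("lookalike-domain")
    return findings


# Constructed sample messages (headers only; bodies are irrelevant to the checks).
SAMPLES = {
    "spoofed_internal": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "Reply-To: jane.doe.ceo@freemail.example\n"
        "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none\n"
        "Subject: Urgent wire\n\nPlease process today.\n"
    ),
    "display_name": (
        "From: Jane Doe <jane.doe.ceo@freemail.example>\n"
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=freemail.example\n"
        "Subject: Quick favour\n\nAre you at your desk?\n"
    ),
    "lookalike": (
        "From: Accounts Payable <ap@exarnple.com>\n"
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=exarnple.com\n"
        "Subject: Updated bank details\n\nSee attached.\n"
    ),
    "legitimate": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=example.com\n"
        "Subject: Board pack\n\nAttached.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:17s} -> {triage(raw)}")
```

The skeleton comparison is deliberately coarse: it is meant to catch the Mlcrosoft-style substitutions the text describes, and any hit should go to a human or a quarantine rather than be auto-rejected, since unrelated domains can occasionally collide.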

On the topic of training, make sure to provide regular end-user training to reinforce stronger security awareness. Running regular phishing simulations will help create awareness of both the most commonly used and the more sophisticated techniques. Triden Group’s TG Secure Pro can help organizations with this goal by regularly simulating the modern social engineering techniques used by real-world adversaries in 2021, in order to train every level of employee. Combined with our robust security awareness training library, this will ensure every employee is seasoned against these types of attacks.

Because BEC and EAC attacks target users who regularly perform wire transfers, it is critical that these individuals follow a strict procedure for verifying any request concerning payment activities or payment information. Verification should be done through an established secure channel and using previously documented contact information, never the contact details supplied in the request itself. It may also be beneficial to implement a two-person verification system for invoicing, as this reduces the likelihood of a successful attack if one individual is compromised.

There are many technical steps an organization can and should take to limit the risk of an attack. These include registering domain names similar to yours to protect against typosquatting-based attacks, enabling two-factor authentication, and enforcing strong password policies for user accounts to help prevent brute-force attacks. Ensure your organization’s domain has valid SPF, DKIM, and DMARC records. Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) are anti-spoofing and email authentication techniques that use DNS records to validate the sender of an email.
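Having the three records published is necessary but not sufficient; a weak SPF qualifier or a DMARC policy of `p=none` still lets a spoofed message through. The following added example (not code from the original post or from Triden Group) takes the TXT record strings a DNS lookup would return and reports the weak settings a reviewer would look for. The record strings shown are constructed; in practice they would come from a query for the domain's SPF record, the `<selector>._domainkey` DKIM record, and the `_dmarc` record.

```python
"""Assess SPF, DKIM and DMARC TXT records for weak settings.
Added example; the record strings below are constructed stand-ins for DNS answers."""
import re


def _tags(record: str) -> dict:
    """Split a 'k=v; k=v' style record (DKIM, DMARC) into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> list:
    """Return weaknesses in an SPF record; an empty list means nothing flagged."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not-an-spf-record"]
    issues = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        issues.append("missing-all")            # unlisted senders get a neutral result
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            issues.append("pass-all")           # every host on the internet may send as you
        elif qualifier == "?":
            issues.append("neutral-all")        # no statement at all about other senders
        elif qualifier == "~":
            issues.append("softfail-all")       # receivers usually accept but mark; only -all rejects
    # RFC 7208 caps DNS-querying mechanisms at 10; beyond that SPF returns permerror.
    lookup = re.compile(r"^[+\-~?]?(include:|a\b|a:|mx\b|mx:|ptr|exists:|redirect=)", re.I)
    if sum(1 for t in terms[1:] if lookup.match(t)) > 10:
        issues.append("too-many-dns-lookups")
    return issues


def assess_dkim(record: str) -> list:
    """Return weaknesses in a DKIM key record (the v= tag is optional per RFC 6376)."""
    tags = _tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        return ["not-a-dkim-record"]
    if not tags.get("p"):
        return ["key-revoked-or-empty"]        # an empty p= means the key is revoked
    return []


def assess_dmarc(record: str) -> list:
    """Return weaknesses in a DMARC record."""
    tags = _tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not-a-dmarc-record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("policy-none")            # monitor only: spoofed mail is still delivered
    elif policy not in ("quarantine", "reject"):
        issues.append("missing-policy")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        issues.append(f"partial-enforcement-{pct}")
    if "rua" not in tags:
        issues.append("no-aggregate-reports")   # you will not see who is spoofing you
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        issues.append("subdomain-policy-none")
    return issues


def assess_domain(spf: str, dkim: str, dmarc: str) -> dict:
    """Combine the three checks into one report keyed by record type."""
    return {"spf": assess_spf(spf), "dkim": assess_dkim(dkim), "dmarc": assess_dmarc(dmarc)}


# Constructed records: a weak configuration beside a hardened one.
WEAK = {
    "spf": "v=spf1 include:_spf.mailprovider.example ~all",
    "dkim": "v=DKIM1; k=rsa; p=",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
STRONG = {
    "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
    "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    print("weak  :", assess_domain(**WEAK))
    print("strong:", assess_domain(**STRONG))
```

Moving from `p=none` to `p=reject` should be staged (monitor the aggregate reports first, then `quarantine`, then `reject`), but the end state the text calls for is the hardened set above: `-all`, a published key, and an enforcing DMARC policy with reporting enabled.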

A note on endpoint protection, email gateways, and network defenses: these controls can be effective at blocking spam and other malicious behavior. However, threat actors are constantly researching new ways to circumvent these systems through sophisticated pretexts and exploitation of the human element. To this end, it is paramount that organizations do not rely solely on these mechanisms and instead employ a defense-in-depth methodology that combines them with the procedural or non-technical controls described above.

References:

https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf