As an increasing proportion of the workforce shifts to remote work, email usage will only increase. This is a dream for cybercriminals looking for more eyeballs on that inbox.
Funny to think that in 2020, despite the hundreds of ways to communicate digitally, sending an e-mail is still the preferred method of communication. Despite email being an antiquated digital channel with so many flaws and inefficiencies, the majority of the business workforce treats it as its digital filing cabinet and a single point of truth. It is also the easiest and fastest portal for cybercriminals to tap for unlimited profit potential.
Robbery Never Sounded So Distinguished
Business email compromise (BEC) is a polite phrase for robbery, and it usually involves substantial sums of money (felony grand theft). It is one of the subordinate attack vectors within third-party risk and a rapidly growing threat.
Why? Because it is easy, and the rewards are well worth the effort. BEC attackers find that smaller, less sophisticated, and improperly secured third-party vendors are prime targets for credential harvesting, spoofing, and the exploitation of group user IDs or shared email addresses.
BEC is Growing Rapidly
According to the FBI’s latest Internet Crime Report (ICR), losses from BEC scams amounted to almost $1.3 billion in 2018. This is double the losses in 2017, which stood at $676 million. And a Symantec study found that an average of 6,029 organizations were targeted by BEC emails per month during the 12-month period from July 2018 through June 2019.
Don’t Forget the Suppliers
When you implement a Third-Party Risk Management (TPRM) program, you need to focus on your third-party’s suppliers as well. You need to do that because those distant cousin suppliers’ email environments are compromise targets and bad actors use those accounts for supplier spoofing attacks. In other words, your third-party supplier’s BEC problem becomes your BEC problem.
If your supplier portal software provider has failed to implement controls such as multi-factor authentication, whitelisting/blacklisting, and user behavior analytics, and you ignore or miss the absence or weakness of those controls, you are setting yourself up for a compromise of the supplier’s login credentials, which in turn gives the attacker legitimized access to your payment network.
And it may not be from your contracted third-party provider, but instead from a contracted supplier within your provider’s supply chain.
The Flow of Criminal Activity
What follows after that intrusion is a set of emailed invoices and/or bank account change requests that appear to be from your supplier to someone in your payables department who will match the request with the contract on file and will execute the processing for payment.
In the case of executive spoofs, the email will appear to come from the legitimate email address of one of your C-level officers instructing your payables department to process a (large) payment (urgently). It will be the exact template that your corporate officer uses for normal communications.
Since everyone has a price, it is relatively easy to find an hourly employee somewhere in the supplier’s or your own labor ranks who might not share your enthusiasm for your company and is willing to assist in a fraudulent scheme wherein a share of the net can be distributed accordingly. Healthcare, multi-shift manufacturing operations, financial services, energy systems operators, large on-line retailers, hospitality, defense contractors are a few of the prime targets for third-party BEC attacks.
These insider threat vectors are instrumental in timing BEC attacks around their knowledge of dates when unusually large payments are due, when key members of your or your supplier’s controls process are out of the office, and around long holiday weekends, company parties, or all-hands meetings. Failure to control credential access following the departure of a disgruntled employee, or worse yet, of an employee who has been put on notice and remains on the job, is a recipe for disaster, yet I am continually amazed at how few companies have these controls in place.
Non-Profit Organizations Hit Hard as Well
And despite its acronym, BEC is not limited to businesses alone. Organizations across all sectors present lucrative targets, especially those who implement only the minimum of security caution in their networks and systems environments.
In one recent example, the Saint Ambrose Catholic Parish in Brunswick, Ohio, discovered that it had been the victim of a BEC attack only because their third-party supplier (a building contractor) began dunning them for payment of past-due invoices in the amount of $1.75 million, the exact amount that the BEC scammers absconded with in their attack.
Through spoofing, the attackers were able to gain access to two employee email accounts which were subsequently used to trick St. Ambrose payment authorizers and processors into wiring the payments into a “new” bank account which appeared as a normalized change order to the building contractor’s contract.
Any online relationships between the parish and its donors or sponsors become links in the third-party risk chain that connect potential victims to threats through piggybacks on the parish network.
Does your company make automatic electronic contributions to non-profits?
The public sector, particularly smaller government institutions, is becoming a frequent target as well. In August, Cabarrus County, North Carolina, announced that it lost US$1.7 million to a BEC scam which originated when the staff received an email requesting that the bank account for the general contractor for the building of Cabarrus County’s new high school be changed. Upon receiving legitimate-looking documents, which included a signed updated electronic funds transfer (EFT) form and signed bank documentation, the county staff naturally changed the vendor’s banking information in time for the county’s scheduled vendor payment in December.
Does your company make automatic electronic property or other tax payments to the county in which your offices are located?
Cabarrus County has since announced that it is redesigning their vendor registration and maintenance processes and in a letter sent to parishioners, Saint Ambrose has said that the church would be reviewing its security strategy and systems to prevent similar incidents from happening in the future.
Guidelines for Preventing BEC
In order to not be that CISO, there are some things you should do to close the barn doors before the cows get out, starting with training:
1. Your employees, as part of your ongoing security awareness training program, should be taught to verify any fund transfer request (no matter the amount) or any request from an employee to change personal details such as direct deposit instructions, ideally in person but at a minimum through voice-to-voice validation that the request is legitimate.
2. They should question any emails requesting actions that seem unusual or aren’t following normal procedures.
3. They should be trained in identifying the red flags that indicate an email is suspicious, usually in tone and grammar, but also in “spoofed” email domains where the attacker has not been able to gain access.
4. They should understand the elements of various social engineering scams and your policies for interaction and relationships with members of your supplier organization.
5. You absolutely must implement multi-factor authentication for your online accounts. Community banks and credit unions are notorious abusers, ignoring the need for stricter account protection and the requirement for adding that additional layer of security beyond that of simple passwords.
6. Your payment policy should be altered to insist on verifying any changes in vendor payment location by using a secondary sign-off by supplier personnel and that should be done outside of the electronic communication channel.
7. While obvious, your employees need to understand how critical it is to never supply login credentials or personal information in response to a text or email, regardless of whom the request appears to originate from.
8. It also helps to stay current on your suppliers’ habits including the details of the contract, payment terms, out-of-schedule transfer requests, and an understanding of the organization, roles and employees.
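The verification controls in points 1, 6 and 7 above can be enforced by the accounts-payable system rather than left to memory. The following is an added example, not code from this article or from any product it mentions: a gatekeeper that refuses to apply a vendor bank-detail change until a callback has been made to the phone number already on file (never a number supplied in the request) and a second, different person has signed off. The vendor name, phone numbers and account identifiers are constructed.

```python
"""Gatekeeper for vendor bank-detail changes.

Added example (not from the original article): enforces out-of-band
verification and secondary sign-off before a payee's bank details change.
All names, phone numbers and account identifiers below are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Vendor:
    name: str
    phone_on_file: str   # captured at onboarding, never taken from an email
    bank_account: str


@dataclass
class BankChangeRequest:
    vendor: str
    new_account: str
    requested_by_email: str
    # Filled in by accounts-payable staff as the checks are performed.
    callback_number: Optional[str] = None   # number actually dialled
    verified_by: Optional[str] = None       # staff member who made the call
    approved_by: Optional[str] = None       # second, independent approver


def evaluate_change(vendor: Vendor, req: BankChangeRequest) -> Tuple[bool, str]:
    """Return (accepted, reason). Accepted only when every control passes;
    the reason names the first control that failed."""
    if req.vendor != vendor.name:
        return False, "request does not match vendor record"
    if req.new_account == vendor.bank_account:
        return False, "no change requested"
    # Control 1: verification happens outside the email channel, and the
    # number dialled is the one on file. A scammer who controls the mailbox
    # can put any "please call us on" number in the request itself.
    if not req.callback_number or not req.verified_by:
        return False, "no out-of-band callback recorded"
    if req.callback_number != vendor.phone_on_file:
        return False, "callback used a number not on file"
    # Control 2: secondary sign-off by someone other than the verifier.
    if not req.approved_by:
        return False, "missing second approver"
    if req.approved_by == req.verified_by:
        return False, "verifier and approver must be different people"
    return True, "all controls satisfied"


def apply_change(vendor: Vendor, req: BankChangeRequest) -> Tuple[bool, str]:
    """Apply the change only if evaluate_change accepts it."""
    ok, reason = evaluate_change(vendor, req)
    if ok:
        vendor.bank_account = req.new_account
    return ok, reason


if __name__ == "__main__":
    # Constructed walk-through: an emailed "new account" request that is
    # only applied once both controls have been satisfied.
    acme = Vendor("Acme Builders", "+1-555-0100", "ACCT-OLD")
    req = BankChangeRequest("Acme Builders", "ACCT-NEW", "ap@acme-builders.example")
    print(apply_change(acme, req))                      # no callback yet
    req.callback_number, req.verified_by = "+1-555-0199", "alice"
    print(apply_change(acme, req))                      # number came from the email
    req.callback_number = acme.phone_on_file
    req.approved_by = "bob"
    print(apply_change(acme, req), acme.bank_account)   # accepted
```

The amount of the payment deliberately plays no part in the decision, matching the "no matter the amount" rule above; a threshold would only tell the scammer how large a request to stay under.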
Don’t Doubt the Power of AI in BEC Prevention
Today, in addition to security awareness training, all enterprises can benefit from affordable cloud technologies that use artificial intelligence (AI) and machine learning to defend against BEC attacks.
They do this by examining both behavioral factors and the implied intention of emails. Some of these can automatically recognize the DNA of a user’s writing style based on past written emails and use that as a baseline to compare legitimate emails with suspected fake emails.
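The red flags mentioned in point 3 of the guidelines (lookalike "spoofed" domains) and the behavioral baseline described here can both be reduced to checks that run over the headers and body of each inbound message. The following is an added example, not code from this article or from any vendor's product: it scores a message on a lookalike sender domain, an executive's display name attached to an outside address, a Reply-To that diverges from the sender, urgency or payment-change wording, and (as a deliberately crude stand-in for a learned writing-style baseline) a known sender's usual sign-off being absent. The trusted domains, executive directory, sender profile and four sample messages are all constructed.

```python
"""Red-flag scoring for inbound payment-related email.

Added example, not code from the original article or any product it
mentions. Trusted domains, executive names, sender profiles and the four
sample messages are constructed for the demonstration.
"""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed reference data; a real deployment would load these from the
# vendor master file and the corporate directory.
TRUSTED_DOMAINS = {"ourcompany.example", "acme-builders.example"}
EXECUTIVES = {"Jane Doe": "jane.doe@ourcompany.example"}
# Stand-in for a learned per-sender style baseline: the sign-off seen in
# that sender's past mail.
SENDER_PROFILES = {"jane.doe@ourcompany.example": {"signoff": "Best, Jane"}}
URGENCY = re.compile(
    r"\b(urgent(?:ly)?|immediately|asap|today|wire|new bank|updated account)\b",
    re.IGNORECASE)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def registrable_label(domain: str) -> str:
    """'mail.acme-builders.example' -> 'acme-builders' (naive, no suffix list)."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS) -> Optional[str]:
    """Return the trusted domain this one imitates, or None when the domain
    is trusted itself (or a subdomain of it) or is clearly unrelated."""
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return None
    for t in trusted:
        ratio = SequenceMatcher(None, registrable_label(domain),
                                registrable_label(t)).ratio()
        if ratio >= 0.8:          # one swapped character in a 13-char label scores ~0.92
            return t
    return None


def score_message(raw: str) -> Dict[str, object]:
    """Return the sender, the list of red flags raised, and their count."""
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload()
    flags: List[str] = []

    sender_domain = domain_of(sender)
    imitated = lookalike_of(sender_domain)
    if imitated:
        flags.append(f"sender domain {sender_domain} resembles trusted {imitated}")
    expected = EXECUTIVES.get(display_name)
    if expected and sender.lower() != expected:
        flags.append("display name is an executive but address is not theirs")
    if reply_to and domain_of(reply_to) != sender_domain:
        flags.append("Reply-To domain differs from sender domain")
    if URGENCY.search(body):
        flags.append("urgency or payment-change language in body")
    profile = SENDER_PROFILES.get(sender.lower())
    if profile and profile["signoff"] not in body:
        flags.append("sign-off deviates from sender's baseline")
    return {"sender": sender, "flags": flags, "score": len(flags)}


# Constructed sample messages (headers, blank line, body).
LEGIT = ('From: "Acme Builders AP" <ap@acme-builders.example>\nSubject: Invoice 1042\n\n'
         "Attached is invoice 1042 for March.\nRegards, Acme AP\n")
LOOKALIKE = ('From: "Acme Builders AP" <ap@acme-bui1ders.example>\nSubject: Invoice 1042\n\n'
             "Please note our updated account details. Wire the balance immediately.\n"
             "Regards, Acme AP\n")
EXEC_SPOOF = ('From: "Jane Doe" <jane.doe@mail-service.example>\n'
              "Reply-To: <ceo.jane@webmail.example>\nSubject: Payment\n\n"
              "I need a payment processed today, urgent. Call me only after it is done.\n")
COMPROMISED = ('From: "Jane Doe" <jane.doe@ourcompany.example>\nSubject: Payment\n\n'
               "Process the wire today, I am in a meeting.\nThanks, J.\n")

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("lookalike", LOOKALIKE),
                       ("exec spoof", EXEC_SPOOF), ("compromised", COMPROMISED)]:
        print(label, score_message(raw))
```

The fourth sample is the case the article warns about: the message really does come from the executive's own mailbox, so domain and display-name checks pass and only the behavioral signals (urgency wording, an unusual sign-off) remain. A score is a prompt for out-of-band verification, not a verdict; the legitimate invoice scores zero, the other three score two or more.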
Of course, the flip side of these technology advancements is always the same. BEC scammers will begin adopting these technologies to make their attacks even more convincing. Both ML and AI will be used to power audiovisual “deepfakes” that target or impersonate C-Suite executives. And we have already seen very convincing deepfakes that use only audio.
A BEC scammer using ML/AI deepfakes could easily target your senior financial executive or a trusted employee who has direct access to the CEO or another officer who can authorize money transfers. When the employee tries to verify the request voice-to-voice, the scammer can play audio of the CEO’s voice, culled from previous recordings such as earnings calls or TED talk appearances, and trick the employee into believing it is indeed the CEO on the other end ordering the transfer.
This is the future of BEC scams, and if you’re not frightened, you should be. If it were my company and my shareholders’ money, I would verify in person every funds transfer request, regardless of its origin.