Do you feel sometimes that not even a week goes by without you hearing about another data breach or leak? Lately, the Equifax breach has received a lot of press as it involved a whopping 143 million consumers. WannaCry made headline news earlier this year too with its ransomware attack that infected more than 230,000 computers in over 150 countries.
If you work in security, this isn’t good news. You try to dot every “i” and cross every “t” with your security posture and policies. You’ve deployed employee training and tools to safeguard your data. You don’t want anyone inadvertently downloading malware on your watch. The reality, though, is that there’s a lot to manage and keep up with: cybercriminals are constantly finding new and more sophisticated ways to trick and steal from your organization, seemingly in the blink of an eye.
Take the newest weapon in the cybercriminal’s arsenal: business email compromise (BEC). You may not have heard much about it yet, but it’s trending to be the next big threat in cybercrime—even worse than ransomware.
Business Email Compromise: Your Latest Security Achilles Heel
Cybercriminals are always looking for weaknesses in your defenses, and business email compromise slips under the radar by exploiting those flaws. BEC is an advanced identity-deception threat in which a perpetrator impersonates an executive (the most common persona), usually over an email exchange. During this online conversation, the perpetrator convinces an employee or vendor to transfer money or sensitive data to a fraudulent account.
According to the FBI, over $5.3 billion was stolen between Oct. 2013 and Dec. 2016 through BEC alone. These bogus emails breeze right past your anti-virus, anti-malware, and anti-phishing tools because they don’t include attachments or high-risk URLs. Instead, they rely on identity deception through social engineering, email spoofing, and spear phishing. Furthermore, these nefarious emails are sent in low volumes, making them even more difficult to detect.
How the Scam Happens
Here’s an example of how business email compromise works:
The perpetrator begins by targeting a couple of victims. The first is the person they will impersonate as the email sender; the second is the person they will manipulate, through their insidious email, into taking an action. These victims could be anyone with access to company financials, tax information, or personally identifiable information (PII). Typical personas include a controller, HR staff, executives, or someone in purchasing with the authority to make wire transfers. The attacker then researches the targets online, gathering personal information from the company website and various social media sites to build profiles of them. With so much information available online, building out detailed social profiles is practically a cakewalk.
Now that the perpetrator knows enough personal details about the victims and their organization, they send one or several spear-phishing emails to the victim. This can continue for days or weeks to build trust. At this point, the perpetrator has officially hoodwinked the victim, who has no idea that any of these online conversations were in fact fraudulent. Instead, the victim believes these communications were business as usual. And why wouldn’t they? The perpetrators have crafted such sophisticated and personal emails that it is difficult to detect any foul play.
The perpetrator continues this psychological manipulation (a.k.a. social engineering) until the timing is just right, for example when an invoice is due. At that point, the perpetrator convinces the victim to make a wire transfer to a different payment destination controlled by the crime group.
Most Security Tools Can’t Stop BEC
Identity-deception attacks are clever. As mentioned above, they normally don’t include malicious attachments or risky URLs, so they bypass most security defenses. Signature/content filtering and sandboxing/URL rewriting, for example, can’t stop this attack vector. Likewise, rule-based identity detection and user training don’t work much better: rule-based identity detection is only effective against a small percentage of attacks, and user training is difficult to adapt to new threats and doesn’t scale well.
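To make concrete what “rule-based identity detection” does and where it stops, here is an added example in Python; it is not from the original post or from any vendor’s product. It runs three common identity rules over constructed sample messages: an executive’s display name on an address outside the organization, a sender domain that is a lookalike of the organization’s domain, and a Reply-To header that redirects replies to a different domain. The organization domain example.com, the executive list and all sample messages are assumptions constructed for this example. The last sample, a message from a genuinely compromised executive mailbox, produces no finding at all, which is exactly the gap described above: rules over headers catch the spoofing cases, not the social engineering itself.

```python
import email
from email.utils import parseaddr

# Constructed example data (assumptions): the organisation's own domain and
# the executives whose names a BEC message typically borrows
# (lower-cased display name -> their real mailbox).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def _levenshtein(a, b):
    """Plain edit distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def identity_checks(raw_message):
    """Return the list of identity-deception findings for one raw message.

    Three rule-based checks: an executive's display name on an address that
    is not their real mailbox, a sender domain within edit distance 2 of
    ORG_DOMAIN, and a Reply-To that sends replies to a different domain.
    """
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    sender_domain = _domain(addr)
    findings = []

    real_mailbox = EXECUTIVES.get(name.strip().lower())
    if real_mailbox is not None and addr.lower() != real_mailbox:
        findings.append("display-name impersonation")

    if (sender_domain and sender_domain != ORG_DOMAIN
            and _levenshtein(sender_domain, ORG_DOMAIN) <= 2):
        findings.append("lookalike sender domain")

    if reply_addr and _domain(reply_addr) != sender_domain:
        findings.append("reply-to domain differs from sender")

    return findings


# Constructed sample messages (not real traffic); bodies kept minimal.
SAMPLES = {
    "freemail_exec": (
        "From: Jane Doe <jane.doe.ceo@webmail.example.net>\n"
        "To: controller@example.com\n"
        "Subject: Quick favour\n"
        "\n"
        "Are you at your desk? I need a payment sent today.\n"
    ),
    "lookalike": (
        "From: Jane Doe <jane.doe@examp1e.com>\n"
        "To: controller@example.com\n"
        "Subject: Invoice\n"
        "\n"
        "Please settle the attached invoice before noon.\n"
    ),
    "reply_to": (
        "From: Accounts Payable <ap@example.com>\n"
        "Reply-To: ap@mailbox.example.net\n"
        "To: vendor@example.org\n"
        "Subject: Updated banking details\n"
        "\n"
        "Our remittance account has changed; reply for details.\n"
    ),
    # A genuinely compromised executive mailbox: every header is legitimate,
    # so none of the three rules fire.
    "compromised_account": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "To: controller@example.com\n"
        "Subject: Wire today\n"
        "\n"
        "Process the transfer we discussed; I am travelling.\n"
    ),
}


def scan_samples():
    """Run the checks over every constructed sample; returns name -> findings."""
    return {key: identity_checks(raw) for key, raw in SAMPLES.items()}


if __name__ == "__main__":
    for key, findings in scan_samples().items():
        print(f"{key:22s} {findings or 'no identity findings'}")
```

The threshold of edit distance 2 is a deliberately loose choice for illustration; in production the lookalike check would also cover homoglyphs and registered-domain lists, and it would still miss the compromised-account case, which is why the post argues that out-of-band verification matters more than any one filter.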
Mitigate Risk to Combat Identity Deception
As difficult as it seems, there are ways to combat email identity deception and BEC. The FBI recently published an educational document (available as a PDF) with some useful tips on the subject. Here are three highlights:
- Establish more than one communication channel to verify sensitive transactions. Don’t rely on email alone.
- Keep IoT devices separate from your computers.
- Don’t offer up too much personal and sensitive data on your social media channels or your company website.
There is no single cure-all to win the cyberwar, but you can find ways to mitigate risk and stop the bad guys in their tracks, or at least lessen the impact and frequency of their attacks. Prepare now for BEC, before your organization falls prey.