By Elena Georgescu, Communication & PR Officer at Heimdal™ Security
When talking about business email compromise, two aspects cannot be left out: technology and money. Technology is the engine that moves humanity forward, allowing us to conquer new horizons, and money, whether we like to admit it or not, is the fuel that makes this technological progress possible. In cybersecurity, though, there are people who care more about money than about progress and use technology for their own benefit. Such is the case with business email compromise attacks, one of the most financially damaging online crimes.
Business email compromise (also called email account compromise or man-in-the-email) is a type of cyber attack in which a criminal breaks into an email account and impersonates its real owner in order to gain financially from the company, its customers, partners, and/or employees by tricking them into sending money or sensitive data.
How do hackers get access to your e-mail?
By spoofing an email account or website
One of the main B.E.C. tactics is to use slight variations on legitimate addresses to fool victims into thinking fake accounts are authentic – like firstname.lastname@example.org versus email@example.com.
By sending spearphishing emails
Spearphishing emails look like they’re from a trustworthy person, but they trick victims into revealing sensitive information, giving criminals access to company accounts, calendars, and valuable data.
By using malware
When orchestrating a BEC attack, hackers might also use malicious software to infiltrate company networks, gain access to existing email threads, and then send messages from inside those threads that would not raise any questions.
By using social engineering
It’s not uncommon for cybercriminals to use employees’ existing social habits against them. They might call or send an email stressing the urgency of the matter, usually at the end of the business day or week. This is not always the case, though, since they might also try to blend in, establish a conversation, build a friendly relationship, and then ask for sensitive information at a later date.
B.E.C. history and attacks
Business Email Compromise attacks have been on the FBI’s radar since 2013. The scammers are believed to be members of African, Eastern European, and Middle Eastern organized crime groups. High-level executives and people working in the finance departments of companies of all sizes are the most likely targets.
The Austrian aerospace firm FACC AG, the Dublin Zoo and Save the Children USA are only three of the business email compromise attack victims.
Back in 2016, FACC AG, a major designer and manufacturer of aircraft components and systems, with a client base that includes Boeing, Airbus, Rolls-Royce, Siemens SAS, and Mitsubishi Heavy Industries, lost €50 million in a business email compromise incident which also got its CEO fired. The criminal activity was carried out from outside the company. The Austrian Criminal Investigation Department was notified immediately and investigated the attack.
Save the Children USA fell victim to a B.E.C. attack in 2017 when hackers gained access to an employee’s email account and used it to make off with $1m by pretending the money was needed to pay for health center solar panels in Pakistan. Unfortunately, attacks on charities are not rare, and this incident with Save the Children USA is not an isolated one.
That same year, the Dublin Zoo lost nearly €600,000 to a business email compromise attack. The incident was immediately reported to the Garda National Economic Crime Bureau and Ireland’s national police service.
What can you do to prevent a business email compromise attack?
When it comes to preventing B.E.C. methods, there are both online and offline tactics that can be used.
- Protect your systems
It’s highly important to use a good firewall and a good antivirus that regularly scans your devices in order to prevent malware infections. It’s equally important to keep your systems updated – pay attention to security alerts and deploy security patches. Don’t forget to enable spam filters, block access to suspicious websites, and make sure you have a good password management policy for all your email accounts. Last but not least, take care of your passwords – they should include numbers, symbols, and capital and lower-case letters.
- Make vigilance your second nature
This vigilance should come in several forms, especially when it comes to “urgent” payment requests:
– look very carefully at the email address of the sender – lookalike addresses used in these attacks usually differ from the original by only one letter.
– if you receive an email announcing a change of payment method or bank account, do not reply directly to that email – always contact the payee through another means of communication to verify the authenticity of the claim.
– also get into the habit of verifying the authenticity of the websites that appear in the emails you receive – always hover your mouse over links before clicking them and make sure their URL includes HTTPS.
– it is also recommended to pay attention to how you handle sensitive data at home, not only at work, since you never know who might be watching you – don’t post private information on social media, use different passwords for every account, and shred all confidential documents.
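The first item in the checklist above, and the lookalike-address tactic described under “By spoofing an email account or website”, can be partly automated. The following is an added example, not code from the original article or from Heimdal™: it ignores the display name of a From: header and flags any address that is within a couple of single-character edits of a trusted contact, in either the user part or the domain. The trusted addresses and the sample headers are constructed for the demonstration.

```python
from email.utils import parseaddr

# Constructed sample of known-good contacts. In practice this would be fed from
# the address book or the vendor master data, not hard-coded.
TRUSTED = {
    "jane.doe@examplecorp.com",
    "accounts@supplier-example.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character insertions,
    deletions or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(header_from: str, trusted=TRUSTED, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a raw From: header value.

    The display name is deliberately ignored: in BEC the real person's name is
    put in front of an address the attacker controls, so only the address counts.
    """
    _, addr = parseaddr(header_from)
    addr = addr.strip().lower()
    if addr in trusted:
        return "trusted"
    local, _, domain = addr.rpartition("@")
    for t in trusted:
        t_local, _, t_domain = t.rpartition("@")
        # Same domain, user part off by a letter or two (jane.d0e@...).
        if domain == t_domain and 0 < edit_distance(local, t_local) <= max_edits:
            return "lookalike"
        # Same user part, domain off by a letter or two (...@examp1ecorp.com).
        if local == t_local and 0 < edit_distance(domain, t_domain) <= max_edits:
            return "lookalike"
    return "unknown"
```

A "lookalike" verdict is a reason to pick up the phone and confirm through a known number, not a reason to reply to the email.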
- Know the usual B.E.C. scenarios
The main tactics that hackers use to perpetrate B.E.C. scams are a false sense of urgency, a trick domain name, and impersonation of a vendor. All of them, especially the last one, involve emails that seem very legitimate. Usually, in the case of vendor impersonation, the domain name is genuine, the transaction seems legitimate and even has proper documentation, but the payment is directed to an account that the hackers control.
What should you do if, despite all the precautions, you become a victim of a B.E.C. attack?
– alert your bank about the fraudulent transaction – they should immediately try to recall the funds. It is possible to get your money back within 24-48h of the attack.
– gather all the transaction’s documentation and the emails or invoices you received, and report the incident as soon as possible to the local police, identifying it as “Business Email Compromise” or “BEC”.
– consider consulting a lawyer in the country where the money was deposited.
– conduct an internal review to establish what happened, who was involved, and which processes allowed the attack to succeed.
Business email compromise attacks are so dangerous because they target not only electronic systems but also the human factor – they rely on someone being tricked into sending money. Good cybersecurity education and excellent software solutions (for your endpoints, network, and email) are the only ways to stay ahead of cybercriminals’ malicious intents.
About the Author
Elena Georgescu is a Communication and PR Officer at Heimdal™ Security, a leading European provider of cloud-based cybersecurity solutions. At Heimdal™, she combines her passion for reading and writing with her desire to make a positive impact on the world – through education. Elena can be reached online at https://www.linkedin.com/in/elenafeliciageorgescu/ and at the Heimdal™ Security’s website – https://heimdalsecurity.com/en/ .