Business Email Compromise: What You Need to Know for 2022
Results are in from the FBI’s Annual Internet Crime Report and 2021 marked a record year for financial losses due to Business Email Compromise (BEC), a type of spear phishing attack. According to the report from the FBI Internet Crime Complaint Center (IC3), BEC accounted for roughly $2.4 billion USD in reported losses — an increase of 28% from the numbers reported in 2020.
What is the IC3
The FBI Internet Crime Complaint Center, or IC3, was established in May 2000 to serve as a mechanism to gather intelligence on cyber and internet crime. Each year, the IC3 publishes its findings to support both law enforcement and public awareness campaigns.
The Evolution of BEC
Understanding the evolution of threat trends is crucial to developing solutions and best practices that serve to protect users against the threats. BEC is a highly targeted spear phishing attack that relies on name recognition to convince targeted victims to complete the request. While spear phishing attacks require significantly more effort from the attacker than other tactics, the prospect of a larger payout makes it appealing. BEC began with relatively simple hacking or spoofing of email accounts belonging to key executives like the CEO, CFO, or other roles with financial authority, where the attacker would then send requests for wire payments to fraudulent bank accounts. Frequently, BEC involved compromised vendor emails, requests for W-2 information, or requests for large amounts of gift cards.
Current trends show that attackers have shifted their strategies, taking full advantage of the explosion in remote work tools and platforms that have become standard for conducting business over the last couple of years. The IC3 has observed that attackers are increasingly leveraging virtual meeting platforms to exploit their victims. In this emerging scheme, once an attacker has compromised the email of the targeted executive, they use it to set up a virtual meeting with the organization’s employees. Upon initiating the meeting, the attacker may display a still image of the targeted executive with the audio disabled, or use deepfake audio, and explain away the oddity as technical difficulties with the platform. The attacker then proceeds with the meeting, either instructing employees to initiate a wire transfer or asking them to send wiring instructions to the compromised email account. The transferred funds are immediately moved to cryptocurrency wallets and dispersed, which makes recovery efforts highly difficult.
Building Your Defense Against BEC
Building your cyber defense to protect against BEC can be tricky because this type of attack focuses on tricking people, not technology, so the most effective defense has to include strategies that address both. zvelo’s Cybersecurity Team recommends the following practices to make your organization a hardened target.
Training and Awareness
Employees are your front line in mitigating cyber risk, and arming them with the appropriate knowledge and guidance is critical to preventing BEC attacks. Train your users to look for and scrutinize anything that exhibits common tactics like a feigned sense of urgency or secrecy, vendor impersonation, and trick domain names. In addition to being able to recognize potential attacks, establish clear protocols for your employees to follow. Attackers count on their victims being unable to verify the validity of requests, or simply uncomfortable doing so. Your employees need to understand who to notify, how to verify requests, and what to do in general when suspicions are raised.
Basic Cyber Hygiene Best Practices
- Organizations need to implement multi-factor authentication (MFA) and have a good password policy in place that requires complex, hard-to-guess passwords. Passwords need to expire every few months. Users who hold both an admin account and a regular account must be required to set a unique password for each.
- Label external emails. Since BEC attacks are designed to impersonate internal email addresses, configuring your email settings to label anything coming from outside the company as external can help defend against this tactic.
- Ensure ports, protocols, and services that have no business use are turned off. Those that do have a business use need to be updated away from legacy versions (e.g. turn off SMB v2).
- Ensure proper separation of permissions by conducting an audit of the groups in your organization. Limit permissions to only those who need them and have a specific purpose (e.g. someone on the Engineering team doesn’t need access to the HR files).
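The external-label and impersonation checks described in the Training and Awareness and Basic Cyber Hygiene sections, as an added illustration rather than zvelo’s own code: a small Python triage function that tags mail from outside the company as external and flags the BEC tells the post lists (an executive’s display name on an outside address, a lookalike domain, urgency or secrecy wording). The organization domain, executive names, and the two sample messages are constructed, assumed values.

```python
import email
from email.utils import parseaddr

# Assumed organization data: the company's own domain and the executives
# whose names BEC actors most often impersonate (constructed values).
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe", "john smith"}
URGENCY_WORDS = ("urgent", "confidential", "wire transfer", "gift card")

# Constructed sample messages: one genuine internal mail, one BEC-style lure
# from a lookalike domain that reuses the CEO's display name.
SAMPLES = {
    "internal": "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 budget\n\nSee attached.\n",
    "lure": "From: Jane Doe <jane.doe@examp1e.com>\nSubject: Urgent wire transfer - confidential\n\n"
            "Please process today and keep this between us.\n",
}

def levenshtein(a, b):
    """Edit distance, used to spot domains one or two characters off a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze(raw):
    """Return the subject to deliver (with [EXTERNAL] label) and a list of BEC findings."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = msg.get("Subject", "")
    findings = []
    if domain not in INTERNAL_DOMAINS:
        findings.append("external-sender")
        # Trick domain names: examp1e.com is one edit away from example.com
        if any(0 < levenshtein(domain, d) <= 2 for d in INTERNAL_DOMAINS):
            findings.append("lookalike-domain")
        # Executive impersonation: a known leader's name on an outside address
        if name.strip().lower() in EXECUTIVE_NAMES:
            findings.append("executive-display-name")
        subject = "[EXTERNAL] " + subject
    # Feigned urgency or secrecy is checked regardless of origin, since BEC
    # also comes from genuinely compromised internal accounts.
    text = (subject + " " + str(msg.get_payload())).lower()
    if any(w in text for w in URGENCY_WORDS):
        findings.append("urgency-language")
    return {"subject": subject, "findings": findings}
```

Run `analyze(SAMPLES["lure"])` to see all four findings raised, while the internal sample passes clean with its subject unchanged.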
Check out the video from Geo, zvelo’s metaverse guide, with more highlights from the FBI’s 2021 Cyber Crime Report.