Business Email Compromise - Risk, Challenge, Prevention and Response

What is the Risk?

The risk is high.
The Verizon 2021 Data Breach Investigations Report lays out the statistics quite clearly. Comparing three types of attacks - Business Email Compromise (BEC), Computer Data Breach (CDB, i.e. “Hacking”) and Ransomware - BEC had roughly 7 times the number of incidents of either of the others. [BEC = 19,000; CDB = 2,780; Ransomware = 2,480]
While not all incidents ended with the victim losing money, BEC came in number one here again, having the most incidents that led to a loss.
The median loss from a BEC incident, reported by Verizon in 2021, was $30,000 USD. The FBI Internet Crime Complaint Center (IC3) reported over $1,800,000,000 USD in losses in 2020.

What is the Challenge?

BEC attacks - compared to CDB (Hacking) or Ransomware - are technologically unsophisticated. They tend to fall into two different approaches - Internal Impersonation and Change Vendor Details.
Internal Impersonation attacks come from an external email source but try to convince the recipient that they are from another employee - usually the CEO, CFO, Director of Finance, etc. The attacker hopes to leverage this impersonation to get money sent to them. Change Vendor Details attacks involve having the Accounts Payable (AP) team update the payment information for a valid vendor, so that legitimate invoices get paid to the attacker.

Let’s review the Change Vendor Details Kill Chain.
JP Morgan Chase lays out the kill chain for this attack quite nicely - Page 2 of the linked PDF if you’d like to follow the graphic.
Step 1. An attacker gathers information on the target organization - from publicly available sources - to determine who in the organization to specifically target.
Step 2. A phishing email is sent to the specific person being targeted.
Steps 3 & 4. User clicks on something malicious in the email and their mailbox gets compromised.
Step 5. The attacker uses their newly gained access to create a mailbox rule that will forward messages with certain keywords to an email address they control.
Steps 6 & 7. A legitimate vendor sends an invoice; the invoice is forwarded to the attacker.
Steps 8 & 9. The attacker uses deception to convince the target to change the payment details for the vendor that sent this invoice.
Step 10. The target organization pays the attacker the value of the legitimate invoice.

As you can see, the Change Vendor Details attack relies mostly on deception, but does require some technical sophistication.

By comparison, the Internal Impersonation attack relies almost exclusively on deception - exploiting social engineering techniques to get an accounting team member to transfer funds (or buy gift cards) to an account the attacker controls.

How do we Prevent BEC?

The lower technical sophistication of these attacks provides opportunity for us to prevent these attacks with a mix of technical and non-technical responses.

Non-technical Prevention

These are policies, procedures and training. One policy, two procedures and cyber security awareness training.

We will start with policy first - because it also addresses the first step in both attacks. The first step for the attacker is to use social media (LinkedIn, Facebook, etc.) to get details on your staff. In both attacks they are looking for the people they are going to target, specifically the AP team. In the Impersonation attack, they are also looking for the CEO or VP Finance, so they can impersonate them.
A policy restricting information about position and job function on social media will make it harder for attackers to identify the AP team. For example, an AR team member would find it very suspicious to get an email from the CEO requesting an emergency wire transfer, because it is outside the scope of their duties - and that knowledge of who does what would only be available internally.

The two procedures that need to be in place are very applicable to these two attacks:

  1. Payment Authorization Process
  2. Vendor Account Change Process

The Payment Authorization Process needs to be clear on who can authorize payments and how it will be done and needs to be understood by all parties involved in the process. The specifics will be unique to your organization. Discuss this with your organization’s Accounting/Finance department to determine a robust process, that won’t grind the business to a halt, while still making it very hard for an impersonation attack to be successful.

For the Vendor Account Change Process, JP Morgan recommends having an Authorization List with contact information for all vendors - names and phone numbers for the people at the vendor who can approve updates to the account details. Your AP team would be required to phone someone from this list and confirm the specific changes that way. Under this process, an incoming call or email never changes anything by itself; it initiates a callback from your organization to the designated people on your list. Updates to the list itself need to follow the same process.

Security Awareness Training - your AP team are targets. They need to understand that people are going to be targeting them. While you will probably have some/all of the technical responses we will talk about shortly in place, those aren’t a guarantee, so the staff need to be familiar with the types of attacks that are coming.

Technical Prevention

Following the best practice of Defense in Depth, we need to take a multi-layered approach to dealing with BEC.
There are controls that need to be put in place at the edge of the network, scanning tools that need to be run against mailboxes, additional authentication and finally extra logging. At the edge, we need to have email scanned for viruses in attachments and filtered based on the common email “hygiene” features: SPF, DKIM and DMARC. (Your organization should have these in place, or a plan to implement them.) Incoming email should also be labelled - at the top of the content of the message - to indicate that it has come from an external source.
These controls will help reduce the number of attacks that make it into mailboxes, and having the external label will make it easier for users to spot impersonation attempts.
Scanning all mailboxes for rules that forward email makes it harder for attackers to implement a Change Vendor Details attack (Step 5 of the kill chain above).
Multi-Factor Authentication (MFA) can help reduce risk, as it makes it harder for attackers to compromise the mailbox in the first place (Steps 3 & 4).
Finally, extensive logging can help with investigation and remediation if an incident happens.
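As an added illustration of the mailbox-rule scan (this is example code written for this page, not code from the original post or from any vendor), the script below audits a list of inbox rules and flags the pattern from Step 5 of the kill chain: a rule that forwards or redirects mail outside the organization, especially when it keys on invoice or payment terms and hides the forwarded copies. The rule records are a constructed data shape loosely modelled on what Exchange exposes; in practice you would populate it from your own mail platform's rule export. `INTERNAL_DOMAINS`, `FINANCE_KEYWORDS` and the sample rules are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: these are the organization's own mail domains; anything else is external.
INTERNAL_DOMAINS = {"example.com"}
# Finance-related terms a forwarding rule aimed at invoices would typically key on.
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "remittance", "banking", "account"}
# Folders where a rule can park forwarded mail so the owner never sees it.
HIDING_FOLDERS = {"deleted items", "rss subscriptions", "junk email"}


@dataclass
class InboxRule:
    """Simplified view of a mailbox rule (constructed shape, not a vendor API)."""
    mailbox: str
    name: str
    enabled: bool = True
    subject_contains: List[str] = field(default_factory=list)
    body_contains: List[str] = field(default_factory=list)
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: Optional[str] = None


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def audit_rule(rule: InboxRule) -> List[str]:
    """Return the reasons this rule looks like BEC mail exfiltration; empty if benign."""
    if not rule.enabled:
        return []
    targets = rule.forward_to + rule.redirect_to
    external = sorted(a for a in targets if _domain(a) not in INTERNAL_DOMAINS)
    if not external:
        # Forwarding inside the organization (e.g. to a shared AP mailbox) is normal business.
        return []
    reasons = [f"forwards/redirects to external address(es): {', '.join(external)}"]
    terms = [t.lower() for t in rule.subject_contains + rule.body_contains]
    hits = sorted(k for k in FINANCE_KEYWORDS if any(k in t for t in terms))
    if hits:
        reasons.append(f"filters on finance keywords: {', '.join(hits)}")
    if rule.delete_message or (rule.move_to_folder or "").lower() in HIDING_FOLDERS:
        reasons.append("hides the forwarded messages from the mailbox owner")
    return reasons


def audit_mailboxes(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map 'mailbox:rule name' to its reasons, for flagged rules only."""
    findings: Dict[str, List[str]] = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            findings[f"{rule.mailbox}:{rule.name}"] = reasons
    return findings


# Constructed sample: one exfiltration rule, two benign rules, one disabled leftover.
SAMPLE_RULES = [
    InboxRule("ap.clerk@example.com", "Invoice copies",
              subject_contains=["invoice", "payment"],
              forward_to=["collector@attacker-mail.invalid"],
              delete_message=True),
    InboxRule("ap.clerk@example.com", "Team copy",
              subject_contains=["invoice"],
              forward_to=["ap-shared@example.com"]),
    InboxRule("cfo@example.com", "Newsletters",
              body_contains=["unsubscribe"], move_to_folder="Newsletters"),
    InboxRule("cfo@example.com", "Old rule", enabled=False,
              redirect_to=["x@attacker-mail.invalid"]),
]

if __name__ == "__main__":
    for key, reasons in audit_mailboxes(SAMPLE_RULES).items():
        print(key)
        for reason in reasons:
            print("  -", reason)
```

The scan deliberately treats internal-only forwarding as benign so that AP teams' normal shared-mailbox rules do not drown the real finding; the external destination is the trigger, and the keyword and hiding signals are there to tell the responder how closely the rule matches the Change Vendor Details pattern. Run it on a schedule against every mailbox, not just finance, since the initial compromise (Steps 3 & 4) can land anywhere.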

What to do if it happens?

If your organization has had an incident:
If you are in Canada

  • Call your bank
  • Report the incident to the Anti-Fraud Center
  • Contact your local police (RCMP, etc.)

If you are in the US


Based on the prevalence and simplicity of these attacks, it seems likely that every organization will eventually be targeted. Beyond the Technical and Non-technical Prevention techniques discussed above, there are four additional Preparation steps that should be performed:
discuss this risk with your Legal Counsel, with your insurance team and with your Bank; additionally, you can prepare by walking through a tabletop exercise.

In my research for this article, I came across a blog post by the law firm Faegre Drinker about how the courts assigned responsibility for losses in two different cases of Business Email Compromise. The two cases did not have responsibility assigned the same way. Review this with your legal team to see if you need additional controls or processes.

Talk to your insurance team to see if BEC is covered under any of your policies.

Pre-emptively call your bank and discuss their process for handling a BEC incident, then document this process internally.

Run a tabletop exercise as a way to practice your process and evaluate it; it’s better to find out in advance whether you need to make changes. Here is a link to a tabletop scenario, similar to a BEC incident, that is a decent starting point.


Business Email Compromise attacks are common and have been generating large payouts for criminals. While Ransomware attacks are getting into the headlines, BEC scams are quietly making money. These attacks are not overly sophisticated, which makes them accessible to less technically skilled criminals. However, their lower technical requirements allow for a variety of preventions - technical and non-technical - that can be marshalled against them. These attacks have been ongoing and persistent; your bank and insurance providers are likely very aware of them and have processes in place to deal with them. Law Enforcement in North America has been dealing with this problem, and the judicial system appears to be starting to work through it. How does your organization’s preparation stack up against the preventions outlined above? Which are in place? Which need to be updated? Which need to be implemented?
