Business Email Compromise (BEC) attacks have become one of the most successful and damaging forms of phishing, as attackers switch tactics to avoid detection and typical end-user awareness.
According to the NCSC and insurance provider AIG, over 23% of all cyber insurance claims in 2018 were because of BEC attacks, outperforming other popular attacks:
Ransomware at 18% and data breaches at 14% of total claims were relegated to second and third places. Total claims (for Business Email Compromises) in 2018 amounted to more than those in 2016 and 2017 combined. Source: https://www.ncsc.gov.uk/report/weekly-threat-report-6th-september-2019
Throughout the summer, we have worked with companies who have fallen victim to these types of attacks. Most were able to quickly spot the compromise before anything particularly bad happened, but some had to hear about it from their clients and customers.
So why are these attacks so popular with attackers, and what can you do to stop them? Well, BEC attacks take advantage of two differences from ordinary phishing, one more technical, the other more social:
- The phishing email you receive is actually from someone you know, and often trust. It’s not a faked address you can check, it’s actually from their account, which has been similarly compromised.
- Instead of malicious attachments, attackers are using file-sharing sites, like OneDrive, Google Drive and Sharepoint to host the attacks. This gets around typical methods of defence such as Anti-virus and web filtering because the content is being hosted on a trusted file-sharing site, plus unsuspecting users see a valid sharing site in the domain name and naturally trust the site more.
Let’s look at an example:
Because the email is sent from the sender’s actual email account, the attacker can use their exact signature, and even customise the email to use the recipient’s first name and other details to make it seem more genuine.
The purpose of the email is to get the recipient to open the link for the “shared file”. This typically opens a browser to a mocked-up site that looks like the sign-in page for that particular service and asks the user to log in with their credentials, which the unsuspecting user does. Some of these attacks validate the user’s credentials as they are typed, meaning the fake page can show an error message if the user gets their password wrong. This is what is called a “man in the middle” attack.
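The lure described above is a link whose visible text (or look-alike host name) names a file-sharing service. As an added example, not code from the original post, the script below parses a constructed .eml message with the Python standard library, pulls every hyperlink out of the HTML body and sorts each into “mismatch” (names a sharing service but the host is not a genuine one), “verify” (a genuine sharing host, which may still front a fake sign-in page, so it needs a human check) or “other”. The list of genuine hosts and the sample message are assumptions made for the example; sender checks are deliberately absent because in a BEC the message really does come from the contact’s account.

```python
"""Triage the links in a suspected BEC lure (added example, not the post's own code)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Genuine hosts for the sharing services named in the post (assumption for
# this example; extend it with the tenants your organisation actually uses).
SHARING_HOSTS = {
    "onedrive.live.com": "onedrive",
    "1drv.ms": "onedrive",
    "drive.google.com": "google drive",
    "docs.google.com": "google drive",
}
SHARING_SUFFIXES = {".sharepoint.com": "sharepoint"}
BRAND_WORDS = ("onedrive", "1drv", "sharepoint", "google drive")

# Constructed sample message. The first link claims OneDrive but points at a
# look-alike host (.invalid is a reserved TLD), the second has the shape of a
# real SharePoint tenant URL, the third is an ordinary website link.
SAMPLE_EML = """\
From: Alice <alice@partner.example.com>
To: Bob <bob@example.com>
Subject: Invoice shared with you
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Bob, I've shared the updated invoice with you on OneDrive.</p>
<p><a href="https://onedrive-secure-login.invalid/open?id=123">Open shared file</a></p>
<p><a href="https://partner.sharepoint.com/:x:/s/finance/abc">Q3 spreadsheet</a></p>
<p><a href="https://partner.example.com/about">Our website</a></p>
<p>Thanks, Alice<br>Finance Team</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sharing_service(host):
    """Return the service a genuine sharing host belongs to, else None."""
    host = host.lower()
    if host in SHARING_HOSTS:
        return SHARING_HOSTS[host]
    for suffix, name in SHARING_SUFFIXES.items():
        if host.endswith(suffix):
            return name
    return None


def classify_link(href, text):
    """'verify' for a genuine sharing host, 'mismatch' for a link that names a
    sharing service without being one, 'other' for everything else."""
    host = urlparse(href).hostname or ""
    if sharing_service(host):
        return "verify"
    if any(word in (host + " " + text).lower() for word in BRAND_WORDS):
        return "mismatch"
    return "other"


def triage(raw_eml):
    """Return [(href, anchor text, verdict), ...] for every link in the HTML body."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    return [(href, text, classify_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, verdict in triage(SAMPLE_EML):
        print(f"{verdict:8} {text!r} -> {href}")
```

The “verify” verdict is the important one: a link on a genuine OneDrive, Google Drive or SharePoint host passes domain-based filtering by design, so the only remaining control is a person confirming with the sender (by phone, not by replying) that they really shared a file.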
Access to your email account…
What’s scarier than falling victim to the attack is what the attackers do next: they scour through your emails with two typical goals in mind:
- Harvest all of the contacts in the email account and quickly re-send the same phishing email to every one of them.
- Look through the user’s emails for anything that can be used in a further attack or fraud, either to take advantage of the company for financial gain or to gain greater access to the business’s systems and data.
An attacker’s activities in your email will vary depending on their end goal, but financial gain is a common one, and any company finance team is a target. One common and easy-to-exploit method involves attackers altering invoices to use “new” bank details, which the unsuspecting client then pays.
Putting possible financial losses aside, your corporate email has been hacked. Anything in that account could now have been read and downloaded for later exposure, blackmail or exploitation. Many of us use our corporate email accounts for personal correspondence or transactions, leaving our personal lives vulnerable as well!
So what can you do to stop, or prevent these types of attacks?
There are some basic steps you can do to stop attackers:
- It may sound simple, but to be well informed is to be well-armed. Awareness of these types of attacks can help improve your ability to spot these types of emails.
- Don’t just trust that the email you have received is from your contact. Especially if they are asking you to do something different, or there’s little context around the request, be suspicious: pick up the phone and call them (just make sure it’s not the number on the bottom of their email).
- Turn on Multi-Factor Authentication (MFA) for your email accounts. This helps prevent unauthorised access because, instead of just your password, a text message or code must also be entered to verify your login.
- Don’t be afraid to sound the alarm. If you spot something suspicious act on it, contact your IT support, even if it’s a false alarm – it’s better to be safe than sorry.
But what if my account has already been compromised?
If you suspect you have already fallen victim, the first thing to do is to secure the account: change the password as quickly as possible and sign out of any locations (devices/browsers) it may be logged in to. Your IT service provider can help with this.
The next steps depend on several factors: how long did the attacker have access to the account (days, weeks, months)? What was stored in that account (people often don’t think about what sensitive information sits in their inbox and sent items)? Did the attacker get a chance to send any emails pretending to be you? Depending on the answers you may need to notify clients, customers or the authorities, especially if personal data was handled by the account.
All of this may seem daunting and scary. Our advice is not to panic, but to be decisive about your actions, and don’t just hope you can sweep it under the carpet and move on, because that could leave you, your clients and their customers exposed.
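The questions above (how long did the attacker have access, what did they send, who needs telling) are answered from the account’s sign-in history and sent items. As an added example, not code from the original post, the script below takes constructed sign-in records and sent-items metadata, treats the earliest successful sign-in from an unexpected country as the start of the compromise window and the moment IT secured the account as its end, and reports what left the account in that window. The country-based heuristic, the sample data and the domain names are assumptions for the example.

```python
"""Scope a suspected email-account compromise (added example, not the post's own code)."""
from datetime import datetime

# Assumptions for this example: the user normally signs in from the UK, the
# company's own mail domain is example.com, and IT reset the password and
# signed out every session at SECURED_AT.
KNOWN_COUNTRIES = {"GB"}
OWN_DOMAIN = "example.com"
SECURED_AT = datetime(2019, 8, 20, 9, 0)

# Constructed sign-in records: (time, country, succeeded).
SIGNINS = [
    (datetime(2019, 8, 1, 8, 30), "GB", True),
    (datetime(2019, 8, 12, 2, 17), "NG", True),   # first foreign success
    (datetime(2019, 8, 13, 9, 5), "GB", True),    # the real user, unaware
    (datetime(2019, 8, 15, 3, 40), "NG", True),
    (datetime(2019, 8, 19, 4, 2), "US", False),   # failed, so not counted
]

# Constructed sent-items metadata: (time, recipient, subject).
SENT = [
    (datetime(2019, 8, 5, 10, 0), "bob@example.com", "Lunch?"),
    (datetime(2019, 8, 12, 2, 30), "bob@example.com", "Shared document"),
    (datetime(2019, 8, 15, 4, 0), "accounts@client.example.net", "Updated invoice - new bank details"),
    (datetime(2019, 8, 21, 11, 0), "bob@example.com", "All clear"),
]


def compromise_window(signins, known_countries, secured_at):
    """Return (start, end) from the earliest successful sign-in outside the
    user's usual countries to the moment the account was secured, or None if
    nothing looks wrong. Country is only one signal: attackers often come in
    via VPNs or cloud hosts, so cross-check unfamiliar devices and mailbox
    rules before declaring an account clean."""
    suspicious = [t for t, country, ok in signins if ok and country not in known_countries]
    if not suspicious:
        return None
    return min(suspicious), secured_at


def scope_incident(signins, sent, known_countries, secured_at, own_domain):
    """Summarise the access window and everything sent from the account in it."""
    window = compromise_window(signins, known_countries, secured_at)
    if window is None:
        return {"compromised": False}
    start, end = window
    in_window = [m for m in sent if start <= m[0] <= end]
    recipients = sorted({rcpt for _, rcpt, _ in in_window})
    return {
        "compromised": True,
        "start": start,
        "end": end,
        "days_of_access": (end - start).days,
        "sent_during_window": in_window,
        "notify": recipients,
        # External recipients are the ones who may have been phished, or sent
        # "new" bank details, in your name.
        "external": [r for r in recipients if not r.endswith("@" + own_domain)],
    }


if __name__ == "__main__":
    report = scope_incident(SIGNINS, SENT, KNOWN_COUNTRIES, SECURED_AT, OWN_DOMAIN)
    print(f"access from {report['start']} to {report['end']} ({report['days_of_access']} days)")
    for when, rcpt, subject in report["sent_during_window"]:
        print(f"  {when}  {rcpt:30} {subject}")
    print("notify:", ", ".join(report["notify"]))
```

Run against the sample data it reports eight days of access, two messages sent in that window, and one external recipient who received an “updated invoice” and should be contacted before they pay it. Messages sent after the account was secured (the “All clear” note) fall outside the window and are not attributed to the attacker.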