How To Stop Business Email Compromise Attacks in Your Email Networks

Find out how a combination of analysts and BOTs can identify cybersecurity threats in your email networks.

August 12, 2021

Business email compromise (BEC), a sophisticated phishing attack targeting business email networks, was the top cybersecurity-related crime according to The FBI 2020 Internet Crime Report. In this article, Bruce Potter, CISO, Expel, details how a combination of analysts and BOTs can identify potential cybersecurity threats before they become a problem.

Everyone has a bad day now and again, but cybersecurity professionals everywhere saw a spike in attempted attacks last year as entire workforces shifted to remote working environments at the start of the pandemic. When lockdowns went into effect and employees transitioned from business offices to home offices, literally overnight, bad actors preyed on business email networks, leaving companies already struggling with massive operational changes newly vulnerable to phishing scams.

In fact, the top security threat to U.S. businesses, and the most costly cybersecurity crime in 2020, was business email compromise (BEC), a sophisticated email-based phishing scheme that had cost U.S. businesses nearly $2 billion by the end of the year. According to the FBI, BEC attacks cost businesses more than any other type of phishing scam in 2020.

“Business email compromise (BEC) schemes continued to be the costliest: 19,369 complaints with an adjusted loss of approximately $1.8 billion,” writes the FBI in its 2020 Internet Crime Report.

Business Email Compromise (BEC) Scams Surge During the Pandemic 

Data from Expel’s own security operations center (SOC) mirrors what the FBI reported. BEC attacks accounted for nearly 60% of the incidents we identified; that number jumps to a staggering 97% when we look at the number of cloud-related BEC incidents.

BEC can happen to businesses of all shapes and sizes, with bad actors creating fraudulent email addresses used to harvest information from unsuspecting victims. Most BEC attempts involve an attacker impersonating or compromising a company executive’s email to deceive employees of the company, requesting that they share sensitive information. Often the attacker will use social engineering techniques to gain the trust of their victim. While BEC is frequently associated with wire fraud scams, it goes well beyond wire fraud schemes: BEC attacks also tend to focus on payroll, romance, real estate and lottery scams.

Last year, 29% of our customers experienced at least one BEC attempt; among those customers, 69% experienced multiple attempts. The most common type of BEC attack our security operations center (SOC) spotted in 2020 was credential harvesting attempts against Office 365 users.

Many BEC and other phishing attacks mimicked COVID-19-related topics, like the CARES Act for unemployment insurance, along with pandemic relief and food security funds, corporate-led improvement projects, and investments in COVID-19 programs. 


Why Businesses Continue To Be Hit so Hard by Phishing Scams

Phishing, and by extension BEC, crimes are popular because they offer a low barrier of entry for attackers. It’s a cheap and easy crime to commit, with phishing kits readily available for anyone looking to penetrate an organization’s data networks. Attackers use phishing kits to target various types of credentials, aiming to harvest sensitive user information. They then use that information to access secure systems. 

Kits that target SaaS app credentials are especially popular when it comes to BEC attacks. 

Bad actors create phishing emails with links to credential harvesting sites that impersonate webmail login portals or user authentication sites. Once a user enters their information, it renders the entire network vulnerable, giving cybersecurity attackers access to classified data stored within a business’ cloud applications. 

The significant uptick in phishing and BEC attacks underscores just how vulnerable business networks were during the pandemic. When so many workforces switched to remote working environments last year, many businesses moved their applications behind SSO (SAML) authentication, a standard for logging users into applications through a single sign-on process governed by one gatekeeper.

Attackers were creating fake pages impersonating those gatekeepers and serving them up to end-users. When users then entered valid credentials, attackers were able to bypass multi-factor authentication by intercepting session tokens.


How Businesses Can Better Secure Their Email Networks Against BEC Attacks

While the number of BEC incidents we saw in the past year is concerning, there are several steps that organizations of all shapes and sizes can take right now to keep their data more secure, better protecting themselves against these types of attacks. 

One of the most important things you can do to lessen your chances of getting hit with a BEC attack is to pay attention to geolocation records to understand where logins are coming from. Expel was able to detect 68% of BEC incidents for our customers using geolocation records.

All organizations should enable multi-factor authentication (MFA) for all employees, a login process that requires a user to provide two or more pieces of evidence to verify their identity. Thirty-five percent of the BEC incidents identified by Expel could have been avoided had the organizations implemented MFA. Modern authentication, an identity management process that uses a combination of authentication and authorization protocols, is also an effective tactic (7% of BEC incidents we identified could have been prevented using modern authentication).

Lastly, simply being aware of common BEC schemes and monitoring your email networks to detect any suspicious activity can be effective when trying to root out phishing scams. 

For example, look for inbox rules that contain BEC keywords, and watch for automatically deleted messages or messages redirected to an external email account. These are all potential signs that an email network may be compromised. Other suspicious activity to watch out for: the addition of new mailbox delegates or a new mailbox forwarding rule that goes to an external address. Logins from proxy or VPN services, and successful mailbox logins within minutes of denied logins, are also activities to keep an eye on.
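The geolocation and mailbox indicators above can be turned into simple detection logic. The following is an added example written for this article, not Expel’s own tooling; it runs over constructed sample events loosely modelled on Office 365 audit log operations, and the internal domain, keyword list, per-user country baseline, 10-minute window and the `country`/`ip_type` enrichment fields are all assumptions.

```python
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"                        # assumption: the org's own mail domain
BEC_KEYWORDS = ("invoice", "payment", "wire", "bank")  # assumption: words BEC inbox rules key on
HOME_COUNTRY = {"cfo@example.com": "US"}               # assumption: per-user geolocation baseline

def mailbox_signals(events):
    """Flag inbox rules and delegate changes matching the article's indicators."""
    hits = []
    for e in events:
        if e["op"] == "New-InboxRule":
            p = e["params"]
            if any(a.split("@")[-1].lower() != INTERNAL_DOMAIN
                   for a in p.get("ForwardTo", []) + p.get("RedirectTo", [])):
                hits.append((e["user"], "rule forwards to external address"))
            if p.get("DeleteMessage"):
                hits.append((e["user"], "rule auto-deletes messages"))
            if any(k in p.get("SubjectContainsWords", "").lower() for k in BEC_KEYWORDS):
                hits.append((e["user"], "rule matches BEC keywords"))
        elif e["op"] == "Add-MailboxPermission":
            hits.append((e["user"], "new mailbox delegate added"))
    return hits

def login_signals(events, window=timedelta(minutes=10)):
    """Flag success shortly after denial, proxy/VPN sources, and off-baseline countries.
    The 10-minute window and the ip_type enrichment field are assumptions."""
    hits, last_denied = [], {}
    for e in sorted(events, key=lambda e: e["time"]):
        user, when = e["user"], datetime.fromisoformat(e["time"])
        if e["op"] == "UserLoginFailed":
            last_denied[user] = when
        elif e["op"] == "UserLoggedIn":
            if user in last_denied and when - last_denied[user] <= window:
                hits.append((user, "success within minutes of denied login"))
            if e.get("ip_type") in ("proxy", "vpn"):
                hits.append((user, "login from proxy/VPN service"))
            if e.get("country") != HOME_COUNTRY.get(user, e.get("country")):
                hits.append((user, f"login from unusual country {e['country']}"))
    return hits

SAMPLE = [  # constructed sample events (not real audit data), modelled loosely on Office 365 audit fields
    {"time": "2021-03-01T09:00:00", "user": "cfo@example.com", "op": "UserLoginFailed"},
    {"time": "2021-03-01T09:04:00", "user": "cfo@example.com", "op": "UserLoggedIn",
     "country": "DE", "ip_type": "vpn"},
    {"time": "2021-03-01T09:06:00", "user": "cfo@example.com", "op": "New-InboxRule",
     "params": {"SubjectContainsWords": "invoice", "DeleteMessage": True,
                "ForwardTo": ["drop@attacker-mail.example"]}},
    {"time": "2021-03-01T09:07:00", "user": "cfo@example.com", "op": "Add-MailboxPermission"},
]
```

Running `mailbox_signals(SAMPLE) + login_signals(SAMPLE)` on the constructed burst above yields seven findings for the one account, which is the kind of clustered signal an analyst would escalate.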

As long as there are business email networks and cloud applications, there will be bad actors doing everything they can to infiltrate systems — and they’re finding new ways to compromise orgs every day. To reduce your risk, stay informed of the latest phishing and BEC attempt trends, and make sure you’ve got the right security signals and a team in place to detect potential suspicious activity in your networks. 


Bruce Potter

Chief Information Security Officer, Expel

Bruce Potter serves as the chief information security officer (CISO) of Expel, an SOC-as-a-service platform that provides security monitoring and response for cloud, hybrid, and on-premises environments. As CISO, Potter is responsible for ensuring the secure operations of Expel’s services. In 2016, Potter acted as the senior technical advisor to members of President Obama’s Commission on Enhancing National Cyber Security. Prior to joining Expel, he co-founded Ponte Technologies which was acquired by KeyW Corporation and founded the Shmoo Group. He has co-authored several books, written numerous articles and is a regular keynote speaker at security industry conferences.