By The PhishLabs Team | October 13, 2016
To further our Cyber Security Awareness Month initiative in helping you be #CyberAware, we want to focus on a specific type of phishing tactic that has gained popularity in the last few years: Business Email Compromise, commonly referred to as “BEC.” As cybercriminals evolve their attack methodologies, they have learned from their mistakes and BEC is an unfortunate example of how they are circumventing technology defenses and exploiting organizations’ greatest vulnerability: employees.
When we talk about human vulnerability and social engineering, we often think of your general, hardworking employees who are too busy, uninformed, and unsuspecting of scams targeting their email accounts. But what happens when we turn the spotlight on your privileged users (ones that have system administrative rights), members of your finance team, or even your executive team? Suddenly, the stakes just got higher. Business Email Compromise often singles out individuals that have authority, system rights, or access to send funds.
After reconnaissance is completed and targets are selected an email is sent from a spoofed sender (usually made to look like it comes from an executive or other trusted source). These targeted email attacks are unique in that they often do not contain malicious attachments, links, or exploits. Instead, they rely heavily on social engineering techniques. The request in the spoofed email is often a wire transfer of funds or a request for employee data, generally sensitive in nature, like employee W2 information. Here’s another post where we discussed W2 phishing in depth: Digging Deeper into IRS Phishing Attacks: How Do They Work and Who are the Scammers Behind Them?
BEC attacks have become more prevalent since PhishLabs first blogged about them in May 2014, and tactics have evolved as scammers experiment and benchmark their successes, resulting in better targeting, more convincing scams, and greater losses. The FBI calls BEC an emerging global threat, warns of a dramamtic rise in BEC scams, and cites financial losses in excess of $2.3 billion.
Listed below are some tips and red flags to help mitigate the threat; make sure your users are informed! If your organization has an active security awareness program, ensure that you include a BEC example in your simulated phish, which should reflect real-world attacks. Here’s a report where we go more in depth on the latest updates to BEC attacks and it includes some examples of BEC targeted emails.
Look for Red Flags
If you can train your employees to spot the key indicators in a BEC attempt, you can reduce the chances of your organization experiencing damaging losses. Be on the lookout for the follow red flags:
- Email sent to recipients who are corporate executives at a targeted company.
- The email sender is spoofed to impersonate an executive at another company.
- The spoofed sender info uses look-alike domain names that closely resemble the corporate domain names of the organization being impersonated.
- The spoofed sender appears to be with an actual reseller or distributor with a pre-existing corporate relationship with the targeted organization.
- The body of the email instructs the target to pay all new or outstanding invoices via wire transfer to a new bank account.
- Attached to the email is a PDF document containing wire transfer instructions, including bank name, account number, etc.
Reduce Your Risk
We recommend organizations take the following steps to reduce the risk of falling victim to these attacks:
- Use filtering for messages that match known patterns detailed above.
- Work with your finance department personnel, so that they are aware of the BEC threat.
- Require validation of new banking information with trusted accounting contacts at suppliers, distributors, and resellers before authorizing transfer of funds.
- Share information and samples with security and fraud contacts.
In addition to alerting law enforcement, PhishLabs is providing financial institutions with information that will allow them to identify accounts used in this scam and flag them for fraudulent activity.