Business Email Compromise

A cybercriminal phishes the victim using an email address that looks like a trusted email address

Domain spoofing

The cybercriminal creates a fake website or email domain to impersonate a trusted business or individual. Typically, the domain appears to be legitimate at first glance, and the differences may be subtle and hard to spot. 

Using stolen email credentials, the cybercriminal can view all conversations in the inbox, making impersonation easier.

Monitor communications

With access to an email inbox, the cybercriminal can easily research other employees and monitor ongoing conversations, particularly around invoices or payments.

Conceal activity

The cybercriminal can also take steps to hide their activities, such as setting up forwarding rules so that the user whose credentials have been stolen never see certain conversations in the inbox. Or the cybercriminal may move the conversation to a different email inbox.

Having established trust, the cybercriminal can encourage the user to bypass normal procedures and security through a variety of social engineering techniques.

The employees targeted in these attacks are often in HR or finance,  particularly in smaller organisations.

CEO fraud

Posing as the CEO, the cybercriminal instructs the employee to make an immediate payment because of a confidential transaction, such as an acquisition, or to purchase gift cards.

Fraudulent instruction

Posing as a vendor or supplier, the cybercriminal instructs the employee to change payment instructions for an electronic payment, so it goes to an account controlled by the cybercriminal.

Professional services firms are particularly at risk for incidents where the cybercriminal poses as a party in real estate/property sales or other transaction in order to misdirect payments.

Invoice Manipulation

The cybercriminal may pose as a vendor or supplier and send fraudulent invoices to misdirect payments.

Payroll redirect

The cybercriminal instructs an employee HR to change bank deposit instructions for employee pay.

Loan Fraud

The cybercriminal may impersonate several employees and subsequently take out several large loans in their name, with losses potentially in the six-figure range.

Other common forms of BEC include urgent requests to send sensitive data, such as employee tax statements

Train your employees to recognise and resist attempts at BEC, look carefully at unusual requests, use out-of-band verification, and resist the ways cybercriminals try to overcome your multi factor authentication (MFA).

Verify requests

Train employees on your procedures for authorized requests. Requests to change payment instructions or send sensitive data should be checked using out-of-band verification: don’t trust contact information the cybercriminal provided.

Avoid password recycling

Train employees on good password practices, including not reusing passwords for different accounts.

Phishing-resistant MFA

Train employees to avoid social engineering attempts to overcome MFA, such as multiple requests to approve access (MFA fatigue).

Recognize phishing emails and BEC attempts

Train employees to detect spoofed domain names and not to be confused by subdomains. Be alert for emails making unusual requests, particularly with a sense of urgency or secrecy.

Properly securing email accounts and better detecting phishing will help protect against BEC

Phishing-resistant MFA

Not all forms of MFA are equally secure. MFA should be configured to protect against social engineering attacks. While one-time passcodes and push-based notifications are not as resistant to these attacks, FIDO2 hardware tokens have been more successful. Block legacy email protocols that don’t support modern authentication.

Reduce exposure to phishing emails

Implement measures that could change the way suspicious emails are handled (SPF, DKIM, DMARC) Consider blocking email from new domains, which may have been set up by cybercriminals for phishing.

Patch on-premises email servers to deprive cybercriminals of any low-hanging fruit.

Missed payments may not be noticed for 45 or 60 days, so it’s important to look for signs earlier.

Restrict login attempts

Set an alert for a number of unanswered MFA prompts to prevent MFA fatigue. You can set an access policy to lock after 5 or 10 unanswered attempts.

Monitor changes to logging and configuration

Unusual changes to existing rules (such as those involving the RSS folder) or new external forwarding rules may be early signs of activity related to BECs.

Place a litigation hold on the targeted mailbox to preserve the mailbox content. Make sure logging and log retention options are configured correctly.

Turn on MFA if it was not enabled. Reset passwords for all accounts used by the targeted user on their work device, whether personal or work.

Check the list of registered devices associated with the targeted user; the cybercriminal may have enrolled an additional device for MFA acknowledgements. And look at activities in message clients such as Teams, Slack, or Gchat where additional sensitive information may have been shared.