Business Email Compromise: How It Happens and Why You May Be at Risk

Classic literature, cinema, and other media have cleverly played on the “mistaken identity” trope for centuries: Shakespeare’s “Twelfth Night,” Hitchcock’s “North by Northwest,” the Coen brothers’ “The Big Lebowski.” Mistaken identities may be rare in reality, but with the advent of email they have never been easier to manufacture. Rather than having to look like, sound like, or even share a name with someone (like Lebowski) to pass as them, these days it takes only one email address to control perception and manipulate a recipient.

Since its creation and subsequent widespread usage, email has become critical infrastructure. Personal email accounts hold the credentials for individual purchases and other accounts, government accounts can engage and organize community members, and business email accounts hold the power to conduct wire transfers, offer insight into a network, and carry a plethora of other valuable conversations. While any of these accounts in the wrong hands could yield anything from inconvenience to disaster, we see that Business Email Compromise (BEC) often does some of the worst damage.

BEC: How It Happens

BEC often combines several deception methods, and threat actors pursue it for several different motivations. According to the FBI, a traditional BEC attack unfolds in four stages: organized crime groups begin by identifying a target, groom them for the best entry method, exchange information, and finally commit fraud for financial gain. Whether through readily available information on the target’s website or on social media platforms, a threat actor will usually do their homework during the “targeting” stage before attempting to deploy a BEC attack.

Once a target is identified, next comes a “grooming” stage. This stage may include social engineering tactics designed to gather more information or even to gain the trust of employees within an organization. Technical tactics along the lines of general phishing campaigns, targeted “spear phishing” attempts, or even everyday phone calls may be used during this grooming phase to virtually connect with employees in hopes of manipulating them in later stages.

Grooming a target for a BEC attack may take up to several weeks. Still, threat actors are usually working toward a quick payday, which is why they move on to exchanging information as quickly as possible. To appear to be from a trusted source, threat actors may attempt to spoof an email address or website by slightly skewing an organization’s normal naming convention. For example, if your company’s email naming convention is “[email protected],” then a potentially unnoticeable skew could be “[email protected]” or even “[email protected]”. At first glance, these spoofs appear to be legitimate, and therefore give a threat actor more leverage to convince an end user to bend to their will, or simply let the message slip past the user’s notice.
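As an added example (not part of the original post), the following Python classifies inbound sender addresses against an organization’s own naming convention, flagging near misses of the real domain or a colleague’s name on an outside domain. The trusted domain, the known local parts and the sample senders are constructed assumptions.

```python
"""Classify sender addresses against the organization's naming convention (added example)."""

TRUSTED_DOMAINS = {"example.com"}    # assumption: the organization's real domain
KNOWN_PEOPLE = {"j.smith", "a.jones"} # assumption: legitimate local parts at that domain

def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address, trusted=TRUSTED_DOMAINS, people=KNOWN_PEOPLE, max_dist=2):
    """Return 'internal', 'lookalike' (a near miss of a trusted domain or colleague) or 'external'."""
    local, _, domain = address.lower().rpartition("@")
    if domain in trusted:
        return "internal"
    for t in trusted:
        # A few edits away (examp1e.com), or the brand buried in another domain (example-com.net).
        if 0 < edit_distance(domain, t) <= max_dist or t.split(".")[0] in domain:
            return "lookalike"
    if local in people:
        return "lookalike"   # a colleague's name on an outside domain
    return "external"

# Constructed sample of inbound senders to classify.
SAMPLE_SENDERS = ["j.smith@example.com", "j.smith@examp1e.com",
                  "j.smith@example-com.net", "a.jones@mail.invalid", "support@vendor.invalid"]

def summarize(senders=SAMPLE_SENDERS):
    """Map each classification to the senders it received."""
    buckets = {"internal": [], "lookalike": [], "external": []}
    for s in senders:
        buckets[classify_sender(s)].append(s)
    return buckets
```

Anything landing in the "lookalike" bucket is a candidate for an external-sender banner or a quarantine review rather than an outright block, since legitimate partners occasionally share a brand word.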

A New Threat to a Traditional Attack

In addition to spoofing, threat actors also have a full arsenal of social engineering and technical maneuvers to help them achieve their goals. As COVID-19-specific scams have increased recently, the FBI has issued a warning about this threat:

“…Phishing emails [can be] designed to steal email account credentials. Cyber criminals use phishing kits that impersonate popular cloud-based email services. Many phishing kits identify the email service associated with each set of compromised credentials, allowing the cyber criminal to target victims using cloud-based services. Upon compromising victim email accounts, cyber criminals analyze the content of compromised email accounts for evidence of financial transactions. Often, the actors configure mailbox rules of a compromised account to delete key messages. They may also enable automatic forwarding to an outside email account.”

As the FBI states, once BEC occurs a threat actor has several options: escalate the attack from malware to ransomware, commit wire transfer fraud, or manipulate inbox rules for further unauthorized access to internal communications. In the COVID-19 era, the FBI has seen an unfortunate increase in spoofing of the login screens of popular email providers, as mentioned above. An example of a sophisticated spoof from a recent Tetra case is shown below:
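As an added example (not from the original post or the FBI notice), the following Python flags the mailbox-rule abuse the notice describes: rules that forward mail outside the organization or delete and hide matched messages, with extra weight when the rule targets financial subjects. The audit-record shape, the tenant domain and the addresses are constructed assumptions, not a real product schema.

```python
"""Flag inbox-rule changes that match the post-compromise behaviour described above."""

# Assumption: the organization owns example.com; anything else is external.
INTERNAL_DOMAINS = {"example.com"}
# Folders a rule can use to hide matched mail from the mailbox owner.
HIDING_FOLDERS = {"rss subscriptions", "deleted items", "archive", "junk email", "conversation history"}
FINANCIAL_WORDS = {"invoice", "payment", "wire", "ach", "remittance", "bank"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

def assess_rule(event, internal_domains=INTERNAL_DOMAINS):
    """Return the reasons an inbox-rule event looks risky; an empty list means it looks benign."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = event.get("Parameters", {})
    reasons = []
    for key in FORWARD_PARAMS:
        for addr in params.get(key, []):
            if addr.rsplit("@", 1)[-1].lower() not in internal_domains:
                reasons.append(f"{key} sends mail outside the organization: {addr}")
    if params.get("DeleteMessage"):
        reasons.append("DeleteMessage hides matched mail from the mailbox owner")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder buries matched mail in '{folder}'")
    words = {w.lower() for w in params.get("SubjectContainsWords", [])} & FINANCIAL_WORDS
    if reasons and words:
        reasons.append("rule targets financial subjects: " + ", ".join(sorted(words)))
    return reasons

def triage(events, internal_domains=INTERNAL_DOMAINS):
    """Map 'user:rulename' to its reasons for every risky event in the batch."""
    findings = {}
    for ev in events:
        reasons = assess_rule(ev, internal_domains)
        if reasons:
            findings[f"{ev['UserId']}:{ev['Parameters'].get('Name', '?')}"] = reasons
    return findings

# Constructed sample events in a simplified audit-record shape (an assumption, not a product schema).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@example.com",
     "Parameters": {"Name": "Invoices", "SubjectContainsWords": ["invoice", "wire"],
                    "ForwardTo": ["ap.clerk.example@mail.invalid"], "DeleteMessage": True}},
    {"Operation": "New-InboxRule", "UserId": "hr@example.com",
     "Parameters": {"Name": "Payroll", "SubjectContainsWords": ["payroll"], "MoveToFolder": "RSS Subscriptions"}},
    {"Operation": "New-InboxRule", "UserId": "ceo@example.com",
     "Parameters": {"Name": "Team", "ForwardTo": ["assistant@example.com"]}},
]
```

Running `triage(SAMPLE_EVENTS)` reports the first two rules and ignores the third, which only forwards to a colleague inside the organization.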

The authentic login screen:

A screenshot of an authentic Office 365 login screen.

The spoofed login screen:

A screenshot of a spoofed Office 365 login screen.

Further insights from Microsoft on how to spot spoofs are also available on their help website.

How to Safeguard Against BEC

BEC can encompass several forms of deceptive cybercrime and can be difficult to spot during the act of communicating. Luckily, there are tell-tale signs of how this crime unfolds, and ways to prevent it. In an effort to keep legitimate email accounts from being compromised, Tetra first recommends implementing unique accounts (one account per person), unique passwords (one password per account), and a password manager to ensure strong passwords are used across an organization’s toolset and that passwords are not repeated. Maintaining unique passwords for accounts is especially important in the case of breaches that happen outside of the organization, as any breach can yield account credentials. If those credentials are duplicated across multiple accounts, threat actors are sure to find them and use the stolen credentials elsewhere.

Tetra echoes SentinelOne’s equally important technical safeguards such as implementing Multi-Factor Authentication (MFA), both technically and as a philosophical principle. Before BEC leads to financial damages like wire transfer fraud, be sure to have a system in place that verifies the authenticity of the second party via a phone number or other credential that was not shared in the same email thread. When logging into existing accounts, implement MFA as a safeguard against threat actors who have obtained stolen credentials, as they will more than likely not be able to bypass a second method of authentication if they only have a password and email address.

Further recommendations for IT administrators specifically include adding email banners to messages that alert users whether a message comes from an internal or external email address. Alerts should be set up to track and notify IT when suspicious activity occurs, such as logins from unapproved or drastically far away locations. Authentication measures such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) should also be configured to ensure the authenticity of sender addresses.
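As an added example (not from the original post), the following Python grades SPF and DMARC TXT records for the settings that leave a domain open to spoofing, and places a weak record pair beside a hardened one. The records and the example.com domain are constructed; a real deployment would fetch the TXT records from DNS first.

```python
"""Grade SPF and DMARC TXT records for the weak settings that let spoofed mail through."""

def parse_tags(record):
    """Split 'k=v; k2=v2' DMARC text into a dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    """Return weaknesses in an SPF record; an empty list means unlisted senders hard-fail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    # The final 'all' mechanism decides what happens to every sender not listed before it.
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return ["no 'all' mechanism: unlisted senders get no verdict at all"]
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    verdicts = {
        "+": "'+all' authorizes every host on the internet to send as this domain",
        "?": "'?all' is neutral: spoofed mail is neither passed nor failed",
        "~": "'~all' is soft fail: receivers may still deliver spoofed mail",
    }
    return [verdicts[qualifier]] if qualifier in verdicts else []

def check_dmarc(record):
    """Return weaknesses in a DMARC record; an empty list means enforcement is on."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        issues.append(f"p={policy or 'missing'}: spoofed mail is not rejected")
    if tags.get("sp", policy).lower() != "reject":
        issues.append("subdomain policy is not reject: lookalike subdomains can be spoofed")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']}: the policy applies to only part of the failing mail")
    if "rua" not in tags:
        issues.append("no rua address: no aggregate reports to reveal spoofing attempts")
    return issues

# Constructed records for example.com: the weak pair beside the hardened pair.
WEAK_SPF = "v=spf1 include:_spf.mail.invalid ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 include:_spf.mail.invalid -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com"
```

A `p=none` record still earns aggregate reports when `rua` is set, which is the usual first step before moving to `quarantine` and then `reject`.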

Keep End Users Aware

BEC is one of many forms of cybercrime that sheds light on how much a threat actor can get away with under the premise of mistaken identity. Under false pretenses, we’ve seen numerous organizations fall victim to scams from “trusted” senders. While technical mechanisms can help serve as safeguards against BEC, security training is what actually equips employees with the knowledge and experience required to stop BEC before it happens. Tetra is a firm proponent of awareness programs and employee security training initiatives — they are critically important for protecting the sensitive data that organizations possess, and employees benefit by learning how to recognize social engineering tactics and other malicious activity.

It may be difficult to appear as a different person in reality, but it has never been easier to deceive people via email or phone. While the classic media trope may have trouble adjusting to this new technology, threat actors have and will continue to use it as a critical part of their everyday tactics.
