Ransomware has dominated the year’s headlines, but Americans suffer far more damage from business email compromise than any other attack, according to the FBI. The feds reported earlier this year that business email compromise cost more than $1.8 billion in 2020. Throw in business email compromise’s cousin of phishing, and you can tally another $54 million in damages. The boom in business email compromise (BEC) attacks means you should make it a top priority to train your team to spot this scam.
BEC attacks use sophisticated techniques that can trick all but the most attentive email users. Attackers typically impersonate a legitimate contact asking for a transfer of funds. But when victims send the money, it lands in a bank account controlled by the bad guys. The hackers quickly convert the money to crypto currency or shift it into other untraceable channels. It may be days before you even know you sent the money to an imposter.
Hackers typically send an email that seems to be coming from either a co-worker or a legitimate vendor. And, in fact, the bogus message may be coming from a legitimate account that hackers have overtaken. The hacker may even be talking about a legitimate payment you’re expecting to make. The only difference is the account they have you send it to.
The examples below show how BEC attacks work and red flags you can watch for to ensure you don’t fall prey to this ruse.
1. Spoofed address – Look carefully at the actual domain name, not just the sender’s display name. This spoofed domain has an extra character in the company name.
2. Malicious link – This link actually leads to a credential harvesting site. Hover your mouse pointer over the link before clicking it to confirm that it's going to the expected address.
3. Real data used to fool you – Because hackers may be monitoring your email, they may jump into a legitimate thread. In this case, the first message in the sequence came from a real vendor talking about a real invoice. The hackers have inserted themselves and took over the discussion, cutting the real vendor out of the thread.
4. Timing – This is a fake email from the scammer, who sent the request late in the week, hoping to catch an employee rushing to complete tasks before leaving.
5. Suspicious attachments – If you’re not expecting an attachment, don’t open it. Call the sender to confirm it’s a legitimate file.
6. Sudden change in normal procedure and/or urgency – Be extremely wary of changes in deadlines, bank accounts, etc. Call your contact to confirm what’s happening.
7. Unusual name usage – Hackers posing as legitimate contacts often fumble the details of names, so pay attention to any discrepancies, such as someone who normally goes by “Michael” signing a message as “Mike.”
For help with training your team to spot BEC or creating a simulated phishing test for your organization, contact Pratum today.
If you could put a CISO on your team for one week, where would they set your cybersecurity priorities? Pratum’s Jeff Hudgens gave his answer on a recent cybersecurity panel hosted by Iowa’s Secretary of State. Jeff, an experienced cybersecurity pro now serving clients as a Pratum vCISO, framed the advice he gives clients into two categories:
If Jeff were starting his own company today, he’d start setting cybersecurity priorities with these four fundamental steps:
Too often, Jeff sees organizations fumble the follow-through on their public statements about cybersecurity. Social engineering training provides a common example. “Leadership sets the tone,” Jeff says. “The C-suite can’t be exempt from testing or skip the training.”
Leaders also must commit to taking security frameworks seriously, which means choosing the framework that actually fits your business. “Controls are there because they’re right for your business, not just because they’re something you do to simply check a box. Make sure the controls you select are reasonable for what you do.”
“Most people focus conversations around data, which is a key piece. But think about the systems the data is on.” Jeff frequently hears clients talking about protecting their data, but they balk at spending money to update the 8-year-old servers the data sits on. “You’re kind of stuck on what you can do with that,” Jeff says, “and you’ll introduce vulnerabilities around that.”
Staff time represents another asset to manage carefully. Jeff points to the example of a CIO who is personally making changes in Active Directory, which means the CIO ISN’T thinking about strategic direction. It makes business sense to invest in some entry-level help to free up leaders to lead the organization.
“You have a limited budget for IT and security,” Jeff says. “If you’re not doing risk assessments and keeping a risk register, then you’re not using facts to drive your program and where you put your effort.” Make sure your program for identifying and ranking risks is driving your decisions.
Set manageable goals. “I see a lot of organizations try to pack five years worth of work into a year and a half, and that just stresses the team,” Jeff says. He recommends turning a large portfolio of risks into ranked priorities that you can tackle and cross off the list. “Let’s just move the ball down the field rather than trying to score a touchdown.”
With the right first steps, you can turn to five areas that Jeff recommends as a focus for your limited resources.
Start with a comprehensive information security risk assessment, which forms the cornerstone for your entire security program. During a risk assessment, an experienced consultant takes a deep dive into every corner of your information security approach, including written policies, software updates, employee habits and more.
Along with that risk assessment (which many companies conduct annually in order to keep up with changes in the organization), be sure to include ongoing vulnerability scanning and recurring pen tests in your plan. “Many people don’t put vuln scans and pen tests in the budget,” Jeff says. “But they provide some of the best returns on investment.” Vuln scanning provides automated recon that spots known vulnerabilities in your system. In a pen test, an ethical hacker acts like a threat actor and tests your defenses. Whether the test goes after your internal or external infrastructure, Jeff says you’ll get the most actionable information possible about your security posture.
He also recommends creating key metrics for measuring performance and potential risks over time, providing important benchmarks of your progress. (That kind of data is critical to securing ongoing budget for these tests.)
Many organizations lack written information security policies. And many policies are written in ways that are unenforceable. Jeff advises dedicating real thought to these key documents. “Think carefully about your policies. Make sure you cover what you want to cover. Make sure they’re actionable, but keep them reasonable and don’t let them get draconian.”
Jeff puts an especially heavy emphasis on developing a thorough incident response plan. “If I were focusing on one key piece, it would be an incident response plan.” A recent IBM study showed that companies that keep a written incident response plan and test it regularly reduced the cost of a data breach by an average of 55%.
Improving every employee’s security awareness clearly pays off, considering that about 80% of all data breaches involve some kind of social engineering. Training and simulated phishing campaigns work—if they’re well-planned, well-executed and given time to work. Jeff emphasizes that organizational leaders should stop thinking of end users as the weak link in security programs and start enlisting them as frontline defenders.
“If you can’t see it happening in your system, you can’t fix it,” Jeff says. That’s why he considers a monitoring solution such as SIEM essential—and a next-gen protection platform such as managed XDR even better. IBM’s study showed that organizations that had security AI and automation in place spend 80% less handling a breach.
Supply chain attacks have been growing exponentially for months. In attacks like the famous Kaseya breach of 2021, hackers slip malware into a supplier’s system, then let it quickly cascade out to all of their partners. And Jeff notes that small businesses shouldn’t count on their obscurity to protect them. Hackers often use small companies as their entry point into the larger companies that they serve through the supply chain.
To learn how Jeff or another Pratum vCISO can help set up your specific cybersecurity strategy, visit our vCISO service page.
“Should we call the cops?” It’s one of the first questions inside the war room of most organizations facing a data breach. And by “cops,” most of us are thinking “FBI.” But will the FBI actually care about your case? Can they help before you even understand what happened? Who would you even call if you wanted to?
FBI Special Agent Dean Neubauer, part of the Omaha, Nebraska, Field Office’s cyber squad, recently joined Pratum on a panel hosted by Iowa’s Secretary of State. Agent Neubauer’s team includes analysts, computer scientists and CART personnel (the Computer Analysis Response Team that handles digital forensics). His insights reveal what you need to know about working with the FBI on a breach—including steps you can take right now before a breach hits you.
“Outside of very large ransoms, we see the most damage from business e-mail compromise (BEC), on the order of about $2 billion in business loss per year,” Agent Neubauer says. “A week and a half ago, we dealt with an Iowa company that was a victim of a compromise that cost them $2.3 million.”
BEC scams typically involve a message that seems to come from a co-worker or trusted vendor but includes a bogus link. For example, Pratum recently worked a case in which an accounts payable employee unwittingly sent a $400,000 payment to a malicious actor’s bank account. The hacker inserted themselves into an e-mail thread about a real invoice, then fooled the employee into using a new account number.
In the case Agent Neubauer recently worked, a hacker took control of the company CFO’s e-mail address and tricked employees into transferring funds. The typical cause of these breaches is someone using the same password in multiple places, which makes it far easier for hackers to steal credentials.
Clearly, your best strategy is to never need the FBI’s assistance. To secure your system, Agent Neubauer emphasizes several cybersecurity basics.
Notify the FBI as soon as you suspect an attack. For example, your team may spot a phishing e-mail before anyone in your office falls for it. Telling the FBI about it lets them add the spoofed domain to the files accessed by offices nationwide.
Some organizations hesitate to call the FBI because they fear word will get out about their breach. But Agent Neubauer says the FBI won’t leak the information. “We won’t go to the media, with the exception of issuing a press release following an arrest,” he says. If you hear that a victim company is working with the FBI, that’s because the victim company or one of its vendors alerted the media.
Even if you’re not currently dealing with a breach, the FBI likes to hear from you. “It gives us a chance to network and establish relationships,” Agent Neubauer says. “That way in the future, you’re not having to cold call and work through to the cyber squad. When minutes matter, that’s critical.”
The process starts when you file a report with the Internet Crime Complaint Center (IC3) at this site . Reporting your breach can activate the FBI’s recovery of assets team, which could dramatically reduce your financial loss. A detailed IC3 complaint about a fraudulent bank transfer, for example, includes details like the sending bank, receiving bank, account numbers, amounts involved, etc. Thanks to extensive relationships with financial institutions, the FBI can instigate a financial fraud kill chain that freezes accounts and may get your money back.
Agent Neubauer says a special agent may show up to gather information, including logs, and put it into their systems. Your situation may require a full incident response from a team of agents and other professionals (the Cyber Action Team) that can be on-site anywhere in 24 hours. “We’d be looking for how the actors got in, what they took, what they’re using to communicate,” Agent Neubauer says. “It’s all the same stuff traditional IR would do, but it’s focused on a criminal prosecution and not how to fix your stuff.”
If you need help preparing your incident response plan, including how you’ll work with law enforcement, contact Pratum today.
Get our blog articles delivered
to your inbox: