Pratum Blog


Ransomware has dominated the year’s headlines, but Americans suffer far more damage from business email compromise than from any other attack, according to the FBI. The feds reported earlier this year that business email compromise cost more than $1.8 billion in 2020. Throw in business email compromise’s cousin, phishing, and you can tally another $54 million in damages. The boom in business email compromise (BEC) attacks means you should make it a top priority to train your team to spot this scam.

BEC attacks use sophisticated techniques that can trick all but the most attentive email users. Attackers typically impersonate a legitimate contact asking for a transfer of funds. But when victims send the money, it lands in a bank account controlled by the bad guys. The hackers quickly convert the money to cryptocurrency or shift it into other untraceable channels. It may be days before you even know you sent the money to an imposter.

Hackers typically send an email that seems to be coming from either a co-worker or a legitimate vendor. And, in fact, the bogus message may be coming from a legitimate account that hackers have overtaken. The hacker may even be talking about a legitimate payment you’re expecting to make. The only difference is the account they have you send it to.

The examples below show how BEC attacks work and red flags you can watch for to ensure you don’t fall prey to this ruse.

Stages of Business Email Compromise

Figure: Stages of Business Email Compromise. Step One: ID Target. Step Two: Grooming Target. Step Three: Transfer of Information. Step Four: Wire Transfer.

Source: FBI

How to Spot Business Email Compromise

Figure: Original email message used to steal user credentials. Red flags of BEC shown: spoofed email address and a malicious link.

Figure: Spoofed email messages used to cause a fraudulent payment. Red flags of BEC shown: real data used to fool you; timing; suspicious attachments; sudden change in normal procedure and/or urgency; and unusual name usage.

Red Flags of Business Email Compromise

1. Spoofed address – Look carefully at the actual domain name, not just the sender’s display name. This spoofed domain has an extra character in the company name.

2. Malicious link – This link actually leads to a credential harvesting site. Hover your mouse pointer over the link before clicking it to confirm that it's going to the expected address.

3. Real data used to fool you – Because hackers may be monitoring your email, they may jump into a legitimate thread. In this case, the first message in the sequence came from a real vendor talking about a real invoice. The hackers then inserted themselves and took over the discussion, cutting the real vendor out of the thread.

4. Timing – This is a fake email from the scammer, who sent the request late in the week, hoping to catch an employee rushing to complete tasks before leaving.

5. Suspicious attachments – If you’re not expecting an attachment, don’t open it. Call the sender to confirm it’s a legitimate file.

6. Sudden change in normal procedure and/or urgency – Be extremely wary of changes in deadlines, bank accounts, etc. Call your contact to confirm what’s happening.

7. Unusual name usage – Hackers posing as legitimate contacts often fumble the details of names, so pay attention to any discrepancies, such as someone who normally goes by “Michael” signing a message as “Mike.”
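
The first two red flags above (a domain with one extra or changed character, and a link whose real target differs from what it displays) can be checked automatically before a message reaches the inbox. The following is an added example, not code from Pratum; the trusted vendor domains and the sample message are constructed for the demonstration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed trusted vendor domains; in practice load them from the vendor master file.
TRUSTED_DOMAINS = {"acme-supply.com", "example-bank.com"}

def one_edit_away(a: str, b: str) -> bool:
    """True when b is a with one character inserted, deleted or substituted."""
    if len(a) < len(b):
        a, b = b, a                       # make a the longer string
    if a == b or len(a) - len(b) > 1:
        return False
    for k in range(len(b)):
        if a[k] != b[k]:
            # skip the offending character (in both strings for a substitution)
            return a[k + 1:] == b[k + (len(a) == len(b)):]
    return True                           # b is a, minus its last character

def lookalike_domain(from_header: str):
    """Red flag 1: the trusted domain the sender's real domain imitates, else None."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return None
    return next((t for t in sorted(TRUSTED_DOMAINS) if one_edit_away(domain, t)), None)

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def mismatched_links(html: str):
    """Red flag 2: anchors whose visible URL names a different host than the real target."""
    flagged = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()   # drop tags nested in the anchor
        if "." not in text or " " in text:            # visible text is not a URL or host
            continue
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        if shown and urlparse(href).hostname != shown:
            flagged.append((text, href))
    return flagged

# Constructed sample: extra "p" in the vendor domain, and a link whose visible text
# shows the vendor portal but whose real target is a credential-harvesting host.
SAMPLE_FROM = "Accounts Payable <ap@acme-suppply.com>"
SAMPLE_BODY = ('<p>Updated invoice: <a href="https://login-verify.example.net/o365">'
               'https://portal.acme-supply.com/invoice</a></p>')

if __name__ == "__main__":
    print("sender domain imitates:", lookalike_domain(SAMPLE_FROM))
    print("links to check before clicking:", mismatched_links(SAMPLE_BODY))
```

A hit from either function is a reason to pick up the phone and confirm with the contact, not proof of fraud on its own.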

For help with training your team to spot BEC or creating a simulated phishing test for your organization, contact Pratum today.


If you could put a CISO on your team for one week, where would they set your cybersecurity priorities? Pratum’s Jeff Hudgens gave his answer on a recent cybersecurity panel hosted by Iowa’s Secretary of State. Jeff, an experienced cybersecurity pro now serving clients as a Pratum vCISO, framed the advice he gives clients into two categories:

  • 4 first steps for setting your information security strategy
  • 5 areas to guide your cybersecurity priorities

4 First Steps in Cybersecurity Strategy

If Jeff were starting his own company today, he’d start setting cybersecurity priorities with these four fundamental steps:

1. Develop A Committed Mindset

Too often, Jeff sees organizations fumble the follow-through on their public statements about cybersecurity. Social engineering training provides a common example. “Leadership sets the tone,” Jeff says. “The C-suite can’t be exempt from testing or skip the training.”

Leaders also must commit to taking security frameworks seriously, which means choosing the framework that actually fits your business. “Controls are there because they’re right for your business, not just because they’re something you do to simply check a box. Make sure the controls you select are reasonable for what you do.”

2. Understand ALL of Your Assets

“Most people focus conversations around data, which is a key piece. But think about the systems the data is on.” Jeff frequently hears clients talking about protecting their data, but they balk at spending money to update the 8-year-old servers the data sits on. “You’re kind of stuck on what you can do with that,” Jeff says, “and you’ll introduce vulnerabilities around that.”

Staff time represents another asset to manage carefully. Jeff points to the example of a CIO who is personally making changes in Active Directory, which means the CIO ISN’T thinking about strategic direction. It makes business sense to invest in some entry-level help to free up leaders to lead the organization.

3. Let Your Actual Risks Drive Your Investments

“You have a limited budget for IT and security,” Jeff says. “If you’re not doing risk assessments and keeping a risk register, then you’re not using facts to drive your program and where you put your effort.” Make sure your program for identifying and ranking risks is driving your decisions.

4. Focus on Progress, Not Perfection

Set manageable goals. “I see a lot of organizations try to pack five years worth of work into a year and a half, and that just stresses the team,” Jeff says. He recommends turning a large portfolio of risks into ranked priorities that you can tackle and cross off the list. “Let’s just move the ball down the field rather than trying to score a touchdown.”


How to Set Cybersecurity Priorities

With the right first steps, you can turn to five areas that Jeff recommends as a focus for your limited resources.

1. Assess and Measure Risks

Start with a comprehensive information security risk assessment, which forms the cornerstone for your entire security program. During a risk assessment, an experienced consultant takes a deep dive into every corner of your information security approach, including written policies, software updates, employee habits and more.

Along with that risk assessment (which many companies conduct annually in order to keep up with changes in the organization), be sure to include ongoing vulnerability scanning and recurring pen tests in your plan. “Many people don’t put vuln scans and pen tests in the budget,” Jeff says. “But they provide some of the best returns on investment.” Vuln scanning provides automated recon that spots known vulnerabilities in your system. In a pen test, an ethical hacker acts like a threat actor and tests your defenses. Whether the test goes after your internal or external infrastructure, Jeff says you’ll get the most actionable information possible about your security posture.

He also recommends creating key metrics for measuring performance and potential risks over time, providing important benchmarks of your progress. (That kind of data is critical to securing ongoing budget for these tests.)

2. Develop High-Quality Policies and Plans

Many organizations lack written information security policies. And many policies are written in ways that are unenforceable. Jeff advises dedicating real thought to these key documents. “Think carefully about your policies. Make sure you cover what you want to cover. Make sure they’re actionable, but keep them reasonable and don’t let them get draconian.”

Jeff puts an especially heavy emphasis on developing a thorough incident response plan. “If I were focusing on one key piece, it would be an incident response plan.” A recent IBM study showed that companies that keep a written incident response plan and test it regularly reduced the cost of a data breach by an average of 55%.

3. Implement End-User Awareness and Training

Improving every employee’s security awareness clearly pays off, considering that about 80% of all data breaches involve some kind of social engineering. Training and simulated phishing campaigns work—if they’re well-planned, well-executed and given time to work. Jeff emphasizes that organizational leaders should stop thinking of end users as the weak link in security programs and start enlisting them as frontline defenders.

4. Invest in Alerting and Monitoring

“If you can’t see it happening in your system, you can’t fix it,” Jeff says. That’s why he considers a monitoring solution such as SIEM essential—and a next-gen protection platform such as managed XDR even better. IBM’s study showed that organizations that had security AI and automation in place spent 80% less handling a breach.

5. Set Up Third-Party Vendor Management

Supply chain attacks have been growing exponentially for months. In attacks like the famous Kaseya breach of 2021, hackers slip malware into a supplier’s system, then let it quickly cascade out to all of their partners. And Jeff notes that small businesses shouldn’t count on their obscurity to protect them. Hackers often use small companies as their entry point into the larger companies that they serve through the supply chain.

To learn how Jeff or another Pratum vCISO can help set up your specific cybersecurity strategy, visit our vCISO service page.


“Should we call the cops?” It’s one of the first questions inside the war room of most organizations facing a data breach. And by “cops,” most of us are thinking “FBI.” But will the FBI actually care about your case? Can they help before you even understand what happened? Who would you even call if you wanted to?

FBI Special Agent Dean Neubauer, part of the Omaha, Nebraska, Field Office’s cyber squad, recently joined Pratum on a panel hosted by Iowa’s Secretary of State. Agent Neubauer’s team includes analysts, computer scientists and CART personnel (the Computer Analysis Response Team that handles digital forensics). His insights reveal what you need to know about working with the FBI on a breach—including steps you can take right now before a breach hits you.

What the FBI Is Watching: Business E-mail Compromise

“Outside of very large ransoms, we see the most damage from business e-mail compromise (BEC), on the order of about $2 billion in business loss per year,” Agent Neubauer says. “A week and a half ago, we dealt with an Iowa company that was a victim of a compromise that cost them $2.3 million.”

BEC scams typically involve a message that seems to come from a co-worker or trusted vendor but includes a bogus link. For example, Pratum recently worked a case in which an accounts payable employee unwittingly sent a $400,000 payment to a malicious actor’s bank account. The hacker inserted themselves into an e-mail thread about a real invoice, then fooled the employee into using a new account number.

In the case Agent Neubauer recently worked, a hacker took control of the company CFO’s e-mail address and tricked employees into transferring funds. The typical cause of these breaches is someone using the same password in multiple places, which makes it far easier for hackers to steal credentials.

The FBI’s Cybersecurity Tips

Clearly, your best strategy is to never need the FBI’s assistance. To secure your system, Agent Neubauer emphasizes several cybersecurity basics.

  • Properly log events and store the records – A system monitoring solution such as SIEM or XDR maintains logs that provide the FBI’s starting point for an investigation. But agents find many organizations using basic systems that retain logs for no more than 48 hours. That’s rarely much help, considering that hackers typically lurk in the system for weeks or months before you detect them. Two days of logs gives investigators almost nothing to go on. Pratum’s policy for its SIEM/XDR clients is to retain logs for a full year.
  • Implement Multifactor Authentication – MFA makes you more secure, period. “Ninety-five percent of the business e-mail compromise victims I have contact with don’t have MFA enabled at the time,” Agent Neubauer says. In one recent case, he says, the victim exempted part of its system from using MFA. Guess where the threat actors got in?
  • Patch your systems – This is another classic best practice, but countless organizations let it slide, leaving known vulnerabilities wide open to exploitation.
    Agent Neubauer puts special emphasis on updating VPN devices, which are a favorite target for hackers. In one recent week, Agent Neubauer’s office saw five different Iowa companies exploited via the same SonicWall VPN. The hackers found the vulnerabilities via scanning tools, then sent in human hackers to start pivoting and escalating through the network.
  • Test your backups – It’s not enough simply to have data backups. You also need proof that you can rapidly and reliably restore data from the backups. That means testing them.
  • Beware of professional social media scams – The FBI has seen a spike in hackers phishing employees through LinkedIn or other professional social media platforms rather than through their company e-mail account. Scammers send the victim a link to an attractive job listing or a document that appears valuable. The link often leads to what looks like an Office 365 login page. In reality, it’s a credential harvester that hackers use to steal login information. But again, if you have MFA in place, they won’t be able to get in, even with your credentials.

When to Contact the FBI

Notify the FBI as soon as you suspect an attack. For example, your team may spot a phishing e-mail before anyone in your office falls for it. Telling the FBI about it lets them add the spoofed domain to the files accessed by offices nationwide.

Some organizations hesitate to call the FBI because they fear word will get out about their breach. But Agent Neubauer says the FBI won’t leak the information. “We won’t go to the media, with the exception of issuing a press release following an arrest,” he says. If you hear that a victim company is working with the FBI, that’s because the victim company or one of its vendors alerted the media.

Even if you’re not currently dealing with a breach, the FBI likes to hear from you. “It gives us a chance to network and establish relationships,” Agent Neubauer says. “That way in the future, you’re not having to cold call and work through to the cyber squad. When minutes matter, that’s critical.”

How to File a Report

The process starts when you file a report with the Internet Crime Complaint Center (IC3). Reporting your breach can activate the FBI’s recovery of assets team, which could dramatically reduce your financial loss. A detailed IC3 complaint about a fraudulent bank transfer, for example, includes details like the sending bank, receiving bank, account numbers, amounts involved, etc. Thanks to extensive relationships with financial institutions, the FBI can instigate a financial fraud kill chain that freezes accounts and may get your money back.

How the FBI Responds

Agent Neubauer says a special agent may show up to gather information, including logs, and put it into their systems. Your situation may require a full incident response from a team of agents and other professionals (the Cyber Action Team) that can be on-site anywhere in 24 hours. “We’d be looking for how the actors got in, what they took, what they’re using to communicate,” Agent Neubauer says. “It’s all the same stuff traditional IR would do, but it’s focused on a criminal prosecution and not how to fix your stuff.”

If you need help preparing your incident response plan, including how you’ll work with law enforcement, contact Pratum today.
