Article by: Oliver Neal, Incident Response Specialist, Pragma.
With a recent, slow decline in ransomware-based cyber-attacks, Business Email Compromises have been on the rise across the globe. Like most attacks, Business Email Compromises are non-discriminatory: the victims are not selected by an attacker before they proceed to compromise an organisation’s email systems.
A recent advertisement released by the UK government reminds the nation about cyber awareness and urges everyone to be vigilant and active in the defence against the growing threat of cyber-crime. Small businesses and large organisations face the same level of risk across the board. As the advertisement makes clear, it is important that everyone learns how to stay safe from cybercrime.
What is a Business Email Compromise?
A Business Email Compromise (BEC) takes place when an unknown Threat Actor (TA) or a group of cybercriminals successfully compromises the email tenant of an organisation. While a BEC can occur in complex ways, such as exploiting vulnerabilities to gain access to mail servers or stealing devices that belong to employees to access their email accounts, most TAs compromise mail accounts by phishing (stealing) an employee’s email credentials. It is also possible by purchasing already-available stolen credentials on the dark web, which works against users who share the same password across accounts.
Most successful and targeted attacks steal credentials through phishing emails in which a TA asks a user to log in to an online portal to secure their account or view a document. The links contained in these emails direct unsuspecting victims to fake login pages, from where the password is sent straight to the TA. From the moment the TA has access to an email tenant, it is up to them how they monetise their attack. Most commonly, we see email threads between clients intercepted in order to divert invoice payments directly to a criminal’s bank account.
BEC Attack through Emails
Threat actors commonly send out large waves of phishing (fraudulent) emails using automated accounts. These phishing emails can appear in a variety of forms, such as a request to log in to your business bank account or a demand for payment of an invoice for a service you probably never used. Most commonly, these emails ask a user to log in to their email account to make changes to an account or review a document. The links embedded within these phishing emails take victims to genuine-looking but fake login pages built to steal credentials.
Once a threat actor has your credentials, they will use that sensitive information to monetise their attack in every possible way. This usually means sending invoices to the finance manager of a business that request payment into bank accounts owned by the threat actor. Another way to make money from these credentials is to export all possible data from your mailbox and hold it for ransom, threatening to release it.
How do you safeguard your business from BEC?
The most sure-fire way for a business of any size to protect itself is to enforce a strong password policy alongside Multi-Factor Authentication (MFA). A unique password for each account, at least 8 to 10 characters long and drawn from a range of character types, will prevent one stolen credential from unlocking other accounts. More complex passwords are difficult to remember, so password storage tools can come in handy. MFA provides a last line of defence for most organisations, as account holders must supply a unique code from an authenticator app before they can log in.
Remember that it is important never to share credentials between accounts. A business can be compromised if you reuse your organisation’s email credentials on another service, because that password can very quickly make its way onto the dark web for sale. Credentials are bought and sold on the dark web like any other commodity.
HIBP (Have I Been Pwned) is a free and useful tool to check whether any credentials associated with your email account have been exposed in a known breach.
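As an added example (not part of the original article), the following Python script checks a password against the HIBP Pwned Passwords range API using its k-anonymity model: only the first five characters of the password’s SHA-1 hash leave your machine, and the full hash is matched locally against the returned list. The live `fetch_range` function talks to the real endpoint; the `SAMPLE_RESPONSE` and its counts are constructed here so the check can be exercised offline.

```python
import hashlib
import urllib.request
from typing import Callable

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # HIBP Pwned Passwords endpoint

def split_sha1(password: str) -> tuple[str, str]:
    """(5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest.
    Only the prefix is ever sent to HIBP; the suffix is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns.
    Padded responses include decoy suffixes with count 0; they are kept as 0."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:  # skip blank or malformed lines
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix: str) -> str:
    """Live lookup of one hash prefix. 'Add-Padding' asks HIBP to pad the
    response so its size does not reveal how many real matches it holds."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "bec-password-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetcher: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not found)."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetcher(prefix)).get(suffix, 0)

# Constructed sample response for prefix 5BAA6 (SHA-1 of "password"). The
# suffixes other than the middle one and all counts are made up for this example.
SAMPLE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    "7FAF1F5B1A5A7B8E6A1D4C3F2B1A0E9D8C7:0\n"
)

def offline_demo() -> dict[str, int]:
    """Run the check against the constructed response instead of the network."""
    stub = lambda prefix: SAMPLE_RESPONSE  # pretend HIBP answered for any prefix
    return {p: breach_count(p, stub)
            for p in ("password", "c0rrect-horse-battery-staple-2024")}
```

Calling `breach_count("...")` without a stub performs the real lookup; a non-zero result means the password is already in circulation and must not be used for an email account.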
Here are five more ways to help defend your business against possible BECs:
- Start a conversation about cyber security within your business, even if you work alone. The first and most important step to getting a business protected is to acknowledge that cybersecurity matters as much to protecting your organisation and customers from external threats as the key to your shop or the combination to a safe.
- While it is unrealistic to expect staff to detect every phishing attempt, all staff must be trained to recognise phishing emails. Read the guidelines on how to set up alerts for phishing scams, and seek advice from IT companies.
- Keep all devices in your organisation up to date, including mobiles and work from home devices.
- Take time to review your email tenant’s security settings and optimise them for the work you perform. Office 365 offers many ways to help organisations stay safe while recording activity within the email tenant.
- Use a password manager across the organisation so that your unique passwords are kept in a safe place and not on sticky notes or in notepads.
If you need further advice on this topic, please connect with Pragma to discuss potential options.
Pragma is a CREST approved global provider of cybersecurity solutions. We help organisations strengthen cyber resilience and safeguard valuable information assets with a pragmatic approach. Headquartered in Asia and Europe, and with regional offices around the world, we provide Cyber and Regulatory Consultancy, Incident Response, Cloud Security and Security Testing services.