Posted 1 year, 5 months ago
Of all the ways a hacker can gain access to your confidential business information, Business Email Compromise, or BEC, is one of the least well understood in the business community. There are many reasons for this, among them a lack of understanding of the role social engineering plays and the myriad ways a hacker can ‘obtain’ a legitimate company email address to use to launch their attack.
Today, we’re going to give you a quick rundown of the type of BEC you need to be aware of. Then we’ll be talking about what it is that makes these attacks so difficult to defend against, and how an automated email encryption solution is your best bet for building a full defensive wall around your proprietary business data.
BEC attacks are defined by the FBI (which notes that BEC is on the rise as a result of the COVID-19 crisis) as a computer crime around legitimate fund transfers, where the criminal impersonates a company employee, like a CEO, an executive-level employee, a supplier or a customer of a company that conducts business electronically. The key is that the business has to regularly send money by wire to accounts abroad, as the goal of the attack is to have compromised business wire money into an account owned by the criminal.
All BEC attacks have similar starting points. The fraudster will have either found a publicly listed email address for a company executive that they spoof, or they will have used social engineering to gain that same information. The latter can be as easy as calling the main office and posing as a potential client or business contact and feigning loss of a recent contact’s information, and it can go as far as requesting new account passwords from the IT helpdesk. Since executives often travel extensively and attend business functions that the admin staff may not know about, this can be easier than you’d think. Another means by which the hacker can obtain this initial information is by installing a keylogger via malware or phishing attack.
Once they know an email address, they are easily able to fake it. If they were more sophisticated and successful in obtaining the credentials to the account, they could simply use it themselves. The hacker will then begin contacting people within the company who have can initiate wire transfers. These requests and authorizations will seem reasonable on the surface, as executives have many reasons to request transfers to buyers, suppliers, or other contacts, so being asked to send money to a new account (owned by the fraudster, of course) won’t seem out of the ordinary.
Once they have access and are able to send email “as” the hacked individual, there are five primary schemes used by BEC attackers (as defined by the FBI):
You can see from this list that there are definitely themes to BEC attacks, along with common tropes. The attackers are usually located in a country other than where the company under attack is based. They will often employ common spoofing methods or phishing tactics that can be purchased on the dark web rather than using unique code or engineered attacks. You’ll also see the large role played by social engineering, from obtaining the email address to contacting an organization’s IT or finance department, to asking for password resets or for account information to be changed.
As we’ve mentioned, the primary reason these attacks are hard to plan for and defend against is the heavy dose of social engineering involved. Social engineering refers to any time a hacker uses in-person tactics rather than their computer skills to obtain information or otherwise compromise a company’s interests. Social engineering can range from piggy-backing, which is when someone enters a building without using a passcard or code by following someone else closely, all the way to making phone calls and posing as service providers, clients, or executive’s family members in order to request personal data.
The only effective way to defend against social engineering is employee training and solidly enforced procedures. Telling employees not to let someone piggy-back is a start, but unless you have security at every entrance enforcing that rule, someone will find a way to slip in. Having new hires sign an information security pledge, or contract, on their first day is a popular option these days. These documents lay out what steps each employee is expected to take to keep their data and equipment secure, along with the penalties for not adhering to the rules. Again, the problem lies in enforcement. If you’re not following them home every day, it’s hard to ensure someone doesn’t leave their company laptop lying around.
The digital aspects of a BEC attack can include email address spoofing, keyloggers, malware, and even phishing scams. These are mostly employed in the beginning stages of the attack when the hacker is still trying to gain entry to the company. They may send a malware-laden email to a general inbox in the hopes that an admin somewhere won’t know any better and will open it, unleashing a keylogger or other intrusion that can collect information and send it back to the hacker.
Email spoofing is when the hacker sends emails from their own server that appear, to the recipient, to come from someone else entirely. An email might appear to be from CEO@ABCompany.com, but in reality, it’s coming from a scam server farm somewhere else in the world.
Once the hacker is set up, either via a legitimate email account they’ve hacked or via a spoofed address, they set about the main part of the attack—getting someone to wire money directly to their overseas account.
With all that talk about social engineering, you might be left wondering if there is anything digital you can do to help protect your company from BEC attacks. And the short answer is—YES, of course there is. Many companies use anti-phishing tools that attempt to filter out e-mails that aren't ‘kosher’. These tools work with blacklists and algorithms, that very often lead to a high number of false-positives. It has gone mostly unnoticed that an automated end-to-end email encryption scheme can help keep your company’s confidential data just that, confidential, and safely eliminate BEC with all company accounts in one simple step. Plus, it doesn’t need to interfere with already existing anti-phishing tools.
p≡p verifies trusted senders at the individual level, leaving no question for the receiver as to the validity of messages in their inbox, which are labeled with a colored indicator so the employee can see at a glance what the status of every message is (i.e. who it is really from and that the content is untampered with), all without false positives.
Any email coming from inside the organization will be fully encrypted and flagged as legitimate, so p≡p will let these messages through with a green light. As a spoofed address will come with an incorrect key and trust, p≡p will let users know with a bright red indicator that this e-mail is a CYBERATTACK.
This protection extends to stopping spamming and phishing scams as well. Spammers do not have the capacity to encrypt every e-mail and will always miss the necessary encryption keys; as such, encrypted spam will not be possible. Conversely, p≡p allows you to automatically trust all your colleagues in the same company, plus any suppliers or customers, via a one-time comparison of 5 trust words. Thus, your employees will know immediately which emails to stay clear of and which are OK to proceed with by checking the colored (red/yellow/green) status indicator on messages in their inbox.
Another step p≡p takes to protect your organization from BEC attacks is to encrypt not only the message body but the subject line and most header information as well. This eliminates the possibility of a third-party who intercepts your communications from being able to glean any useful information from them.
As an added advantage, p≡p is end-to-end protection, so encryption happens on the sender’s device while decryption takes place on the receiver’s device. This means there is never a time when the message is not fully encrypted and therefore accessible to a hacker on any of the hops it takes on its journey over the internet.
And as a last line of defense against this and other attacks, p≡p automates key management so your employees (and your administrators) never face this time-consuming and confusing task. With p≡p, an employee won’t even know that they have a key (or two), they will not need to worry about handling keys, nor will they have to know the difference between encryption and signatures. At no time are they faced with this information—p≡p just tells them if they can trust this message or not. Thus, without your users having to lift a finger, they’re able to be fully confident in the confidentiality, integrity, and authenticity of the messages they’re sending and receiving.
Staying vigilant and training employees in security best practices will always be a good idea. That said, we know you’re busy and your employees are too. Things get missed, they fall through the cracks, and intruders know this as well. Knowing the tone an executive generally uses in email communication, when people from the C-suite are traveling, and what suppliers are actually paid via money transfer are all steps that should be taken. But as we all know, it is human to make a mistake and no level of training will eliminate phishing. By fully automating the end-to-end protection of e-mails wherever possible, you give yourself the best, most reliable solution for protecting your company from phishing attacks like BEC or CEO fraud with its own e-mail accounts. At the end of the day, an automatic end-to-end email encryption solution will be there as a first, and last, line of defense against those who are looking to steal your money and your data.