This week, we continue our series on Business Email Compromise. Click here to read Part 1, which includes an overview and various statistics on this growing threat.
It takes time and effort to launch a successful Business Email Compromise (BEC) attack. In a typical attack, several messages are exchanged in an attempt to convince the target to authorize large payments to the attacker’s bank account. From start to finish, the steps involved in a BEC attack consist of identifying a target, grooming, exchanging information, and finally, transfer of funds.
Let’s go over these four steps in detail.
Step 1 – Identify the Target Victim
The first step in a BEC attack may be the most time-consuming. During this step, a criminal organization researches the victim to develop an accurate profile of the company. Through publicly available information, attackers look for the names and positions of company executives, especially those on the finance team. They scour social media, online articles, and anything else that will provide specific details about the company and its employees. Scammers who are able to infiltrate a company’s network with malware may spend weeks or months monitoring information on the company’s vendors, billing and payment systems, and employee vacation schedules. They have also been known to monitor the executive’s writing style in order to craft a convincing email using a spoofed email address or lookalike domain claiming to come from the CEO.
Step 2 – Grooming
Armed with the information obtained in Step 1, the scammer moves on to Step 2. During this step, the scammer uses spear-phishing, phone calls or other social engineering tactics to target employees with access to company finances. The grooming phase often takes several days of back and forth communication in order to build up trust. During this phase, the scammer may impersonate the CEO or another company executive and use his or her authority to pressure the employee to act quickly.
Step 3 – Exchange of Information
During step 3, the victim is convinced that he is conducting a legitimate business transaction, and is then provided with wire transfer instructions.
Step 4 – Payment
And finally, funds are transferred and deposited into a bank account controlled by the criminal organization.
What to Do if You Are a Victim
If you’ve suffered losses due to Business Email Compromise schemes, it is important to act quickly.
Contact your financial institution immediately.
Request your financial institution contact the institution that received the fraudulent funds.
Contact your local FBI office and report the incident.
This week, we begin a three-part series on the threats posed by Business Email Compromise (BEC) attacks. In Part 1, we’ll explain what BEC is and discuss various types of BEC scams. In Part 2, we’ll explain how cybercriminals launch a BEC attack, and in Part 3, we’ll discuss best practices for avoiding these types of threats.
Email is the preferred communication method for businesses around the world. It’s also the preferred attack vector for cybercriminals due to its ease of use and low cost, and since the beginning days of email, spam techniques have continued to evolve into a variety of sophisticated threats.
One particularly menacing threat that is continuing to grow in popularity is Business Email Compromise (BEC).
BEC attacks (also known as whaling, spear-phishing or CEO fraud) use various deception tactics to impersonate a trusted contact. They employ a combination of research and social engineering techniques to impersonate business executives, real-estate firms, title companies, law firms, and even the FBI in an attempt to elicit transfers of large sums of money or the exchange of personally identifiable information (PII), which can be used in future BEC attacks and other types of cybercrime. Victims of BEC attacks are often tricked into believing they are carrying out a routine transaction, such as filling an order with a supplier, transferring funds for an executive, or sending sensitive data to an HR representative.
With the exception of those with spoofed sender addresses, many BEC attacks are sent from valid email addresses using credentials obtained through phishing, brute force attacks, or data obtained in a database breach like the one that hit Yahoo in 2013.
BEC attacks often contain no malware, malicious links, or suspicious code. As a result, in many cases they are able to bypass traditional security measures, which makes them especially dangerous.
Watch Out for These Common Scams
Some of the most common examples of Business Email Compromise include:
Real Estate Transactions: During a real estate transaction, criminals may impersonate sellers, realtors, title companies, or law firms to trick the home buyer into transferring funds into a fraudulent account.
Data and W-2 Theft: Criminals use a spoofed or compromised executive email account to send fraudulent requests for W-2 information or other personally identifiable information to HR staff or others within the business who maintain confidential employee records.
Supply Chain: Criminals send fraudulent wire transfer requests to redirect funds during a pending business deal, transaction, or invoice payment to an account controlled by organized crime groups.
Law Firms: Criminals discover information about pending litigation or trusts and impersonate a law firm’s client to change the recipient bank information to a fraudulent account.
Over 41,000 Victims and Growing
The statistics are staggering. In July, 2018, the FBI released a public service announcement indicating that victims lost over $12.5 billion to BEC attacks between October 2013 and May 2018. In the United States, BEC attacks claimed over 41,000 victims during this five year period at a total loss of over $2.9 billion. In 2017 alone, the Internet Crime Complaint Center (IC3) received over 15,000 reports of BEC attacks with estimated losses of over $675 million.
Based on victim complaint data, BEC scams targeting the real estate industry are on the rise. From 2015 to 2017, there was over an 1100% rise in the number of victims of real estate BEC scams and an almost 2200% rise in financial losses. May 2018 had the highest number of real estate victims since 2015, and September 2017 reported the highest victim loss.
Recent High-Profile Incidents of BEC Scams
In 2013, Google and Facebook lost over $100 million in a scheme that impersonated a large Asian manufacturer.
In August, 2017, MacEwan University lost almost $12 million to a spear-phishing campaign that impersonated a construction and contracting company.
In June, 2017, a New York judge lost over $1M in Real Estate Scam that began as an email claiming to come from her real-estate lawyer.
Despite efforts to raise awareness of these scams, a recent Gartner Research report indicated that BEC attacks will continue to be persistent and evasive, leading to large financial fraud losses for businesses and data breaches for healthcare and government organizations.
Why are Business Email Compromise threats so dangerous?
Business Email Compromise attacks are designed to bypass standard security mechanisms such as spam filters and anti-virus software, and are dangerous for a variety of reasons.
They contain no malware. BEC attacks normally don’t contain malware. Instead, they use crafty social engineering to trick users into thinking they are legitimate.
They are able to bypass many spam filters. BEC scams are often well-crafted with no spelling or grammatical errors. As a result, they are often able to bypass many spam filters.
They are highly personalized. Scammers take their time researching the victim long before an attack is launched. They scour public websites, social media, and even the dark web to find specific information, including names and background information of company executives. Armed with this information and with knowledge of an executive’s writing style, their emails appear authentic.
What is being done to stop BEC attacks?
Recently, multiple countries launched a coordinated effort to dismantle international BEC schemes. This effort, known as Operation WireWire and involving the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Service, resulted in 74 arrests across multiple countries. Unfortunately, these attacks will continue as long as human nature can be exploited for personal gain. In fact, a recent report by Get Safe Online indicated that over a third (37%) of employees don’t know what to look for to identify common email scams. The report also stated that one in 20 email fraud victims were so ashamed that they hid their mistakes from their colleagues.
Businesses of all sizes must remain vigilant against these threats. As the old saying goes, knowledge is power, and knowing how BEC attacks are launched and how to identify and avoid them is key. We’ll discuss these topics in parts 2 and 3 of this series, so stay tuned!
It’s that time again. Our friends at MailStore have released their latest & greatest version of the MailStore archive server – version 11.2, with support for Microsoft Exchange Server 2019, plus continued support for all other email platforms, including MDaemon.
“But do I really NEED an archiving solution?”
In short, YES! With most businesses relying on email to send sensitive information to customers, partners, and suppliers, you need a backup solution for a variety of reasons, including protection against ransomware, accidental deletion, disaster recovery, e-discovery, and compliance to regulations such as HIPAA and GDPR.
While it may be tempting to hold off on upgrading to a new release, keep in mind that the threat landscape is constantly evolving, and security is more important than ever before. Upgrading to the latest version will help you stay protected against the latest threats.
Before the invention of email, mail that arrived in your physical mailbox often contained pamphlets, sales brochures, credit card offers, and product catalogs. Much of this waste was thrown away and ended up in a landfill somewhere. Today, the equivalent and often more annoying nuisance is spam. Spam comes in many forms, and has evolved from dubious product claims, miracle supplements, conspiracy theories, and offers of easy money to more malicious threats such as ransomware attacks and targeted spear-phishing.
While the amount of spam as a percentage of total email traffic has gone down recently, the severity of email-borne threats has increased.
So how can users protect themselves from becoming the next victim to these malicious threats? There are numerous spam fighting tools in MDaemon and other mail servers, but server-side tools are only half of the spam-fighting equation. The other half is user education. With this in mind, here are 10 things users can do to reduce the amount of spam they receive.
Unsubscribe – How often have you been asked by a store clerk for your email address or placed an order online? In either of these situations, chances are you may have ended up on a company’s mailing list. When you receive email from these companies, take the time to open the message and click on the Unsubscribe link. But first, make sure the email is in fact coming from a reputable company (Here’s how). If you’re not completely sure where the email came from, then report the message as spam instead of unsubscribing.
Create a secondary email account – While we’re on the topic of retailers having your email address, you might also consider having a second email address that’s used solely for the purpose of store records or placing orders. This allows you to keep solicitations from these vendors out of your primary inbox.
Keep your email address private – If your email address is visible on social networking sites like Facebook or Twitter, then it’s also visible to spammers. Spammers have tools that can easily detect visible email addresses and add them to their mailing lists. This is why it’s often recommended that, if you MUST use your email address on one of these sites, you mask it by changing its format. For example, type out “at” instead of using the “@” symbol. With the prevalence of Business Email Compromise (BEC) attacks, it’s even more important for executives to be mindful of posting their email address or other personal information, as scammers will use this information to send out well-crafted spear-phishing emails.
Don’t reply to ANY spam or unsolicited marketing messages – Most spam messages use forged sender (return-path) addresses, so replying to a spam message will almost never result in the spammer getting your message. Replying to legitimate marketing messages tells the sender that your email address is valid, and thus, they may continue to send you spam.
Never click on links – Often, when you click on a link in a spam email, it specifically identifies you to the spammer as having received the message. Not only can clicking links in spam messages identify you to the spammer; you can also end up getting infected with malware.
Block Images – Even if you don’t click any links, an image opening in your email can alert spammers to a valid address. Spammers often try to be stealthy by inserting images that are only one pixel wide. If your mail client is configured to automatically open images, spammers can be alerted that your email address is valid. We recommend configuring your email client to automatically block images to reduce spam. You can always choose to view images in specific emails if you are sure the sender and content are legitimate.
Make your email address unique – Spammers often use common names to try to guess email addresses. If your email address is unique, it makes it harder for spammers to guess your email address.
Don’t fall for scams – If you receive an anonymous email from someone who appears to be in dire need, who promises you large sums of money for your small up-front investment, you may be witnessing the familiar Nigerian email scam, or one of many other variants. What are the odds that someone you’ve never met, who’s in a desperate situation, would contact you for help? Don’t fall for this scam.
Never forward email from someone you don’t know – I often see email messages with some type of public service announcement, petition, or other bit of advice, and often, there’s a request to forward the message to your friends. Don’t fall for this, as it’s a prime opportunity for spammers to harvest email addresses.
Blocking junk email is not just the job of the mail server administrator. A well-informed email user can mean the difference between spam that is manageable and spam that is out of control. These ten tips will help you reduce spam, and help prevent you from becoming a victim to phishing or malware.
As hurricane Florence threatens the east coast with high winds, heavy rainfall and flooding, businesses could potentially lose access to critical communication services. When Hurricane Harvey hit Texas and Louisiana last year, we offered free temporary assistance for those without email services. For those affected by Florence, we are again here to help. We’re offering affected businesses free temporary email hosting using your existing domain or temporary email accounts on our hosted webmail platform.
Nature dictates that we human beings are prone to make mistakes from time to time. For example, if you attached a picture from your toddler’s birthday party in an email to your customer when you meant to attach your customer’s invoice, if you noticed an embarrassing typo after a message was sent, or if you got a little overzealous with your personal information that, after giving it a second thought, might be damaging to your career. Most of us have found ourselves in one or more of these situations at one time or another. That’s why it’s important that your email solution have a Message Recall feature. Message Recall gives you a “second chance” to correct an error or avoid a situation that could be embarrassing or damaging to your career.
MDaemon users have three ways to recall a message.
Using the Recall button in MDaemon Webmail.
Attaching a copy of the sent message to an email addressed to the MDaemon System account with RECALL as the message subject.
Sending a message to the MDaemon System account with RECALL plus the Message-ID as the message subject.
This quick video shows all three methods for recalling an email message in MDaemon Webmail
Let’s face it. We all make mistakes. At one time or another, most of us have gotten a little hasty with the Send button when composing an email, and sent it to the wrong Frank Thomas, accidentally CC’d the customer in an inter-office communication, or realized the email was probably not such a good idea in the first place. These examples can be quite embarrassing, but other mistakes can result in legal trouble for you or your company. For example, healthcare providers can violate HIPAA regulations by sending an email containing protected health information (PHI) to the wrong person. Penalties for these HIPAA violations can be steep, ranging from $50,000 to $1.5 million.
To avoid these situations, your email solution should have a feature that lets you delay delivery of a message. With MDaemon Webmail, message scheduling options are just a mouse click away.
“This is all great, but why would I want to delay delivery of an important email message?”
There are many reasons why one might want to defer delivery of an email message.
Delaying message delivery for an hour or even a few minutes gives you time to take a break from it and review it with a refreshed perspective – providing another opportunity to catch errors you might have missed before.
Some email conversations go back and forth too quickly, so you might respond before you have all the information or ask questions that are already answered in the next message. Deferred delivery allows you to slow the process down so you’re not having to play email tag.
Deferred delivery can help prevent you from sending an angry email response during heated discussions. Allowing yourself a little extra time to re-think your message or to cancel the message altogether can help prevent a great deal of workplace conflict.
For companies that operate globally, deferred delivery allows users to schedule messages for delivery during peak business hours in the recipient’s country, increasing the likelihood that it will be seen.
We demonstrate how to defer delivery of an email message in MDaemon Webmail in this week’s tutorial video.
While it’s true that hard drives are continuing to grow exponentially in storage capacity, many mail server administrators are still finding the need for greater control over disk space usage. An easy way to automate the process of limiting disk space used per-user while still retaining business-related data transmitted via email is to set message and disk space quotas while implement an archiving solution such as MailStore.
By default, MDaemon Remote Administration is accessed via port 1000 at your server’s host name, so if your host name is mail.example.com, then you’d enter http://mail.example.com:1000 to access Remote Administration. You can also use a secure URL – for example: https://mail.example.com. The URL you would use depends on the settings you have configured in MDaemon under Setup | Web & IM Services | Remote Administration | Web Server (and SSL & HTTPS).
I hope you find these tutorials useful. If you have questions or comments, please click on Leave a Comment (up there under the title of this post) and let us know!
Most of our customers are small-to-medium businesses with limited IT budgets across a variety of industries – including healthcare, education, manufacturing, and government. Having a limited IT budget often means having limited staff available for troubleshooting email or tracking down messages, so when considering which email gateway/spam filter you want for your business, one of the main criteria to consider is how easy it is to find messages for your users. Users who are expecting business-critical messages need to know ASAP what happened if that message is not delivered. With SecurityGateway, it’s easy to find out if a message was rejected, quarantined or delivered. If it was rejected or quarantined, color-coded transcripts make it easy to determine exactly why the message was not delivered.
At-a-Glance: The Message Log Window
Let’s have a look at the message log and its layout.
Use the buttons across the top to:
Refresh the message list
Search for messages. Advanced search options are provided, allowing you to find messages based on a variety of criteria, such as message contents, delivery date, the result of the message delivery attempt, keywords in a message header, and others.
View message details (providing the same information as double-clicking the message)
Redeliver the message. Note that if the issue that made a message undeliverable still exists then the message will return to the message log with the same status.
Whitelist the sender or sender’s domain
Blacklist the sender or sender’s domain
Press the blue buttons to enable or disable specific columns.
The right-facing blue arrows indicate outbound messages, and the left-facing green arrows indicate inbound messages.
The remaining columns from left-to-right include:
Date (notice the arrow indicating sort order)
The message sender (From)
The message recipient
The message subject
The result of the message delivery attempt (Delivered, Quarantined, Rejected, etc.)
The reason the message was quarantined or rejected (for those that meet these criteria)
The message size
The final message score based on the total score accumulated by all security tests performed
Viewing message transcripts to determine a message’s fate
Now that we’re familiar with the layout of the message listing, let’s review how to troubleshoot email delivery issues.
Key events in a message’s transcript are color-coded for easy identification. In the following example, the message was scanned by SpamAssassin. During this process, it accumulated 1.7 points. It was then scanned by Outbreak Protection, during which it accumulated an additional 5.5 points. Finally, the total message score was tallied with a final score of 12.2 points and was rejected.
We’ve created the following video to help you become more familiar with message tracking in SecurityGateway.
If you work in IT or manage a mail server, then you probably know that the vast majority of global email traffic consists of spam. However, if you’re an end user working for a small business in healthcare, manufacturing or education, the following statistic might surprise you:
In June 2018, spam made up a staggering 85.32% of all global email traffic.
A good spam filter & email gateway will filter out most of these malicious email messages circling the globe so that users and administrators can spend more time focusing on their business.
SecurityGateway for Email Servers was designed to make it easy for small-to-medium businesses to manage their inbound and outbound email security needs without taking up too much time that could be spent on more business-related tasks. It reduces the workload on administrators by providing automated user & domain creation and periodic quarantine report emails for end users. The focus on today’s “30-Second Email Tips” video is to demonstrate the quarantine report emails which allow users to manage their own quarantines so you can spend more time focusing on your business.
Many of SecurityGateway’s security settings (including heuristic and Bayesian analysis by the spam filter, DNS blacklists, SPF verification, DKIM verification, DMARC, and others) can be configured to perform one of three options for messages that fail a given security check:
Accept the message (and optionally place a tag in the message subject and add points to the message’s spam score)
Refuse the message
Quarantine the message
For messages that are placed in the quarantine, reports can be sent out to users so that they can decide what to do with these messages. Options provided are:
Release the message from quarantine
Always allow (whitelist) messages from the sender
Blacklist messages from the sender
We’ve created the following video to demonstrate these features.
SecurityGateway helps meet the needs of businesses that want an additional layer of security for their existing email server and businesses running Microsoft Exchange or another mail server that has cumbersome controls or a confusing interface – helping simplify the process of scanning inbound and outbound email for malicious content. Click here to learn more about SecurityGateway, or click here to download your free trial!