Recent Business Email Compromise (BEC) Scams are Reminder to Educate Users

Online scams are nothing new. But as email has evolved and improved, so have scammers and the messages they send. Nefarious emails, attachments and links now appear sophisticated and look legitimate, sometimes tricking even the most meticulous user.

Billions Lost to Business Email Compromise

Over the last three years, organizations all over the world have lost a collective $26B to a very specific type of email scam – Business Email Compromise, or BEC. Recently, a BEC scheme in Spain was brought down, but not before taking over €10M. A scammer in Canada impersonated a contractor and fooled city employees out of over $1M. And the FBI is investigating a network of over 80 people across multiple countries in an attempt to use a BEC plot to steal $46M.

Why do BEC Scams Work so Well?

Top 10 Business Email Compromise Protection Tips
Top 10 Business Email Compromise Protection Tips

BEC emails are advanced phishing scams, and they’re on the rise. But what makes a BEC attack so dangerous, and so effective?

BEC Scams are Highly Targeted

Scammers aren’t blasting thousands of the same email. They’ve done the research, monitoring the company’s website and social pages. They find the appropriate target, and groom them by sending multiple conversational emails, establishing trust.

They Contain No Malware

Unlike the old style of phishing, where users are told to click on a link, BEC emails have no spammy links. This means they can sometimes evade spam filters, and the end user doesn’t see any red flags.

They Exploit Human Nature

BEC emails imitate an actual person, complete with real-looking email addresses, formatting, company names, and titles. The victim has unknowingly been emailing back and forth with the scammer and trusts that they are who they claim to be. So when asked to send bank information, for example, the victim assumes the request is authentic and complies.

They are Often Under-reported

Victims often don’t realize they made a mistake until much later. And even upon realization, many companies don’t report the incident for fear of damaging their reputation with their customers. Not reporting such incidents allows perpetrators to simply move on to their next victim.

Learn How to Stay Protected Against these Email Scams

Preventing losses to Business Email Compromise is the responsibility of both the end user and the IT administrator. To stay protected, follow these tips:

End Users:
  • Double-check the sender email address & recognize spoofing and other impersonation tactics. MDaemon Webmail displays the full email header to help users identify spoofed emails.

    MDaemon Webmail Full Email Header Display
    MDaemon Webmail Full Email Header Display
  • Don’t overshare on social media
  • Don’t open email from unknown sources
  • Verify all wire transfer requests via phone or face-to-face
  • Know customers’ & vendors’ business practices
  • Run antivirus software often
  • Use two-factor authentication
  • Forward, don’t reply. Ensures you manually enter the appropriate email address.
Administrators:
  • Enable reverse lookups to verify the legitimacy of the sender
  • Use the antivirus features in MDaemon and SecurityGateway to scan all inbound and outbound email traffic
  • Require users to use SMTP Authentication
  • Use SPF, DKIM & DMARC to secure your domain against spoofing
  • Require two-factor authentication
  • Require strong passwords
  • Provide regular end-user training
  • Run antivirus software often and make sure virus signatures are up-to-date

While traditional security measures such as network defenses and email gateways can be effective at blocking most varieties of spam, the bottom line is that the most critical part of stopping BEC attacks is user awareness and education.

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  

Phishing Email Uses Google Drive to Get Past Microsoft Security

Phishing, email scams, tips to avoid spear-phishing

This week, Threatpost reported on a new spear-phishing attack that uses email sent via Google Drive claiming to be the CEO of the targeted company sharing important information with the recipients.  The email came from Google Drive, but the sender address didn’t match the company’s standard naming convention for email addresses.

Because the message was sent by a legitimate email service, it was able to bypass Microsoft Exchange Online Protection on its way to users’ inboxes.

You can read the full article here.

No Spam Filter or Email Gateway can Block 100% of All Spam

Spam Filters and Email Gateways have proven quite effective at blocking most of the junk email that gets sent by the thousands on a daily basis, but cyber criminals are always looking for new ways to bypass email security measures through social engineering, new strains of malware, and newly-discovered security flaws reported in  Microsoft Exchange Server and cloud email platforms. That’s why user training will continue to be a top priority for all businesses that use  email.

Tips to Avoid Phishing and Business Email Compromise (BEC) Attacks

In a prior post, I listed the following 10 tips to avoid falling victim to phishing emails.. Here’s a brief summary. You can read the entire post here.

10 Tips to Identify a Phishing Email

  1. Watch out for messages disguised as something expected, like a shipment or payment notification.
  2. Watch for messages asking for personal information such as account numbers, Social Security numbers, and other personal information. Legitimate companies will never ask for this over email.
  3. Beware of urgent or threatening messages claiming that your account has been suspended and prompting you to click on a link to unlock your account.
  4. Check for poor grammar or spelling errors.
  5. Hover before you click!
  6. Check the Greeting – Is the message addressed to a generic recipient, such as “Valued customer” or “Sir/Madam?” If so, be careful & think twice!
  7. Check the Email Signature – In addition to the greeting, phishing emails often leave out important information in the signature. Legitimate businesses will always have accurate contact details in their signature, so if a message’s signature looks incomplete or inaccurate, chances are it’s spam.
  8. Don’t download Attachments
  9. Don’t trust the From address –Know the difference between the “envelope From” and the “header From” addresses.
  10. Don’t Enable Macros –  Never trust an email that asks you to enable macros before downloading a Word document.

These 10 tips are explained in more detail in this post.

10 Tips to Protect Against Business Email Compromise (BEC) Email Attacks

Business Email Compromise goes beyond standard spam techniques by exploiting human nature and the trust established between employees and members of the executive team. Scammers use social engineering, CEO impersonation, and a variety of other techniques to trick users in accounting, finance, or other high-power positions into transferring money into the scammer’s accounts. These attacks are well-executed and targeted at specific individuals, and often take more time to plan and launch due to the amount of research that goes into these attacks. Cyber criminals use publicly available information on sites such as LinkedIn, Facebook and even the website of the targeted victim to gain insight into the company’s business practices. They will often study the writing styles of the executive team, allowing them to craft convincing emails that appear authentic to employees.

Because Business Email Compromise attacks are often so well-crafted, they are able to bypass standard security measures. These tips should help you identify a Business Email Compromise attempt if one should slip through your spam filter or email gateway.

  1. Train Users to recognize these Common Impersonation Tactics used by Cybercriminals
    • Domain Name Spoofing
    • Display Name Spoofing
    • Lookalike Domain Spoofing
    • Compromised Account
  2. Secure your Domain by registering similar domains.
  3. Don’t Over-share on Social Media
  4. Use SPF, DKIM & DMARC to protect your domain from spoofing.
  5. Use Two-Factor Authentication
  6. Use Strong Passwords
  7. Don’t trust unknown sources
  8. Establish strict processes for wire transfers
  9. Provide regular end-user training
  10. Run antivirus software often

You can learn more on how to avoid Business Email Compromise attacks here.

No business is too big or too small to fall victim to email-borne scams. In fact, cyber criminals often target smaller businesses based on the assumption that smaller companies are less likely to have the latest security systems in place. MDaemon Email Server and Security Gateway for Email Servers include a variety of features to protect businesses from spam, malware, and leaks of sensitive business data.

15% discount during August, 2019 for MDaemon Email Server and Security Gateway for Email Servers

Looking for a secure, affordable email and collaboration server or email security gateway for your business? This month, we’re offering a 15% discount off the price of MDaemon Email Server (new purchases), and Security Gateway for Email Servers (new, renewal, and upgrades).

Comments? Question? Let us know. We’re here to help!

 

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  

Four-Step Swindle: The Anatomy of a Business Email Compromise Attack

This week, we continue our series on Business Email Compromise. Click here to read Part 1, which includes an overview and various statistics on this growing threat.

It takes time and effort to launch a successful Business Email Compromise (BEC) attack. In a typical attack, several messages are exchanged in an attempt to convince the target to authorize large payments to the attacker’s bank account. From start to finish, the steps involved in a BEC attack consist of identifying a target, grooming, exchanging information, and finally, transfer of funds.

Let’s go over these four steps in detail.

Step 1 – Identify the Target Victim

Step 1 – Identify the Target Victim The first step in a BEC attack may be the most time-consuming. During this step, a criminal organization researches the victim to develop an accurate profile of the company. Through publicly available information, attackers look for the names and positions of company executives, especially those on the finance team. They scour social media, online articles, and anything else that will provide specific details about the company and its employees. Scammers who are able to infiltrate a company’s network with malware may spend weeks or months monitoring information on the company’s vendors, billing and payment systems, and employee vacation schedules. They have also been known to monitor the executive’s writing style in order to craft a convincing email using a spoofed email address or lookalike domain claiming to come from the CEO.

Step 2 – Grooming

Phishing - Business Email CompromiseArmed with the information obtained in Step 1, the scammer moves on to Step 2. During this step, the scammer uses spear-phishing, phone calls or other social engineering tactics to target employees with access to company finances. The grooming phase often takes several days of back and forth communication in order to build up trust. During this phase, the scammer may impersonate the CEO or another company executive and use his or her authority to pressure the employee to act quickly.

Here is an example sent to one of our Finance executives in which the sender used display name spoofing to spoof the name of our CEO. Cybercriminals will often use a free email address (notice the comcast.net domain), which can be easy to miss if you’re using a mobile device or some other client that doesn’t display the full email header.

Spear-phishing with Spoofed Display Name
Spear-phishing with Spoofed Display Name

 

 

 

 

 

 

 

 

Step 3 – Exchange of Information

phishing back accountDuring step 3, the victim is convinced that he is conducting a legitimate business transaction, and is then provided with wire transfer instructions.

Step 4 – Payment

And finally, funds are transferred and deposited into a bank account controlled by the criminal organization.Business Email Compromise bank transfer

What to Do if You Are a Victim

If you’ve suffered losses due to Business Email Compromise schemes, it is important to act quickly.

  • Contact your financial institution immediately.
  • Request your financial institution contact the institution that received the fraudulent funds.
  • Contact your local FBI office and report the incident.
  • File a complaint with the FBI’s Internet Crime Complaint Center (IC3).

You can find more detailed instructions in the FBI’s Public Service Announcement.

Want to learn more about how to protect yourself from Business Email Compromise scams? In Part 3, we’ll go over a few best practices, so check back soon!

Spread the love
  •  
  •  
  •  
  •  
  •  
  •