Money is one of the most powerful motivators for cyber thieves all around the world. While the focus has been on financial fraud and ransomware attacks globally, the number of phishing attacks has doubled in 2021 year-on-year as per the “Phishing Activity Trends Report” by APWG[1]. Business email compromise (BEC) is a type of spear-phishing attack that involves using a targeted email-based cyberattack to fool victims into giving critical company information, accessing secret data, or making payments to scammers posing as vendors or other well-known entities. These attacks are distinct from random phishing emails as scamsters typically conduct research so that the emails can be tailored, directed to specific individuals, well-articulated, and explicit to appear legitimate.
Emails are commonly received by impersonating the email IDs and domains of the most naïve and trusted sources, such as a colleague, vendor, or partner with whom frequent payments are made, or a C-Suite leader. Cybercriminals generate similar-looking email IDs and display names, attach bogus invoices, and instructions based on logos and companies found online. Cybercriminals frequently use typosquatting, such as replacing “m” with “rn” or rearranging character strings in email IDs or links. To show a bogus identity or sender address, cyber criminals frequently use Mailsploits – email spoofing and code injection vulnerabilities. They also aim to generate pressure by including time-sensitive information such as payment deadlines, fines, and so on.
Finance and account payable departments have been the most targeted throughout the years, with requests to remit money promptly into a different account or change payment instructions for future payments alleging some urgency or an undiscovered error, among other things. These attacks are becoming more sophisticated. Since the popularity of remote working has grown in recent years, there have been reports of false emails purporting to be from employees requesting changes to payroll information, salary credit accounts, or financial contributions for a social cause, as well as employee birthdays and anniversaries. Other departments, such as HR and IT, are increasingly being targeted, with the goal of tricking employees into providing their credentials or other sensitive and personal data. After acquiring access to credentials, attackers can use them in a variety of ways, including auto-forwarding, hijacking emails – taking complete control of a mail account, installing keystroke loggers, account takeovers, malware installation, data exfiltration, and so on.
While BEC can result in financial losses, it can also have a negative impact on trust and relationships between parties. In addition to immediate cash losses, the attacks may have long-term consequences if data is exfiltrated, resulting in privacy and security breaches. This might be used by attackers to launch ransomware attacks or to sell or auction trade secrets and intellectual property (IP). From the perspective of cybersecurity, such assaults might compromise the CIA triad (Confidentiality, Integrity, and Availability), thereby impacting brand, client confidence, uptime, and compliance status.
To address this threat, a comprehensive approach to cybersecurity is required to address People, Process, and Technology. Regular security awareness training for employees should include amongst others, citing both common and newer techniques used by cybercriminals, spotting indicators of compromise, avoiding clicking unknown links, checking the legitimacy of emails and documents received by emails etc. Since regular awareness training sometimes gets uninteresting over time, some form of gamification or reward programs can be introduced for encouraging active participation from employees. Identifying critical business functions like account payables, IT etc., and having documented processes around them including matured change management process, having authorization, periodic monitoring, reconciliations, and audits help in avoiding such frauds. As technology is touching more and more aspects, companies need to understand investing in the right and optimum technology is a must. There are solutions available for email and content filtering, sandboxing, security, archiving, and continuity services. Implementing Sender Policy Framework (SPF)[2], Domain Key Identified Mail (DKIM)[3], Domain-based Message Authentication, Reporting, and Conformance (DMARC)[4], Multi-Factor Authentication (MFA), reputed password managers, Data Loss Prevention (DLP) and Cloud Access Security Broker (CASB) solutions, and End-point Detection and Response (EDR) are amongst a few security solutions that can help prevent or detect such attacks.
It’s critical to have a security policy management framework in place that includes the most significant policies, such as overall IT security, log management, and incident response, and to test it for design and effectiveness on a regular basis. In the event of such assaults, solutions such as SIEM (Security Information and Event Management) and regular SOC monitoring can point to indicators of compromise, and if necessary, the logs of important systems are available for forensic examination to avail cyber insurance.
Traditional businesses that aren’t as tech-savvy have to also rely on technology, and no one wants to be the victim of a security breach that results in financial loss. Because the threat landscape is constantly changing, a layered security model based on the Defense-in-Depth principle helps better secure several layers, including the perimeter, enterprise, application, and database. A complete strategy to cyber security that includes protection, detection, and, if necessary, containment, response, and investigation capabilities in the event of an attack is a critical component of overall Enterprise Risk Management.
Originally written for CXOtoday.com
[1] https://docs.apwg.org/reports/apwg_trends_report_q4_2021.pdf?_ga=2.58218026.181158386.1664979827-1151059543.1664979827&_gl=1*159z3sb*_ga*MTE1MTA1OTU0My4xNjY0OTc5ODI3*_ga_55RF0RHXSR*MTY2NDk3OTgyNy4xLjEuMTY2NDk3OTkyNS4wLjAuMA
[2] https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/how-office-365-uses-spf-to-prevent-spoofing?view=o365-worldwide
[3]https://www.proofpoint.com/us/threat-reference/dkim#:~:text=DKIM%20(DomainKeys%20Identified%20Mail)%20is,made%20possible%20through%20cryptographic%20authentication.
[4] https://dmarc.org/overview/
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
