Have you heard about Business Email Compromise? If it hasn’t happened to your company yet, you’re one of the lucky ones.
The development of the Internet and email in the last few decades has had a profound impact on businesses and the way they operate. As industry has shifted to using electronic communication, we are hearing about Business Email Compromises (BEC) more and more. From our clients to news reports, BEC is growing as one of the largest compromise categories under the Cyber Security umbrella. According to the latest report by the Financial Crimes Enforcement Network (FinCEN), since 2016, 32,000 BECs have been reported, totalling approximately 9 Billion US Dollars stolen from companies in America alone. Between 2013 and 2018, a combined total of 12 Billion US Dollars was estimated lost due to this fraud internationally. However, these numbers are based only on the losses that are actually reported to government organisations, meaning many more businesses have been, and could be, at risk.
Business Email Compromise is when an illegitimate user gains access to an employee’s email account. This is most commonly accomplished by a phishing scam.
A Phishing Scam is a malicious email that appears legitimate, containing either an attachment or link that captures the account holder’s email credentials. The term phishing is used as an illustration of a fish caught on a hook. You may also hear the terms whaling or spear phishing, which refer to targeting specific executives or individuals, respectively, rather than casting a wider net to target an entire organisation.
As public awareness grows, phishing scams have increased their sophistication out of necessity in order to fool their recipients. Scammers create phishing emails imitating known brands, such as Amazon, FedEx, Microsoft Office 365, various banks and other large companies, using recognisable logos and email form characteristics. These emails usually include an urgent request to verify, confirm, or edit account information, and also provide a link directly to the account login screen. These illegitimate links may be difficult to spot, and the webpage may be convincingly accurate, but when the user’s credentials are entered, they are delivered to the hacker instead.
A good practice is to avoid following links within emails; instead, access your account via your preferred web browser to check your account status.
Once the hacker has successfully extracted the user’s credentials and accessed the compromised account, the hacker has free rein to review ongoing email correspondence and identify an opportunity to intercept a transaction. For example, let’s say that an employee called Alice falls victim to a phishing email she received in her work email account. We’ll call the hacker “John”. John can use Alice’s email credentials to log into her account and spend some time reading through her recent emails. John notices that earlier that morning Alice sent an invoice to Tony for recent services provided. Using Alice’s email account, Alice’s email signature, and the invoice previously sent to Tony, John drafts a new email explaining that the bank details provided on the original invoice are incorrect and sends the ‘corrected’ invoice and bank details back with false information.
A change in an organisation’s banking information is a red flag. A good practice is to confirm such changes via an alternative means of communication.
Unfortunately, Tony is not concerned by the updated information and does not contact Alice via any alternative means in order to confirm the new instructions. Tony pays the invoice and sends a reply to the second email composed by John confirming payment:
The invoice is paid. As requested, I have updated your bank details on my end.
John is in a position to manipulate the email correspondence. He can both email Tony as Alice and can also intercept Tony’s emails before Alice receives them. But John does not have access to Tony’s email account. This is where spoofing comes in. Email spoofing is different from phishing, and this term is used to describe the emails a hacker must fabricate in order to give the appearance that they originate from the uncompromised party in the transaction.
John deletes Tony’s reply to Alice and sends Alice a new email from Tony:
The invoice is paid.
This email didn’t really come from Tony, or even Tony’s email account. But as far as Alice can tell, the email shows that it was sent from Tony’s email address and she doesn’t question it. It’s not until a few days later that Alice notices that Tony’s payment has not been received. Alice calls Tony, as he is a good customer and is always reliable when paying his invoices. Tony tells Alice that he made the payment to the new bank account.
In most cases, by the time the money is noticed missing, it is too late for recovery. An investigation may be necessary if the two parties dispute who is at fault; however, a follow-up investigation can be beneficial to identify compromise and prevent future access.
It is also very common that neither party is willing to admit fault, because to both sides the emails all appear legitimate. A forensic investigation of the emails can distinguish between spoofed and legitimate emails. A review of account access logs can also identify illegitimate logins. Using these records, Hawkins can establish an approximate date when the credentials were compromised, and review emails received around that time to identify the phishing email.
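As an added illustration (not part of the original article and not Hawkins’ own tooling), the header checks below show one way to separate a spoofed message from a genuine one. It assumes the receiving mail server records SPF, DKIM and DMARC results in an Authentication-Results header; the two messages, addresses and domains are constructed samples.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample messages (not real evidence). The first is a genuine
# reply; the second is a spoof that claims the same From address.
GENUINE = """\
Return-Path: <tony@customer.example>
Authentication-Results: mx.supplier.example; spf=pass smtp.mailfrom=customer.example; dkim=pass header.d=customer.example; dmarc=pass header.from=customer.example
From: Tony <tony@customer.example>
To: alice@supplier.example
Subject: Re: Invoice

The invoice is paid. As requested, I have updated your bank details on my end.
"""

SPOOFED = """\
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.supplier.example; spf=fail smtp.mailfrom=mailer.invalid; dkim=none; dmarc=fail header.from=customer.example
From: Tony <tony@customer.example>
Reply-To: tony@customer-example.invalid
To: alice@supplier.example
Subject: Re: Invoice

The invoice is paid.
"""

def domain(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw):
    """List the reasons a message's headers contradict its From address."""
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    findings = []
    # Results recorded by the receiving server for each authentication check.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append(f"{mech}={result}")
    # Envelope sender and reply address should share the From domain.
    for hdr in ("Return-Path", "Reply-To"):
        d = domain(msg[hdr])
        if d and d != from_dom:
            findings.append(f"{hdr} domain {d} != From domain {from_dom}")
    return findings
```

A message sent from the compromised mailbox itself, such as John’s email to Tony, passes all of these checks, which is why the account access logs are reviewed as well.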
If your organisation is interested in hearing more about methods for the prevention and early detection of BECs, please contact us to schedule a presentation.