Business Email Compromise Attacks

We have talked about Phishing and Social Engineering in other blogs and the standard precautions you can take to help thwart cyber criminals attempts at fraud.

Business Email Compromise (BEC) is a form of cyber crime which uses email fraud to attack commercial, Government and non-profit organizations to achieve a specific outcome which negatively impacts the targets organization. Examples of common BEC attacks include invoice scams and spear phishing spoof attacks which are designed to gather data for other criminal activities. Often consumer privacy breaches occur as a results of a BEC attack.

If you are a consumer, then please continue reading as this will apply to you in some form, especially if you process financial transactions at work.

How does this differ from Phishing?

Phishing is typically when you receive an email that claims to be some form of offer, or request for information that is fraudulent. The emails can look genuine (e.g. from your bank), and can trick a lot of people into disclosing their login credentials or key banking information. among other things.

A Business Email Compromise Attack differs in that the email address is often spoofed in some way that makes you believe it is from a legitimate source (sometimes also seen in social engineering attacks). Emails could appear to come from a senior employee (e.g. a CEO) which would escalate the urgency of the request. It often targets specific employee roles (e.g. a payments or billing team).

To initiate an attack a scammer might:

• Spoof an email account or website
• Send Spearphishing emails
• Use Malware
• Use public surveillance.
• Email Intercept’s.

A spoofed email address or website could be a cousin domain. For example:

contact@example123.com
offers@marketting.example.com
https://offers.example.com
https://blog.example.com
https://example.net

where the actual domain might be:

example.com

We see these all the time in emails from our banks and online shopping sites. Personally I think these should not be used as there is no way anyone can correctly identify whether or not the address is legitimate or fake. See also our guidance on Domain Typo Squatting and Open Redirects & Malware Installers.

If you have access to the Domain Name Service, setting these up with the appropriate redirection is trivial. As a result you should guard the login details to your DNS service (often at the register of the domain but can be elsewhere) with the normal precautions (unique, long and complex password as well as second factor – see our guidance on this).

A Spearphishing email might look like it came from a legitimate sender, may even contain all the correct branding and wording and appear to come from a trusted source (e.g. the purchasing department, a CEO or CFO). However, the objective is to trick the recipient into clicking on a link that then leads them to a malicious website that is often spoofed to look like the legitimate website. It is by no means impossible to clone a website and there is freely available software that performs this task.

Aside: Use of website cloning software has a legitimate use in the development and testing of a website. For example, if a bug or vulnerability is found on a compromised website, cloning the actual website will give the testers a safe copy to analyse.

Malware can be used to infiltrate the company’s network and gain access to email accounts that contain actual invoices and billing information. This information is then used to craft a very specific email in a Spearphishing attack and to time these emails to coincide with actual billing cycles and approvals.

It can also be used to target specific approvers, especially where approval for an amount requires additional signatures/approval steps. For example one person can approve payments up to £1000. Amounts above £1000 and up to £50,000 required two approvers and so on. By targeting the lower approval amounts it is more likely that an attacker can be successful.

Public Surveillance involves looking up company records and individuals working at the company:

• On the Company’s website
• Through publicly available Companies House financial reporting and who the directors of a company are (UK)
• Social Media, especially sites like LinkedIn and Facebook
• Publicly available tax records
• Networking Groups.

Email can be intercepted as by its design email is sent as plain text and is not encrypted by default. As a result your email can be intercepted by a cyber criminal and read and be used as intelligence to initiate the BEC campaign. The information gathered in this way can help the attacker to craft the email so that it appears to come from senior company officers. As a result, all email sent to clients, especially with confidential and/or financial information in it, should be sent encrypted.

How can I combat Spoofed Email Addresses?

This requires technology to be implemented on the email servers of your organisation as well as customised setups on the Domain. This is going to get technical.

Several technologies exist:

• Sender Policy Framework (SPF)
• DomainKeys Identified Mail (DKIM)
• Domain-based Message Authentication, Reporting & Conformance (DMARC).

Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during the delivery of the email. SPF alone is limited to detect a forged sender claimed in the envelope of the email which is used when the mail gets bounced. Only in combination with DMARC can it be used to detect the forging of the visible sender in emails (email spoofing).

DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in emails. DKIM allows the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain. It achieves this by affixing a digital signature, linked to a domain name, to each outgoing email message. The recipient system can verify this by looking up the sender’s public key published in the Domain Name Server (DNS). A valid signature also guarantees that some parts of the email (possibly including attachments) have not been modified since the signature was affixed. Usually, DKIM signatures are not visible to end-users, and are affixed or verified by the infrastructure rather than the message’s authors and recipients.

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use (spoofing). The purpose and primary outcome of implementing DMARC is to protect a domain from being used in BEC attacks, phishing emails, email scams and other cyber threat activities.

DMARC is used with SPF and DKIM to provide a full authentication solution. A simplified explanation of how this all works is shown in the following diagram:

To setup DMARC you need to set up policies relating to what happens when authentication fails:

• Quarantine – the email is quarantined at the receivers email server and can be manually approved for delivery or routed to a Junk folder at the discretion of the manager of the receiving email server
• Reject – the email is sent back to the sender as a rejected email.

The system will also produce various reports:

• Aggregate Reports
• Forensic Reports, also known as Failed Reports.

The administrator can use these reports to manage the DMARC configuration and detect if there is a particular BEC campaign being waged against the organisation.

This is not a consumer service. This is largely a business related configuration that requires additional software at both the sender and receiver as well as customised DNS records to be implemented on the DNS server managing the routing of the email.

Major cloud providers can implement this for you where your email is outsourced. For the following providers see their websites:

• Microsoft 365
• Google G-Suite.

Contact your cloud provider for their specific details. It should be noted that switching this level of authentication on will probably involve extra cost.

If you are interested in investigating this further, then you can look at the following websites:

• DMARC at the DMARC organisation and Wikipedia
• SPF at Wikipedia
• DKIM at Wikipedia.

Email Encryption

Your organisation will probably have a means to encrypt your emails that require the recipient to have a unique password to access the encrypted portion of the email – this is how you do it using Microsoft’s Outlook.

Most email clients can implement the PGP (Pretty Good Privacy) encryption method that requires a public and a private encryption key and is very much the standard approach for most industrial strength encryption. However, this can get technical.

You can also use an encrypted email service (e.g. Proton Mail). However, this will in all likelihood require both the sender and recipient to be on the same service. Proton Mail does allow email to be retrieved via a standard email client by providing a link to the encrypted portion of the email.

Having email encrypted as standard also forces the recipient to have the correct decryption keys and./or passwords established on their end. This is another way to authenticate the email since it is unlikely that a cyber criminal would have your private encryption key or password.

If you really want to be very private, then there are various encrypted and highly private email services on the TOIR network. However, unless you really need this, I suggest you stay with the more freely available methods.

What else can Companies do?

The standard advice I give for this is to be aware and identify anything that does not look right. Our social engineering guidance is a good place to start. This applies to all users – both in companies and consumers.

For companies, the following procedures should be set up.

Approval levels:

Specific individuals in your company should have approval levels for transactions. For example:

• Level 1 up to £1000, Team Leader must approve
• Level 2 up to £10,000, Department Manager must approve
• Level 3 up to £50,000, Regional Head must approve
• Level 4 above £50,000, Board member must approve.

Establish authentication procedures:

• All inbound email is scrutinised by the receiving team to determine if it is a value bearing instruction (e,g. a Payment, a Securities movement)
• Value bearing instructions are processed through an approvals process against validated signatures and approval limits, and potentially call the sender for approval against a pre-arranged phone number
• Once validated the email is recorded in some way with the appropriate approvals stamped electronically on the document.

• Establish standard payment and settlement instructions:

• For cash payments, establish the banking details of the account (e.g. in the UK this would be the Sort Code and Account Number, and for the EU payments their IBAN number and other formats for other countries) and record them in a secure database
• For securities movements you would need to execute the trade through the required stock exchange and/or clearer and you should know the account numbers at these organisations which also need to be secured
• These transaction credentials should be defaulted in your payment/trading system and would require an override authorisation to change them from the default
• Establish whether or not you have a standard Payment/Settlement instruction, and if not then the transaction should be rejected and not processed until one is provided and approved.

Authenticate any change to Standard Payment/Settlement Instructions by following a similar procedure for authenticating a payment/settlement instruction.

Establish Anti-Money Laundering procedures and a robust Know Your Customer (KYC) process so that you know who you are doing business with. Observe the various sanctions lists (e.g. OFAC in the US, EU sanctions Lists and the UK equivalent). If you are found to be executing transactions benefiting crime or terrorism, this is punishable under UK law and similar laws in other countries. Also note that even if you are a UK organisation, the sanctions list of other countries will also apply if you are doing business with those countries.

Establish a Training Regime for all financial risk factors and especially the sanctions lists and anti-money laundering. In the financial sector in the UK, this is mandated by the regulators for all employees.

What can Consumers do?

Consumers should adopt a lightweight version of the above by:

• Establishing approved Payees in their online banking service
• Checking if the payment request has come from the company through an official channel (e.g. Online Banking, a vendor/online shopping web site)
• Anything above a particular amount should be scrutinised and extra caution paid
• If the payment looks wrong, or is unexpected, then call the person/company invoicing you to confirm they have sent it to you and the amount.

Anything sent to you via email will in all likelihood have a counterpart on the website of the organisation invoicing you – assuming you have requested paperless invoicing, which could be a tell-tale sign of a fake invoice.

Guarding your Domain Name

In the ‘.net’ example above (under domain spoofing), this could be a legitimate use of the high level domain to indicate a networked service offering provided by the company. However, it is possible that the owner of the ‘.com’ domain hadn’t also registered other high level domain variants (.net, .co.uk, .uk, .biz, .info) and a cyber criminal has registered it in their place to use in a BEC/spoofing attack. Therefore, if you are planning to go online with your business then you need to register all available variants of the domain name you are using and redirect them at the DNS server to forward to your primary domain (normally the .com or .co.uk variant). For ones that you can’t register, arrange for these to be watched in case they become vacant or offer to buy the domain from the current owner.

If you have a domain name that is not currently in use, then these can be hijacked to send Social Engineering and BEC attacks. Here is some advice from the NCSC on securing parked domain names, which I suggest you look into and get set up at your DNS service.

Cyber Enabled Fraud

So far I have focused on the FBI definition of Business Email Compromise. This can be described in a broader sense through a definition of Cyber Enabled Fraud as follows:

A sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly preform payments, including cross border payments. These scams have evolved to also target Personal Identifiable Information (PII) for employees of clients. These scams can also target individuals (e.g. real-estate purchasers, the elderly) by convincing them to make payments to bank accounts controlled by criminals.

The attack vector doesn’t just limit itself to email. The attack vector can be any computing enabled method, such as:

• Email (BEC)
• Fax
• Telephone
• SMS/Instant Messaging.

The net result is the same – a cyber criminal want s you to execute some form of fraudulent payment or transaction. The same guidance above should be applied to all these communication methods.

Secure Processing of Payments

You should be using some form of authenticated and secure method of accepting instructions, such as:

• For the financial sector, SWIFT is the preferred choice as it is both secure and guarantees delivery
• Secure Portals provided by clearers and the stock markets should be used wherever possible for securities transactions
• Secure payment portals provided by the major credit card companies, Banks and a number of independent organisations should be used in preference to developing your own payment platform for taking payments
• Bank Transfers (e.g. BACS for the UK) should be used rather than using cash.

It is also acceptable to use authenticated and secure API’s using the HTTPS protocol to link your processing applications to those of the organisation you are instructing.

If you are a consumer, then consider using bank transfers through online banking instead of sending cheques or cash. In online transactions use something like PayPal, or similar, or have a separate credit card for online transactions and another for in person transactions. Try to use a Direct Debit or Standing Order for regular payments.

Conclusion

Email was designed in a simpler age when the internet was used by a group of academics and military organisations over closed networks and tied teletype terminals with a direct interface into the mainframe computer. As a result, security was not built in and if it were designed today it would never be designed in this fashion.

Email is the bain of modern commerce. It is unencrypted, insecure and open to abuse.

If you are a company then accepting payment/settlement instructions over email should be eradicated from your organisation. If you are a start-up, then don’t even start using email for financial transactions. The same applies to Fax, telephone, IM/SMS.

Consumers also need to be vigilant since there are a lot of frauds that fall outside the realm of BEC that they can fall foul of that are cyber enabled.

A lot of the technical mitigations require someone who understands DNS as well as additional software to be installed on the email servers. This can be done by your cloud provider or internally if you run your own servers. However, this does require expertise, so non technical people should not attempt this.

One thing missing from this blog is a load of case studies to prove the point. I thought it was heavy enough without adding this. However, we do re-post a lot of the published reports of cyber attacks, including BEC attacks, on our twitter feed. This is also where you can gather additional intelligence about what is happening in the world relating to the latest security issues.

---

Headline image provided by Yogas Design on Unsplash