Business Email Compromise (BEC) is when an email account, often in a company’s finance department, is broken into and controlled by a hacker. This is often accomplished through a phishing attack that leads to credential theft, as outlined in CyberHoot’s article titled the ‘Domino Attack’. Credentials are stolen when a victim clicks on a fraudulent phishing email link or opens a fake invoice. Doing so brings the victim to a malicious but believable website, identical to the real vendor’s, that prompts the user to enter their email address and password. BEC attacks often come from someone your CFO already knows, meaning the sending email address is actually correct and expected. It usually turns out that the other finance person’s email has been compromised by hackers who are now targeting your financial officers. Thus the dominoes continue to fall, company by company.
Once a hacker enters a CFO’s email account, they read through the financial emails looking for wire transactions. They strike at just the right moment, injecting fraudulent wiring instructions directly into your email-based wiring conversation to redirect a legitimate wire transfer. The success of these scams rests exclusively upon both parties never authenticating new wiring instructions outside of email, such as over the phone. Not confirming every change to wiring instructions over the phone or in person results in billions of dollars being wired into hacker accounts all over the world every year, and these fraudulently wired funds are rarely recovered. The FBI gives these examples of real cases:
- A vendor your company regularly deals with sends an invoice with an updated mailing address.
- A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away.
- A homebuyer receives a message from his title company with instructions on how to wire his down payment.
What does this mean for an SMB?
- ALL changes to wiring instructions must be confirmed outside of email, preferably via a phone call, a Zoom meeting, or the postal service.
- Establish accurate wiring instructions with all parties.
- Do not dial a phone number supplied in a (potentially) fraudulent email to validate new wiring instructions. That phone number is also likely fake.
- Look up the phone number for your contact from a trusted source (e.g. their website) and call to verify and validate.
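The four rules above can be enforced as a simple gate in accounts payable. The following is an added example, not code from CyberHoot or the FBI: vendor wiring details and a trusted phone number are recorded at onboarding (assumed to come from the vendor’s website or contract), and any payment whose wiring details differ from that record is held until a confirmation call to the registered number is logged. The vendor, bank and phone values are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class BankDetails:
    bank_name: str
    routing: str
    account: str

@dataclass
class Vendor:
    name: str
    bank: BankDetails      # wiring instructions established with the vendor at onboarding
    trusted_phone: str     # looked up from the vendor's website/contract, never from an email

@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    bank: BankDetails      # wiring instructions as stated in the incoming email or invoice

@dataclass
class Verification:
    phone_called: str      # the number the AP clerk actually dialed
    confirmed_by: str      # who at the vendor confirmed the change

def evaluate_payment(vendor: Vendor, req: PaymentRequest,
                     verification: Optional[Verification] = None) -> Tuple[str, str]:
    """Apply the WTP rule: any change to wiring details is HELD until it is
    confirmed on the vendor's registered phone number. Returns (decision, reason)."""
    if req.vendor != vendor.name:
        return "HOLD", "payment request does not match the vendor record"
    if req.bank == vendor.bank:
        return "RELEASE", "wiring details match the established record"
    if verification is None:
        return "HOLD", "wiring details changed; confirm outside of email first"
    if verification.phone_called != vendor.trusted_phone:
        # A number taken from the email itself is not a trusted source.
        return "HOLD", "confirmation used a number that is not in the vendor record"
    return "RELEASE", f"change confirmed by {verification.confirmed_by} on the registered number"

# Constructed sample data (hypothetical vendor, bank identifiers and numbers).
ACME = Vendor("Acme Supply", BankDetails("First Bank", "RTN-TEST-1", "ACCT-TEST-1"), "+1-555-0100")
ROUTINE = PaymentRequest("Acme Supply", 12500.00, ACME.bank)
CHANGED = PaymentRequest("Acme Supply", 12500.00, BankDetails("Other Bank", "RTN-TEST-2", "ACCT-TEST-2"))

if __name__ == "__main__":
    print(evaluate_payment(ACME, ROUTINE))
    print(evaluate_payment(ACME, CHANGED))
    print(evaluate_payment(ACME, CHANGED, Verification("+1-555-0199", "J. Doe")))  # number from the email
    print(evaluate_payment(ACME, CHANGED, Verification(ACME.trusted_phone, "J. Doe")))
```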
In addition to having a strong Wire Transfer Process (WTP) in place, CyberHoot recommends taking the following actions as well:
- Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management System like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
- Test employees with simulated phishing attacks so they can practice. CyberHoot’s Phish testing allows businesses to test employees with believable phishing attacks and put those who fail into remedial phish training.
- Govern employees with policies and procedures in addition to your WTP. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
- Deploy critical cybersecurity technology, including two-factor authentication on all critical accounts. Enable email spam filtering, validate backups, and deploy DNS protection, antivirus, and anti-malware on all your endpoints.
- In the modern Work-from-Home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections, etc.) or prohibiting their use entirely.
- If you haven’t had a risk assessment by a 3rd party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.
- Buy Cyber-Insurance to protect you in the event of a catastrophic failure. Cyber-Insurance is no different from Car, Fire, Flood, or Life insurance: it’s there when you need it most.