Business Email Compromise: How to protect your organization

Jan Hutchins
Senior Security Consultant
CyberCX

An evolving threat landscape

The ransomware threat is now a reasonably well-developed and understood one by security companies and their clients alike, but as with all aspects of the cybersphere, the landscape is fluid and rapidly evolving.

While some arguably counterintuitive management tactics such as ransomware insurance are offered, education and mitigating measures against these sorts of attacks are becoming more mature. As such, industry opinion is starting to consider that potential ransomware targets are not as soft as they once were, leading those behind reasonably sophisticated ransomware teams to be on the hunt for new, lucrative pastures.

What is Business Email Compromise?

One such attack, while not new, has got great abuse potential, particularly if leveraged as part of existing ransomware deployment frameworks.

The Business Email Compromise (BEC) is a comparatively less technical type of threat, capitalising on what is often the weakest security link in any technology chain; the user.

Through various social engineering campaigns, or potentially more traditional methods such as password guessing, spear-phishing or shoulder-surfing, the aim is often to compromise the e-mail account of a higher-profile identity and use it to make fraudulent requests or transactions

Types of Business Email Compromise

Types of Business Email Compromise are only limited by the time available and imagination of the attacker; fake invoices, access requests, false IT tickets, approvals for cash transfers or even work contracts are all examples of things seen in the real world. Anything that can leverage a trusted position is a valuable target.

Cyber awareness and education

Although most companies now have reasonable cyber awareness and education campaigns and their administrators are aware of the threats that they face; servers are still sometimes left unpatched and users still set guessable passwords, even if they conform to policy.

We in the cyber security industry are becoming better educators, but further efforts need to be made in this space. While things like password guessing attacks still work and exploits remain viable, user accounts will continue to be compromised – this is a key tenet of the BEC attack and what makes it such a juicy target. Reasonably modest outlay for the reward of a trusted position as a foothold to stage further campaigns from. A probability game that requires no further technical expertise to execute attacks.

Such attacks blur the trust lines we try so hard to define. It’s far easier to suspect or analyse communications that come from external sources, beyond our metaphorical walls; but once such a threat has already established itself in an organization, why would any sane person question directives from an apparently trustworthy source? Not only is that kind of vigilance too much to ask for from end users, but it can’t really be combatted by any technological measures. Granted, some business process understanding would need to be garnered in order to subvert it, but such a task is trivial given enough time.

A malicious party speaking as if they were from the accounts department with knowledge of process and the correct lingo would undoubtedly be in a strong position…

How to prevent BEC Fraud

So what can we do to protect ourselves against such potentially emerging threats?

Without wanting to cop-out, we don’t need to reinvent the wheel or provide new revelations. We need to build on the good work that our industry has been making and use our trademark adaptability to provide genuine and engaging education programmes to our clients and their employees. We need to continue to provide knowledge to enable frameworks that administrators can build on to ensure that they’re getting the easy wins right – hopefully stopping these treats at source by implementing good user access management, multifactor authentication, build reviews of externally-facing assets and secure routes to internal resources.

But we also need to work with our colleagues responsible for business processes. Security is not out in a silo of its own, it needs to be woven into the very fabric of our businesses, living and breathing – beyond only the technology stacks that we work with. We are the ones who now need to step up and facilitate that.