Business Email Compromise Scheme Charges
US federal prosecutors are charging four people with conspiracy to commit wire fraud for their roles in a business email compromise (BEC) scheme. The individuals allegedly used phishing and social engineering to access targeted organizations’ networks and email services to conduct fraud.
The techniques used by this group point out the three key issues: (1) On the front end, reusable passwords enabled phishing attacks that gave the attackers internal access; (2) once in, they were able to operate unnoticed for long periods of time; and (3) the processes for disbursing funds had no final “out of band” check that would have required a phone call or an actual old-fashioned face-to-face check before giving away large sums of money. That final one is largely outside the control of IT security, but requiring strong authentication for privileged users and reducing time to detect are clearly essential security hygiene issues. Good to see the bad guys prosecuted; better to see them unsuccessful in the first place.
Multi-factor authentication for email and all other externally facing services is more important than ever. Stolen reusable credential use has to stop being viable. Don’t just consider what a given service does and the risk of exposure of that service; consider what else can be done with the credentials if captured. Make sure that your CFO has adequate controls on financial transactions to not only vet changes of account or process, but also be sure that validation is out-of-band and all parties verified. You may not be involved in these business processes as cyber security professionals; if so, consider leveraging your contacts to get the right people in a meeting to present the concern. Don’t forget to invite your contacts to participate.
Ransomware gets all the media attention, yet BEC / CEO fraud is most likely a far costlier threat in dollar terms. The FBI reported over $1.8 billion in reported losses in 2020 alone. BEC is purely a financial attack, so technically it is not a breach, which means no one reports it. While ransomware impacts an entire organization and quickly becomes public, BEC only impacts accounts payable, so quite often most of the company will be in the dark if compromised. The key to protecting against BEC is ensuring your workforce knows and understands your processes and feels safe and comfortable following them, even if someone claiming to be the CEO is screaming at them to process a payment right away.
In addition to the recommendations above, employ multi-party controls. For example, separate the privilege of setting up payees or making changes to them (e.g., name and address, destination accounts) from that of issuing payments. In addition, require two parties to approve large (e.g., above the 90th percentile) or non-routine payments. Such controls resist both errors of omission and fraud.
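The multi-party controls described in the comment above, written out as a small payment-approval policy check. This is an added example, not code from the original item or its commenters; the user names, payee records, amounts and payment history are constructed.

```python
from dataclasses import dataclass
from statistics import quantiles


@dataclass
class Payment:
    payee: str
    amount: float
    issued_by: str        # user who issued the payment
    approvers: tuple      # users who approved it (constructed ids)
    routine: bool = True  # False for one-off / unusual payments


def p90_threshold(history):
    """'Large' cutoff: the 90th percentile of historical payment amounts."""
    # quantiles(n=10) returns cut points at 10%..90%; the last one is the 90th
    return quantiles(history, n=10)[-1]


def evaluate(payment, payee_setup_by, history):
    """Return the list of control violations; an empty list means it may proceed."""
    problems = []
    # Separation of duties: whoever created or last changed the payee record
    # (name, address, destination account) may not also issue payments to it.
    if payee_setup_by.get(payment.payee) == payment.issued_by:
        problems.append("issuer also set up or changed the payee record")
    # Two-party approval for large or non-routine payments; approvers must be
    # distinct people and neither may be the issuer.
    if payment.amount > p90_threshold(history) or not payment.routine:
        independent = {a for a in payment.approvers if a != payment.issued_by}
        if len(independent) < 2:
            problems.append("large or non-routine payment needs two approvers other than the issuer")
    return problems


# Constructed sample data: ten past payments and who maintains each payee record.
HISTORY = [100, 200, 300, 400, 500, 600, 700, 800, 900, 1000]
PAYEE_SETUP_BY = {"vendor-x": "bob", "vendor-y": "alice"}


def demo():
    routine = Payment("vendor-x", 500, "alice", ("carol",))
    big = Payment("vendor-x", 5000, "alice", ("alice", "bob"))       # issuer self-approved
    sod = Payment("vendor-y", 500, "alice", ("bob", "carol"))        # alice also set up vendor-y
    return [evaluate(p, PAYEE_SETUP_BY, HISTORY) for p in (routine, big, sod)]


if __name__ == "__main__":
    for result in demo():
        print(result or "OK")
```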