BEC – why the fuss?
Updated: Jan 22, 2019
BEC is perhaps the latest, or maybe hottest, security scare acronym – Business Email Compromise. It’s a catchall term which reflects the fact that ‘email is still the number one threat vector facing organisations’ [1]. And that’s for two reasons: it’s constantly used for broad sharing of information within and outside of the business, and it’s also your digital identity – if I can access your email, I can be you. But… this has all been true for decades. So what’s new?
I think it’s this: typically, when people think about email security they think about viruses, malware, and phishing. And when we think about email scams, the most high profile ones are phishing related. The level of sophistication can be phenomenal – just look at how detailed this attacker got in order to extract substantial funds.
So here’s the new bit (yes, I’m finally getting there): in a substantial number of cases, attackers are actually compromising a corporate mailbox. I don’t mean they are sending really, really good fake emails, I mean they’ve actually got the credentials to log into the CEO’s email, or that of someone else in the business. Recent research found that 44% of organisations were victims of account takeover-based and related types of attacks [2]. This makes it pretty much impossible for anyone in the company to spot that the email they received was not really from the purported sender.
In a recent example at Save the Children, ‘hackers broke into a worker’s e-mail, posed as an employee, and created false invoices and other documents, to fool the charity into sending nearly $1 million to a fraudulent entity in Japan’ [3]. Just a few days ago, thousands of sensitive documents were stolen by hackers in a cyber-attack on the investment bank Evercore: the hackers gained access to a PA’s inbox, leading to the theft of huge numbers of documents and emails [4].
Some subtle attackers have a different approach: compromise the account, but don’t send any emails. Instead, simply put in place an inbox rule to forward emails from the compromised account to the attacker. Numerous customers have told me they have suffered from precisely this attack (no, not giving any names, sorry), and it’s even possible to hide the rules so they cannot be seen in an Outlook client [5].
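Because a hidden forwarding rule leaves no trace in the Outlook client, the place to catch it is the mailbox audit trail rather than the mailbox itself. The detection logic below is an added example (not code from this post or from IDECSI): it scans constructed sample audit records, whose field names are an assumption modelled on the Office 365 unified audit log, and flags rule or mailbox changes that forward mail to an external domain, silently delete the owner’s copy, or carry a blank rule name.

```python
import json

# Constructed sample mailbox-audit events (JSON lines). The field layout
# (Operation / UserId / Parameters as Name-Value pairs) is an assumption
# based on the unified audit log format, not real captured data.
SAMPLE_EVENTS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "ceo@example.com",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "dropbox@attacker.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "pa@example.com",
                "Parameters": [{"Name": "Name", "Value": "Invoices"},
                               {"Name": "MoveToFolder", "Value": "Invoices"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "cfo@example.com",
                "Parameters": [{"Name": "Identity", "Value": "Travel"},
                               {"Name": "RedirectTo", "Value": "assistant@example.com"}]}),
    json.dumps({"Operation": "Set-Mailbox", "UserId": "cfo@example.com",
                "Parameters": [{"Name": "ForwardingSmtpAddress",
                                "Value": "smtp:cfo.private@webmail.example"}]}),
]

INTERNAL_DOMAINS = {"example.com"}          # assumed: the organisation's own domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}

def is_external(address):
    """True when the recipient's domain is not one of ours."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS

def suspicious_rules(event_lines):
    """Return one finding per event that looks like a covert forwarding setup."""
    findings = []
    for line in event_lines:
        ev = json.loads(line)
        op = ev.get("Operation")
        if op not in RULE_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in ev.get("Parameters", [])}
        reasons = [f"{k} to external {params[k]}"
                   for k in sorted(FORWARD_PARAMS & params.keys()) if is_external(params[k])]
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("DeleteMessage set: owner never sees the forwarded mail")
        name = params.get("Name") or params.get("Identity") or ""
        if op != "Set-Mailbox" and not name.strip(" ._-"):
            reasons.append("rule name is blank or punctuation only")
        if reasons:
            findings.append({"user": ev["UserId"], "operation": op, "reasons": reasons})
    return findings
```

Internal redirects such as the CFO-to-assistant rule are left alone, so the output is short enough to review by hand rather than a dump of every rule change.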
Which all leads to two really good questions:
How is it happening? How do I protect my company?
The answer to the first is, unsurprisingly, not straightforward. Phishing of one sort or another is frequently the starting point, and there’s an increasing number of vectors which are now defeating even multi-factor authentication (MFA). That’s a bit too detailed for this article and is well worth a blog on its own, so watch this space – I’ll get right to it.
And for the second, no big surprise, no single answer. User awareness education helps (reducing the chance that your team members succumb to phishing attacks, helping them identify malicious WiFi, etc). Automated tools to identify dodgy emails and rogue websites can be part of your armoury. And as I imply above, MFA makes it tougher, but not impossible, for the attacker.
Ultimately, though, all these approaches can be, and in many cases will be, defeated. This leaves you with perhaps the most critical defence: monitoring and detection. You need to identify immediately when an attacker has compromised an email account in your environment. This can be done by accurate analysis of typical user behaviour and is at the heart of the IDECSI Personal Security Guardian. I won’t say more here, but this earlier blog post gives you a good flavour.
Credit: Ben Miller, Idecsi