Business Email Compromise (BEC)
Business Email Compromise (BEC) is a common type of attack in which criminals attempt to gain access to company email accounts. A large portion of these attacks aim to fraudulently obtain company funds by tricking employees into performing wire transfers to accounts under the criminal's control. The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center reported $26.2 billion in domestic and international losses between June 2016 and July 2019. While that is a large number, it is not just the famous cases you hear about that account for the losses. Logic Speak has a couple of clients that have been targeted, and earlier in 2020 heard from the Secret Service that smaller companies are oftentimes easier to access than larger organizations.
In other cases, these attacks are used to steal sensitive company information or as an initial foothold leading to gaining access to computers on the network. Finally, attackers can use the compromised email account as a launching point for other attacks, often targeting the vendors and clients of the company that was compromised. Read more about it from the FBI.
The most common sources of a BEC attack are phishing emails that entice a user to enter their credentials on a website owned by the attacker, malware installed on the computer, and reuse of passwords from other sites that have been compromised and breached. In the case of reused passwords, the email accounts don't even need to match: if the attacker has real names associated with accounts from a breach, they can search LinkedIn and other sites for business or other email addresses associated with those names and then try the passwords they gained from the breach. Once the attackers have a set of working credentials, they can log into the email account and begin their work.
Let us Help
BEC attacks have several indicators which, when monitored for, can allow for early detection and mitigation. Attackers will often set up forwarding rules to redirect or send copies of email to an email address outside of the organization. They may also create new accounts and/or grant administrative permissions to accounts they have access to. Without monitoring, BEC events can lie undiscovered for months.
Recently Logic Speak's monitoring identified a mail account at a client which started forwarding email to an unrecognized Gmail account. Upon calling the owner of the mailbox to verify whether this was forwarding they had created, it was determined that their account had been compromised. In addition to the forwarding rule, other rules were found marking emails that met certain criteria as read and moving them out of the Inbox. Further investigation found that the attacker had used the mailbox credentials to add the account to the mail client on a mobile phone. By acting swiftly to remove the unwanted mailbox rules, revoke all unauthorized access, and reset passwords, Logic Speak was able to restore full access to the mailbox and secure it from the attacker.
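The two rule patterns from this incident (forwarding to an address outside the organization, and rules that mark mail as read and move it out of the Inbox) can be checked mechanically over an export of mailbox rules. The following is an added example, not Logic Speak's monitoring code; the rule field names, the `example.com` domain and the sample rules are constructed for illustration and do not match any particular mail platform's schema.

```python
# Added example: field names are hypothetical, not a real mail platform's schema.
INTERNAL_DOMAINS = {"example.com"}  # assumption: domains the organization owns

# Constructed sample rules, shaped like the incident described above.
SAMPLE_RULES = [
    {"mailbox": "ap@example.com", "name": "fw", "forward_to": ["someone@gmail.com"],
     "mark_as_read": False, "move_to_folder": None},
    {"mailbox": "ap@example.com", "name": "..", "forward_to": [],
     "mark_as_read": True, "move_to_folder": "RSS Feeds"},
    {"mailbox": "hr@example.com", "name": "To assistant",
     "forward_to": ["Assistant@Example.com"], "mark_as_read": False, "move_to_folder": None},
    {"mailbox": "hr@example.com", "name": "Newsletters", "forward_to": [],
     "mark_as_read": False, "move_to_folder": "Newsletters"},
]


def domain_of(address):
    """Return the lower-cased domain part, or '' for a malformed address."""
    local, sep, domain = address.strip().rpartition("@")
    return domain.lower() if sep and local else ""


def review_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return (mailbox, rule name, reason) for each rule matching a BEC indicator."""
    findings = []
    for rule in rules:
        # A malformed address yields '' and is treated as external (fail closed).
        external = [a for a in rule.get("forward_to", [])
                    if domain_of(a) not in internal_domains]
        if external:
            findings.append((rule["mailbox"], rule["name"],
                             "forwards outside the organization: " + ", ".join(external)))
        # Mark-as-read combined with a move out of the Inbox hides mail from the owner.
        folder = rule.get("move_to_folder")
        if rule.get("mark_as_read") and folder and folder.lower() != "inbox":
            findings.append((rule["mailbox"], rule["name"],
                             "marks mail as read and moves it to " + folder))
    return findings


if __name__ == "__main__":
    for mailbox, name, reason in review_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r} {reason}")
```

A finding is a prompt to call the mailbox owner, as in the incident above, since users also create forwarding and filing rules for legitimate reasons.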