The menace of Business Email Compromise (BEC) is often overshadowed by ransomware but it’s something small and medium-sized businesses shouldn’t lose sight of.
Bang on cue, the FBI Internet Crime Complaint Center (IC3) has alerted US businesses to ongoing attacks targeting organisations using Microsoft Office 365 and Google G Suite.
Warnings about BEC are ten-a-penny but this one refers specifically to those carried out against the two largest hosted email services, and the FBI believes that SMEs, with their limited IT resources, are most at risk of these types of scams:
Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite.
As organisations move to hosted email, criminals migrate to follow them.
As with all types of BEC, after breaking into the account, criminals look for evidence of financial transactions, later impersonating employees to redirect payments to themselves.
For good measure, they’ll often also launch phishing attacks on contacts to grab even more credentials, and so the crime feeds itself a steady supply of new victims.
The deeper question is why BEC scams continue to be such a problem when it’s well understood that they can be defended against using technologies such as multi-factor authentication (MFA).
One answer is that older email systems don’t support such technologies, a point Microsoft made recently when the company revealed that legacy protocols such as SMTP and IMAP correlated to a markedly higher chance of compromise.
Lacking that, such accounts immediately become vulnerable to password weaknesses such as re-use.
Turn on MFA
One takeaway is that despite the rise in BEC attacks on hosted email, this type of email is still more secure than the alternatives provided admins turn on the security features that come with it.
For organisations worried about BEC, the FBI has the following general advice:
- Enable multi-factor authentication for all email accounts
- Verify all payment changes via a known telephone number or in-person
And for hosted email admins:
- Prohibit automatic forwarding of email to external addresses
- Add an email banner to messages coming from outside your organization
- Ensure mailbox logon and settings changes are logged and retained for at least 90 days
- Enable alerts for suspicious activity such as foreign logins
- Enable security features that block malicious email such as anti-phishing and anti-spoofing policies
- Configure Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) to prevent spoofing and to validate email
The FBI also recommends that you prohibit legacy protocols that can be used to circumvent multi-factor authentication, although this needs to be done with care as some older applications might still depend on these.
It’s a pity the IC3 sometimes puts out useful advice like this using Private Industry Notifications (PINs), a narrowcast version of the public warnings issued on the organisation’s website.
Report a BEC
Law enforcement agencies can’t fight what they don’t know about. To that end, please do make sure to report it if you’ve been targeted in one of these scams.
In the US, victims can file a complaint with the IC3. In the UK, BEC complaints should go to Action Fraud. If you’d like to know how Sophos can help protect you against BEC, read the Sophos News article Would you fall for a BEC attack?