The threat landscape has changed dramatically since I first began working for Pivotal IT. Back then, Ransomware was the attack du jour – and a business continuity solution or a well-timed backup could save the day (and the data.)
Cybercriminals are doing their homework, working together and employing several tried-and-true tactics to deploy well-crafted attacks. Ransomware is on the decline and persistent attacks that better evade detection are on the rise. Business Email Compromise (BEC) and Email Account Compromise (EAC) are now the attack of choice and there is currently no single software or program that can detect and stop these types of attacks.
According to FBI data, businesses lose 51 percent more money to BEC attacks then ransomware. Between 2020 and 2021 BEC attacks increased by 39%, costing US businesses over $2.4 billion dollars. Ransomware losses during that same time period totaled just over $4.9 million. BEC attacks are considered a theft and often not reported, since they involve money and not data or Personally Identifiable Information and the amount lost to BEC represents only the losses reported to the FBI.
With BEC/EAC scams, initial access to the target network is typically gained by using compromised credentials (e.g., a reused password, usernames and passwords leaked in a data breach or purchased from the Dark Web) in credential stuffing attacks and phishing. Antivirus and other security protections detect and defend against most types of threats, but many BEC/EAC scams do not use malicious links or attachments, making it easier for them to evade detection from antivirus and email filtering. Some attacks have been found using reCAPTCHA to prevent being flagged by automated threat hunting software.
Once inside the network, they lay in wait to gather information, additional credentials and research company contacts and vendors. Attackers “get to know” their targets by viewing social media profiles, observing processes and conversation patterns. Typically, they create email rules to hide their activity and often create typo squat domains of the target organization and/or vendors to craft email address that resemble actual employees and contacts. A recent investigation from Microsoft’s Security Intelligence Team found that it only took a couple of hours for an attacker to complete a BEC attack - from signing in using compromised credentials to registering the typo squatting domains and hijacking an email thread.
With a foothold in the network and armed with all the details, attackers wait for the perfect time to send an email or insert themselves into an email thread. When an end user receives a well-crafted email from an imposter posing as a client, vendor or supervisor with an urgent request to change an address, update banking details or purchase gift cards, it can be easy for them to miss the extra letter or character in a typo squatted domain – and that is exactly what the attackers are counting on.
PROTECTING YOUR BUSINESS FROM BEC/EAC ATTACKS
As with other threats, end users are your best and last line of defense. Though nothing can offer 100% protection from BEC/EAC scams, the items below will go a long way toward helping you protect your business against Business Email Compromise and other cyber threats.
Multi Factor Authentication – Enabling MFA throughout your organization adds an important layer of security. Although MFA cannot guarantee to stop all cyberattacks, it can help protect systems, accounts, email access and limit the usefulness of compromised credentials.
Access Controls – Operating under the concept of least privilege and restricting access rights to the minimum required for each user or group to do their job, can help to minimize security risks and potential damages, should a security breach occur.
Verification / Processes
• Have a verification process (both internal and with vendors) for account changes and large transactions.
• Call to verify any account changes and requests for the movement of funds.
• Never use the “reply” button for an email requesting account or banking changes. If you are unable to call and must reply to the email – compose a new email using the address in your address book/ contact list or manually type in the correct email address.
End User Security Training – Annual Cybersecurity Training can help end users better understand current threats and how to identify them. Ongoing Cybersecurity Training provides timely, relevant information and helps keep security and best practices top of mind.
.svg)