How to Stop and Overcome a Business Email Compromise Attack


One of the most common and most dangerous types of cyberattacks is a Business Email Compromise. We discuss what a BEC is, and what makes it so devastating.

Episode Transcript

Brian: Hey everybody, welcome to the Fearless Paranoia podcast. Thank you for joining us today. We are here demystifying the world of cybersecurity, making it reasonable, accessible, understandable to everybody out there. I am Brian, the cybersecurity attorney,

Ryan: And I’m Ryan, a cybersecurity architect.

Brian: And today we’re gonna be talking about an interesting subject, it’s really the cause of a lot of effects that you hear about. I’m gonna tell you just a quick story. There was a person who was buying a house and they were buying a house in a different state. They had to sell the house they lived in, which they did. They were all set to have the money from that sale transferred to the seller of the house that they’re buying. Very traditional standard real estate deal, you know, here’s the house, okay, here’s the bank account, send the money to. Alright, send the money. Well, the day of the closing, they got an email saying that, hey, there’s a review going on at this bank of this account. We can’t wire anything in and out and we just send it to another place they email, and the instructions were in a format that if you looked at it quickly looked like the letterhead that this other law firm had sent. Now interestingly, if you’re a practicing lawyer, there were some gigantic red flags. But ones you only really learn about after you read correspondence from a law firm back and forth. For example, the names of the attorneys had asterisks next to them, which is very common, but nowhere else in the page did it list what the asterisks were for. Usually, it’s licensed in multiple states, blah, blah, blah, but they didn’t have anything anywhere. That would have been a gigantic red flag for a practicing attorney but not to someone who wasn’t. These new instructions were to a different bank. And the people on the receiving end of the instructions didn’t look very closely and sent a wire of $700,000 to a bank that had just been named to them. Well, it turned out that several days before this happened, someone had gained access to the email of one of the realtors. That person had managed to gain enough information from reading that realtor’s email to know about this real estate transaction, to know when it was going down, to know the names of the people involved. 
They spoofed an email address of one of the people involved and started sending correspondence from that address in the very tone that that person had used in their own emails, and through that spoofed email address had convinced someone else to send money to the wrong account. That wrong account immediately forwarded that money to China and only some of the money could be recovered. That is actually a true story. And it involves what we’re talking about today called business email compromise. Ryan, give us an understanding what does business email compromise mean.

Ryan: The majority of it is right there in the title. This is the use of a compromised business email account to act on behalf of that compromised user or to try to solicit some activity from inside the business that would be otherwise unnatural under the guise of a regular request. It’s some attempt to just use persuasion deception to achieve the typical goals of either financial benefit or a larger foothold or access to information or something along those lines. And typically, it tends to be financially motivated is where a lot of those kind of tend to lead, especially in the newsworthy ones. Exactly. And so yeah, business email compromise is a growing threat, it falls right in there with any other major compromise phishing and business email compromise are some of the most common ways to try to use this as an initial point of compromise, because it involves using the human interaction in the chain and exploiting that piece, which in a lot of cases tends to be one of the weaker legs.

Brian: I was listening to a legal ethics discussion recently. And no, I don’t do that for fun that’s required by the state bar. But there was a discussion on the ethics of using text messages with your clients. And if you’re baffled that that would actually be a discussion in 2023. Don’t be this is the legal profession we’re talking about. But it’s this idea that you know, people are communicating by text, do so in a more conversational but abbreviated manner than you would in real life. And therefore, it’s oftentimes less formal. And the common distinction really though, is when you’re discussing along those lines of written communication is the difference between an email and a Letter People are much more formal little letter than they are an email that’s always been a big concern about email in general. And despite the fact email has been around as a primary tool for business for more than 30 years. Now, it occurs to me that email has progressively gotten less formal in that time that even when it first came out, and people were concerned about how informal users were versus a letter, I don’t think that has actually improved. And that is one of the major reasons why a business email compromise is such a popular way for hackers to get in because people seem to have let their guard down somewhat when they read and send emails.

Ryan: And it’s become a lot more common in today’s age to interact with things like emails, previously, things like text messages, were very non interactive, can send a reply, but it was very uncommon to get links or even pictures or in early emails, that was usually just straight texts back and forth, which again, is very not interactive email was kind of one of the first real widespread communication methods where we could send interactive tools back and forth. We can put links in there that can direct you to this site that hey, you need to go see this because there’s funny pictures of penguins walking around, you know, or sliding down a hill, or here, let me insert this picture. So, you can just see it direct, you don’t even need to go to the link. So it opened up a lot of new kind of just evolutions of that technology, that initial communication that weren’t there before. And of course, just like anything else, the unfortunate part is where you’re going to develop a new feature a new enhancement, somebody’s going to look for a way to exploit that, or the technology that’s being used to deliver it. And with that business, email compromise critical, because we’ve made email much more interactive, much flashy, or much prettier, much more filled with content that was engaging. And all of those different pieces of content have different features to them that unfortunately, can be exploited in different ways. So, email just became the funnel point for a lot of that because it takes all of those different potential exploitable technologies and funnels them right at the user aspect, which again, has always been one of the favorite spot for bad actors to go to.

Brian: Well, yeah, I mean, I guess if the basics are if you’re a hacker you need to get in, you want to get in the easiest way is through a door and you can try to pick a lock. But isn’t it easier to ring the doorbell? Have someone come to the door, open it and ask a question. And even though you know only one in 100 are going to listen to you and let you in all it takes is that one and you’re in your past the security you’ve gotten through the gates, you still have to deal with what happens once you’re inside, but you’re at least past that first part. So, let’s talk about the compromise part of this. Obviously, we get the business and the email compromise. How does the compromise tend to happen in a business email compromise?

Ryan: Well, so business email compromise the how isn’t always a true compromise, but in a lot of cases they can be. So, the couple different ways that the business email compromise will start is let’s start from outside the compromise first, and then we’ll work our way in towards it compromise would be the easiest way, because you’ve got some legitimacy behind the attempts that you’re going to use. There are less impressive ways and a little bit easier to detect ways things like domain spoofing and using look alike domains and ascending from those to try to just gain that level of legitimacy. Again, there’s a lot of tools that can deal with those things to really kind of identify that type of behavior, identify domains that look very similar, sending to one another that maybe shouldn’t be saved with like external labeling on email. So, you can actually properly identify it at that header level. But that was kind of some of the lighter weight, the less sexy ways of doing this kind of business email compromise first step…

Brian: And those are basically like essentially trying to hook you into responding to the email or using a link within that email to just steal your credentials.

Ryan: Well, it would be something like let’s say I wanted to get you to respond to something instead of sending you from Ryan at Fearless Paranoia I send to you from Ryan at Fearless Paranoia or Fearless Paranoia or whatever…

Brian: Or some other way I mispronounce the title of this podcast.

Ryan: quick swipe other letters that people don’t catch, or maybe using a one in place of a lowercase L somewhere to try and mock that are very common ways of trying to typo squat or use lookalike domains to try and you know, act as a legitimate user to get past the human filter of recognizing that something’s wrong because obviously, if I say, Hey, I’m Ryan from Fearless Paranoia, but I come in from Bob dot Johnson dot, I’m a hacker at google I’m like, okay, this property is, you know, something I should probably just respond to without some further scrutiny. But then you get into the compromised accounts, where now it becomes a much more legitimate space and a much more valid deliverable that you’re offering, you’re talking about a compromised account.

Brian: And this is something I want to talk about in greater detail later. This is essentially once a compromise has occurred.

Ryan: using that compromise to compromise other accounts, well, using it for a variety of different tactics. But yes, in one case, if that account itself has access to all the things that you could ever want, then your compromise is done, all you need to do at that point is look for all of the treasures that you’ve just opened yourself up to, in most cases, the people that hold the keys to all of the things that most people really want don’t tend to be the easiest ones to compromise either. Because a lot of times they’ve gone through the extra training, they understand the severity of the importance behind the keys that they hold. And so a lot of times the pivot goes through the personnel towards the ultimate key holder or the ultimate target. And so again, it may start and again, I’m gonna probably offend a couple people, hopefully not too badly here. But like, you’d have to start with a lot more of the operational people that deal with a lot larger volume of email and or a lot less scrutinizing of the emails they get. These are going to be sales teams, HR teams, tech support teams, and operational teams, marketing teams, people that get a lot of that typical engagement and potentially deal with hundreds of emails a day are very easy targets to go to, because a lot of times they’re not looking for legitimacy. And they’re not assuming paranoia. And assuming that somebody is effectively going after them. They’re assuming that people are engaging with them, which is part of their everyday job, right. So by being able to get them as an early point of compromise, you’ve now worked your way into a person that probably has broad trust throughout an organization because they’re usually very engaging. They’re very interactive with a lot of other people. So now you use them as a point of compromise and use them as a point of compromising others.

You’re listening to the Fearless Paranoia podcast for more information on keeping yourself your family and your company protected against cyber threats. Check out the resilient cybersecurity and data privacy blog. If you’re enjoying this podcast, please like it subscribe using any of your favorite podcast platforms. Also, please share this podcast with anyone you think would find it helpful or useful. We rely on listeners like you to help get the word out about the show. And we appreciate the support now time for some more cybersecurity.

Brian: Well, in the way you know that too, is once you get access to email, and this kind of talks a lot about what I want to talk about next, is what happens, what kind of access do you get when you get someone’s credentials and log into, let’s just go ahead and use, you know, Outlook 365, and Office 365. Because it’s what 80 to 85% of the business market right now. And it’s where most of these breaches occur. Because if you’re a hacker why learn two different email systems if you only know one. So you know, someone hacks your Windows 365 account by getting your credentials, they log in, they see your emails, so they know how chatty you are on email. They know how you converse on email; they know with whom you converse, and it’s oftentimes probably not that far of a stretch from getting into one chatty employee’s email account to being able to build unofficial and maybe even unconfirmed but build a business hierarchy model based on the information you find in that account.

Ryan: Sure, I think it’s very reasonable to assume that a lot of users in the business world first of all tend to be very overprivileged. And I’m saying that from like a system standpoint, from an access privilege standpoint, tend to have access to a lot of very general systems. So that makes every account in a business that can be compromised, equally valuable, right from the onset, they’re going to have access to a ton of information, there was a recent hack of Atlassian, who holds the JIRA Confluence and a lot of other major sport tools. And one of the things that was hacked, there was their tool through envoy, which is a third party that does facilities management software. So, used to do stuff like rent hotel and cubes and things like that, and office building or show you like a map of who sits in what offices somewhere inside of a building, whatever it is, you think that critical information, right? Like, who cares, it’s probably pretty easy to get an employee list of who cares what office they sit in. But that information could have a lot of potential uses do especially if somebody is interested in doing like a physical security breach? Well, if I wanted to get hold of someone’s access, if I found out a company say switch to like hardware tokens for their access, well, that makes those accounts a lot harder to get a hold of, if I can find out how to get into their building and get a hold of someone’s hardware token on now you’ve got another interesting point, again, that gets business email compromise.

Brian: The other thing that does, you want to build an org chart, find out what employees work where who is more likely to have access and authority to access certain information. The bottom line is if you know, for people who sit in an open office space next to one person who sits in a closed office, you know that those four people likely work for that one person in support role in some way, shape, or form. So now you’ve narrowed it down. And let’s say you know that that person has an executive assistant who has all the keys to the kingdom, well, it’s probably going to be one of those four people. So you’ve now narrowed down if you want that executives access and information, you’ve now identified the four people who are your main targets, just by knowing where they sit.

Ryan: Exactly to the same point as discovery, if you’re looking to get a wire transfer, you’re not looking to contact a CFO. And to get approval for a wire transfer. It’s very rare that they get involved directly with those operational activities. Anyways, other than sending out a request, you want to find the person who’s got the finger on the keyboard, that’s actually making those transfers happen. And ideally, you’d like to have their CFOs account be the one that you’ve got compromised so that you can issue the order from somebody who absolutely has the authority to make that happen, won’t get questioned by the person that works for them, and who by the time you guys go through and actually run down everything to realize what happened and try to remediate it, it’s probably far past the point of being able to recover anything that didn’t get stuck by some procedure summer.

Brian: So, we’ve talked about wire transfer fraud, the beginning, obviously, being able to impersonate someone within an authority chain to request money be sent. I mean, businesses send money by wire transfer all the time. It’s easy, it’s immediate. And it’s a way to get around a lot of especially international bureaucracy about money transfers, because of the fact that banks have made it easy, and it just fits into that system. So, wire transfer is a big, big potential results of business email compromise. We also discussed briefly the whole idea of spamming contacts, you can try to compromise someone else just by spamming everyone who is in that person’s contact list what other types of fraud and hacking can come from business email compromise?

Ryan: I mean, another big one is fake Invoicing is a really, really big thing where you either load up either a purely fake invoice and then just get legitimate payment to it. And in some cases, you can even use those same fake invoices to load up a loaded PDF attachment or a loaded word doc attachment and you can use it twofold. You can try to get payment on the PDF and load malware behind it depending on how much effort you want to put into the actual campaign and how much risk of detection Do you want to pose to yourself, but fake Invoicing is a big one. We talked about impersonation at length just getting a hold of those accounts and just trying to impersonate different actors in the company. This can extend into other things besides business email compromise to any sort of that impersonation, we’ve seen the attempts to try and gain gift cards, try to get other kinds of non-tangible assets that people will transfer out ownership of, or get approval to just straight out make other purchases that are hopefully not as trackable, not as traceable. And then also the a lot of them can lead into data and financial theft with instead of just purely going for something like trying to get money transferred, or a fake invoice paid some sort of financial poll, you could have a compromise of an account lead to data exfiltration, because this user could just flat out requests, trade, secret data, PII anything of that sort, because as soon as you send it over to that account, and they use that account to retrieve it, it’s really easy to just pull that data out as well. So that can become a potential exfiltration method as well. But I would say that the biggest points would be just yet smash and grab type of attempt to gain either access to files or data. Otherwise, it’s an initial point of compromise, trying to gain further persistence further foothold somewhere else.

Brian: Well, the other thing that I’ll add from the legal perspective anyways, is you have to in your company address the types of information that gets sent by email, and also what emails get stored and get saved. The smaller the business you are, the less likely you are to have in place a policy or a system that deletes or archives emails after a year. In fact, in a lot of professional industries, ethical obligations require that you keep email correspondence for a certain amount of time. Now, if one email account of yours was compromised, you have to assume that every single email in there was read. And if you don’t know where the compromise went after that, you have to assume that every email stored in your email system was read, which means that you likely have to comply with data breach notification requirements, that is a big deal, because it doesn’t matter what you put in a contract doesn’t matter what anyone says about anything, the law of where the person whose information was stolen resides is the law that controls so if your company has information on people who live in 40 Different states, and you need to comply with 40 different data breach notification laws. So be very, very conscious of anything that compromises your email, especially as a small business, if you don’t have that tight control of the email systems, right. We don’t have a ton of time left here. But I want to get some of your thoughts on how business email compromise can be detected and what can be done to prevent the compromise or limit the damage.

Ryan: And that’s the big key that is just figuring out how to defend against this, right. There’s a whole variety of things you can do but some of the most common and some of the easiest to implement. Obviously my favorite one education, educate your users do phishing training, get them copies of what phishing emails look like bad ones, good ones, especially the good ones, and really beat this trade again to them with additional education, a lot of your users will just kind of next click through the education where they can probably relatively disinterested, but it’s still important to at least let them know.

You’re listening to the Fearless Paranoia podcast, we’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at info at Fearless or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out Fearless We’ll find a full transcript as well as links to helpful resources and any research and reports discussed during the episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now back to the show.

Brian: One point I wanted to make there is that I do know that people who, you know, in a lot of large corporations, they get their monthly phishing test email. And most of the people that I’ve talked to about this, they know, they recognize what those emails look like. They don’t have a logo that’s pixelated, it’ll all be fairly constantly in the same form. Can I urge you please, if you’re going to test your employees, test them, yes. Don’t test their ability to catch the same simple mistake multiple times. Test them and don’t punish them for not passing the test, teach them when they don’t pass the test. So you can’t make it a punitive thing and then make it so that the test that you give them doesn’t match what the situation would look like in real life. Spear phishing emails are good now. They look real. You’ve got to test them on that.

Ryan: Yeah, 100%, 100%. Absolutely agree. One of my favorite phish tests that we’ve done in the past was through a system called Concur, which is used for expense tracking, because every manager in an organization is going to get some sort of expense notification email at some point, if they manage staff. That’s where we saw a real big click-through, was mocking up one of those emails and making it look very convincing. And just things like that. It opened up a lot of eyes. And I think the next time that there was a similar email that went through it got a very low click-through rate. So, it’s really just, it is getting creative and showing how good those emails are. These are not all just Nigerian prince emails anymore. This is not easy to determine. It’s not poor spelling in the emails, these are getting to be crafted by native speakers with, you know, probably some sort of at least marketing touch and they look wonderful, which makes them immensely more powerful, elusive and dangerous. There are anti-phishing systems that all sorts of different enterprises can deploy. They tend to be probably a little too expensive for a really small business. If you’re in Office 365, you’ve already probably got some protection through Exchange Online from some of the anti-phishing capabilities that they have. But there are other systems out there as well that you can put in front of your email that are specifically looking for common phishing items: obscured links, links to places that don’t originate from the same domain that the email is coming from, other kinds of just like major telltale signs that look suspicious, and they check against known bad lists for bad or reported destinations. Going through and just making sure that you segregate duties and apply least privilege to your business. 
Because eventually, this will happen, you will get someone that will click on something in an email, and just making sure that you reduce the amount of fallout and the amount of access that they’re able to get when they actually do penetrate that perimeter is going to be the thing that’s going to give you the ability and the time to respond, to identify what happened and to remediate any other potential fallout before it spreads into something larger. Labeling external email is probably going to be one of the hugest helpers that most organizations can do. A lot of organizations have this in place already. But as many as I’ve contracted that in the past, I’ve seen just as many that don’t have it. And it’s a huge one for getting past some of those things we talked about earlier, like those typosquatting domains and those lookalike domains. Again, taking Fearless Paranoia and flipping a couple of letters around or replacing the L in fearless with a one can make it so that it looks very close and very legitimate. But getting that big external flag on there would help a user kind of identify, oh, no, this looks like it’s fearless. But oh, no, you know what, no, that does look a little fishy. All of a sudden, it just kind of is the one thing that helps flip that light bulb on.

Brian: And for everyone who, you know, might scoff at the notion that this is something that works, all you have to do is go look through those. You can find them online anywhere, just you know, typing into a Google search, you have that tests that are out there that show how you can read something where letters are flipped around and missing because of the science that we know of how we read, we look at the first letter and the last letter, and our brain tends to extrapolate the rest, it’s a big deal. And it’s something let’s face it every single psychological way, every single psychological trick that is out there that can help hackers they use.

Ryan: And that’s why it’s really important and why I don’t know, maybe the title, the name of the podcast comes off a little bit goofy to some people, or maybe it doesn’t make a whole lot of sense. But if you actively engage with a little piece of paranoia, and all of those internet activities that you go about on a daily basis, and you understand that there’s people out there looking to exploit that, and you keep that mindset in place. There’s nothing to stop you from being absolutely fearless and going out there and finding ways to be successful and engage and be a part of this big internet era safely. But if you don’t tie those two together, you add a whole lot of risk back into that whole endeavor. So again, add a little paranoia back into your life, it’s going to do you a lot of good and just use it as kind of a mild superpower, or at least as that double check as you go out there to make sure you’re aware of what’s going on out on the internet.

Brian: And I’m going to add to that, again, this notion that you know, for all the information need to provide businesses should be providing a lot of information to their employees, but how to get around this stuff. You may think that security training isn’t a part of your job. But the bottom line is it is daily life. Now, if you’re not operating your life with one eye towards keeping information secure, then you’re giving that information away. And whether you’re giving it to someone who is going to act poorly with it or well with it, you don’t know. Everyone needs to be equipped with that basic operating paradigm that we’re gonna keep an eye towards security, but you need to train your employees in a manner that is befitting of a company that trusts its employees. I can’t tell you how many times I hear about someone being punished for failing to detect a phishing email, making only that person attend more tests or calling that person out in a meeting or even subjecting them to punitive measures after. That makes everyone else paranoid, but it also makes sure that they are going to specifically look for the type of test emails that you’re going to get. You need to use every single failed test as an opportunity to teach everybody but never at the expense of anybody. Because the statistics on internal actors alone should really convince any business owner why you never want to make an enemy out of one of your own employees, especially when doing so just shows them how they can hurt you.

Ryan: No, you’re absolutely right. And as many things have changed over the years in the cybersecurity space, the one thing that has kind of always remained true is that security comes in layers. There will not be one single tool, one single policy, one single piece of training or one single area of your business that you can secure or put a solution in front of that is going to be the one-stop shop to fix all of your problems. Security training is only one layer. Anti-phishing solutions is another layer, good scanning on your emails, an additional layer, and then assuming that you’re going to be compromised and having good protection on the workstation, good protection on your services, protection around your identity, strong authentication, all of these different layers work together in tandem to provide that safe experience. And so, putting all of the onus on a single user for failing a phishing exam is going to prove fruitless in the end. You’re going to turn off potentially, you know, a good asset instead of actually fixing the problem, which is broad education and broad protection. So assume that your people will get phished, they will lose in that battle and you need to be prepared for what happens at steps 2, 3, 4, otherwise, you’ve already failed just as much as they have.

Brian: Well, that’s all the time we have today on Fearless Paranoia. I want to thank you for tuning in. We think that the business email compromise, it’s an important thing to know it’s not one specific type of attacking to look for. It’s a broad category of vulnerabilities and ways you can be damaged, but it is probably one of the biggest things you will have to deal with. Whenever you have to deal with a breach of some kind, you will have to make sure that you look at your email because the proverbial keys to the kingdom can be found in the emails sent and received by your people. So, making sure that you have things in place that protect those keys but also provide you with a backup set in the event that somehow those keys get taken are very important. Once again, we want to ask every one of you if you enjoy this podcast please do us the favor of liking the episode on any of the podcasting platforms that you listen to on any social media pages you found us also share this podcast we rely on you we need your help to get this to as many people who can benefit from this information as possible. We hope you enjoyed hearing the stories that we’ve had on this particular issue, and we hope you come back next time.

Ryan: But again, your invoice is past due if you want to send your payment payable to a Fearless Paranoia routing, not just kidding. Avoid all of those triggers. Keep your money safe and everything and again yeah, thanks for coming in or Fearless Paranoia. I am Ryan. This is Brian and we will see you on the next episode.

©2024 Fearless Paranoia