ngCERT SECURITY TIPS TO MITIGATE THE RISKS OF BUSINESS EMAIL COMPROMISE ATTACKS

Introduction

In an era of increasingly frequent business email compromise (BEC) attacks, cyber thieves pose as company employees or vendors to commit wire transfer fraud. The scam exposes firms of all sizes to heavy financial risks and losses. BEC is on the rise and is often difficult to prevent because it is so targeted. It is a criminal phenomenon with potentially severe consequences. Most likely, these attacks will continue to rise, both in frequency and in losses to the companies that fall victim.

What is business email compromise?

BEC is a phishing scheme in which an attacker impersonates a high-level executive and attempts to trick an employee or customer into transferring money or sensitive data. This crime is particularly stealthy because it employs social engineering techniques to manipulate users. In this regard, the following controls would help to mitigate the risks of BEC attacks if implemented:

Be aware of common BEC attack scenarios

Criminals often rely on certain tactics to perpetrate BEC scams, some of which are:

False sense of urgency. Scammers (typically posing as attorneys or executives) send spoofed emails to victims and convince them to wire money in support of a business deal, such as an acquisition that the victim's company is undergoing. These emails feign urgency and demand secrecy from the victim.

A trick domain name. In this scenario, victims receive an email asking them to wire money to a specific account. The message originates from a domain that looks credible at first glance but has in fact been slightly altered (e.g., one character in the domain name is different). These attacks exploit the victims' lack of attention to the sender's details.

Impersonation of a vendor. This type of cyberattack involves electronic communications impersonating one of the company's vendors.
The sender's domain name is genuine, and the transaction seems legitimate, often with proper documentation attached, because the scammer has hacked into the vendor's email account. However, the payment processing details direct the payment to an account that the scammer controls.

Train employees to recognize BEC attacks

A fundamental step in safeguarding organizations against BEC is to provide employees with adequate cybersecurity training. Employees should know the risks and implications of these attacks as well as how to respond to an incident. A firm understanding of leading cybersecurity practices can foster a sense of responsibility throughout the organization. BEC succeeds not so much because of its technological sophistication but because of its exploitation of human vulnerabilities, including our response to authority. Clear communication of roles and expectations, along with guidance on the appropriate use of IT and accounting controls, can empower employees as the front line of risk mitigation.

Create a culture of compliance

Training alone isn't enough to prevent BEC. Scams are constantly evolving, and for this reason training and compliance go hand in hand. BEC attacks ordinarily target mid-level personnel who seldom communicate with the executives, attorneys, or vendors allegedly behind a transaction request. As a result, employees may not be comfortable personally approaching the requestor to authenticate the transaction. An effective compliance culture gives employees the protocol they need to follow up with confidence.

Build a layered defence with technical controls

For all its psychological manipulation, BEC is not necessarily sophisticated from a technical standpoint. Most BEC attacks originate from spear phishing or from spoofing an internal email account. They can be prevented or detected via IT controls such as application-based multi-factor authentication (MFA) and virtual private networks (VPNs).
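The trick-domain scenario described earlier is one that a technical control can catch before a message ever reaches an accounts-payable inbox: a mail-flow rule that compares the sender's domain against the organisation's list of trusted vendor domains. The following is an added example, not ngCERT's code and not a tool the advisory names. It lower-cases and Unicode-normalises the sender domain, collapses a handful of common look-alike characters (digits for letters, "rn" for "m", Cyrillic letters for Latin ones), and then flags any domain that matches a trusted domain exactly after normalisation, differs from it by one edit, or embeds its name. The trusted-domain list, the confusable table and the sample addresses are all constructed for illustration; a real deployment would load the full Unicode confusables data and the vendor master file.

```python
# Added example (not part of the ngCERT advisory): flag sender domains that
# imitate a trusted domain by homoglyph substitution, a one-character edit, or
# by embedding the trusted name. The trusted-domain list, the confusable table
# and the sample addresses are constructed for illustration.
import unicodedata

# Small hand-picked table of look-alike substitutions (assumption: a real
# deployment would use the full Unicode confusables data).
CONFUSABLES = {
    "rn": "m", "vv": "w",          # two Latin letters that read as one
    "0": "o", "1": "l",            # digits standing in for letters
    "\u0131": "i",                 # dotless i
    "\u0430": "a", "\u0435": "e",  # Cyrillic a, e
    "\u043e": "o", "\u0441": "c",  # Cyrillic o, c
    "\u0440": "p",                 # Cyrillic r (looks like Latin p)
}


def normalize(domain: str) -> str:
    """Lower-case, drop accents and width variants, then collapse confusables."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for lookalike, plain in CONFUSABLES.items():
        d = d.replace(lookalike, plain)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 is the classic 'one character off' domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of 'Display Name <user@host>' or of a bare 'user@host'."""
    addr = address.strip().rstrip(">")
    return addr.rsplit("@", 1)[-1].strip().lower()


def assess_sender(address: str, trusted_domains):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    domain = sender_domain(address)
    trusted = [t.lower() for t in trusted_domains]
    if domain in trusted:
        return ("trusted", domain)
    nd = normalize(domain)
    for t in trusted:
        nt = normalize(t)
        label = nt.split(".")[0]  # e.g. 'acme' from 'acme.com'
        if nd == nt or levenshtein(nd, nt) == 1 or (len(label) >= 4 and label in nd):
            return ("lookalike", t)
    return ("unknown", None)


if __name__ == "__main__":
    TRUSTED = ["acme.com", "globalbank.ng"]  # constructed vendor list
    for sample in ["CFO <cfo@acme.com>", "cfo@acrne.com", "vendor@acme.co",
                   "billing@globa1bank.ng", "x@\u0430cme.com", "news@example.org"]:
        print(f"{sample:28} -> {assess_sender(sample, TRUSTED)}")
```

A "lookalike" verdict is a reason to quarantine the message or route it to a reviewer, not proof of fraud; an "unknown" verdict for a domain that is sending payment instructions is itself worth a call-back to the vendor through a number already on file.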
Another effective anti-BEC approach is to use encryption to authenticate emails and allow users to exchange data safely. Encryption software transforms the data into an encoded form for transmission over a network. The transmission is unintelligible without a 'public key' to decrypt the data.

Optimize accounting systems and controls

Now that most corporate financial transactions are digital, financial crime from cyber fraud is expected to reach epidemic levels. By mapping the existing workflow for wire transfers, organizations can analyse their processes to identify potential weaknesses and enhancement opportunities. One such enhancement is the enforcement of limits on the amount of money each executive can approve. Another is a formal authorization process for wire transfers, including a protocol for approvals when senior executives are the initiators of these transactions.
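The two accounting controls just described, per-executive approval limits and a separate approval protocol when a senior executive initiates the transfer, are most effective when the payment workflow checks them mechanically rather than relying on a clerk to remember them. The following is an added example, not ngCERT's code and not any product's API. It encodes the limits as data, refuses to count the initiator as an approver of their own request, and requires two independent approvers when the initiator holds a senior role. The roles, limits, names and sample requests are constructed, and the beneficiary-verification check is an added assumption that ties in the vendor-impersonation scenario above.

```python
# Added example (not part of the ngCERT advisory): a wire-transfer approval
# policy that enforces per-role approval limits, bars self-approval, and demands
# two independent approvers when a senior executive initiates the transfer.
# Roles, limits, names and requests are constructed for illustration.
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumption: the largest amount each role may sign off alone (organisation's currency).
APPROVAL_LIMITS = {"manager": 5_000, "director": 50_000, "cfo": 250_000}
SENIOR_ROLES = {"director", "cfo"}


@dataclass
class WireRequest:
    request_id: str
    amount: float
    initiator: str
    initiator_role: str
    beneficiary_verified: bool  # account details confirmed through a known contact
    approvals: List[Tuple[str, str]] = field(default_factory=list)  # (name, role)


def evaluate(req: WireRequest) -> Tuple[bool, List[str]]:
    """Apply every control and return (approved, list of failed controls)."""
    reasons = []
    # Control 1: the initiator never counts as an approver of their own request.
    approvers = [(n, r) for n, r in req.approvals if n != req.initiator]
    if len(approvers) != len(req.approvals):
        reasons.append("initiator cannot approve their own request")
    # Control 2: senior-executive initiators need two independent approvers, others one.
    needed = 2 if req.initiator_role in SENIOR_ROLES else 1
    if len(approvers) < needed:
        reasons.append(f"needs {needed} independent approver(s), has {len(approvers)}")
    # Control 3: the amount must be within the limit of the highest-ranked approver.
    limit = max((APPROVAL_LIMITS.get(r, 0) for _, r in approvers), default=0)
    if req.amount > limit:
        reasons.append(f"amount {req.amount:,.0f} exceeds approver limit {limit:,.0f}")
    # Control 4 (assumption): beneficiary details were verified out of band,
    # e.g. by calling the vendor on a number already on file.
    if not req.beneficiary_verified:
        reasons.append("beneficiary account not verified through a known contact")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed requests: a routine payment and an 'urgent' CFO-initiated one.
    routine = WireRequest("WR-1", 4_000, "ade", "manager", True, [("bola", "manager")])
    urgent = WireRequest("WR-2", 80_000, "chidi", "cfo", False,
                         [("chidi", "cfo"), ("bola", "director")])
    for r in (routine, urgent):
        print(r.request_id, evaluate(r))
```

Returning the full list of failed controls, rather than stopping at the first, matters for the compliance culture described earlier: the person who blocks a transfer can point to a written rule instead of having to challenge an executive on their own judgement, and the reasons can be logged for audit.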