Recently we have seen a rise in the quantity and complexity of email impersonation attacks. This article will review the Business Email Compromise (BEC) attack and the steps you can take to protect your business.
What is business email compromise?
A business email compromise is when a hacker or other malicious actor gains access to an email account that belongs to an employee. Once the account is compromised, the hacker can read all email communications, send email as the employee, and delete messages, in many cases without the victim's knowledge.
How is business email compromised?
Business email compromise can occur for a variety of reasons. Here are the most common.
- The employee used an email password that was simple to guess, and the hacker found it with a brute force attack (automated trials of common or short passwords against the login page).
- An employee reused their company email password on a 3rd party website. The 3rd party website was breached, the password was sold on the dark web, and it was then tried against the company's email login.
- The employee is the victim of a phishing attack: a fake email, often imitating the email provider or a company login page, tricks them into entering their user name and password.
- The employee logs in to email over a compromised or untrusted network, and a hacker records the credentials.
Business email compromise example: the cousin domain attack
Your company has been doing business with a vendor you trust, whose domain is Companyllc.com. You just placed a large order, and it's time to pay the bill. Your finance department receives an email from Companylc.com (notice the missing letter) letting them know that the vendor's billing information has changed. The email looks identical to your recent communications, so the billing information is updated.
A few days later, you receive an email from Companyllc.com asking for payment. They are claiming the payment was never received, and they never changed any billing information.
You and your vendor have just been the victims of a BEC cousin domain attack.
How the BEC cousin domain exploit occurs:
At some point, hackers obtain access to an email account belonging to you, your vendor, or any 3rd party CC'd on the invoice. The hacker logs in to the compromised account, monitors all communications, and quietly waits.
When a large invoice is about to come due, the hacker registers a domain very similar to the one that is expecting the payment. From the new domain, the hacker impersonates the vendor and requests a change of payment method. Because the hacker's domain looks so much like your vendor's, the change is easy to miss, and the request arrives with the correct invoice details because the hacker has been reading the real thread.
Important: With a cousin domain attack, your business may not be the one that is compromised, but you can still be the victim because a vendor or a 3rd party is compromised.
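The missing-letter trick above can be caught mechanically: compare the domain of every inbound sender against a list of vendor domains you actually pay, and flag anything that is a near miss (one or two edits away) or that embeds a trusted domain inside a longer one. The following is an added example, not code from the original article; the vendor allowlist, the sample From headers and the edit-distance threshold are constructed assumptions for illustration.

```python
"""Look-alike (cousin) domain check for inbound sender addresses.

Added example; the trusted vendor list, the sample messages and the
distance threshold below are constructed for illustration.
"""
from email.utils import parseaddr

# Assumed allowlist of vendor domains that finance is authorised to pay.
TRUSTED_DOMAINS = {"companyllc.com", "example-bank.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract and normalise the domain from an RFC 5322 From header value."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS,
                    max_distance: int = 2) -> dict:
    """Return a verdict of 'trusted', 'lookalike' (with the domain it
    imitates) or 'unknown' for the sender of one message."""
    domain = sender_domain(header_value)
    if not domain:
        return {"domain": domain, "verdict": "unknown", "imitates": None}
    if domain in trusted:
        return {"domain": domain, "verdict": "trusted", "imitates": None}
    for t in trusted:
        # mail.companyllc.com is the vendor's own subdomain.
        if domain.endswith("." + t):
            return {"domain": domain, "verdict": "trusted", "imitates": None}
    for t in trusted:
        # companyllc.com.attacker.net or companyllc.com-invoices.net:
        # the trusted name is embedded in a domain the vendor does not own.
        if t in domain:
            return {"domain": domain, "verdict": "lookalike", "imitates": t}
    # A near miss (dropped, added or swapped letters, "rn" for "m") of a
    # trusted domain is what a cousin-domain attacker registers. Keep the
    # threshold small: on short domains a larger one produces false positives.
    best = min(trusted, key=lambda t: levenshtein(domain, t))
    if 0 < levenshtein(domain, best) <= max_distance:
        return {"domain": domain, "verdict": "lookalike", "imitates": best}
    return {"domain": domain, "verdict": "unknown", "imitates": None}


# Constructed sample From headers: genuine, cousin domain, unrelated.
SAMPLE_FROM_HEADERS = [
    "Accounts Payable <billing@companyllc.com>",
    "Accounts Payable <billing@companylc.com>",   # missing letter, as above
    "Newsletter <news@unrelated.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(header, "->", classify_sender(header))
```

Run this over the From header (and, separately, the Reply-To header, which attackers also point at the cousin domain) of messages that mention invoices or bank details, and route any `lookalike` verdict to a human before payment details are changed.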
Why hackers compromise business email:
The typical intention of the attacker is tricking their victims into:
- paying fake invoices, or authorizing fake money transfers to defraud your business;
- stealing sensitive data related to your business or your clients;
- clicking on hyperlinks that take over the victim's computer and/or steal user credentials, which are then used to compromise further accounts and facilitate fraud;
- opening a file attachment that installs ransomware on the victim's computer, which encrypts files across the victim's internal network and holds them for ransom.
How does business email compromise lead to ransomware?
Once the hacker has access to an employee's email, they can see the information, details, and communication style of everyone with whom the victim corresponds. The hacker can then craft an email that matches the style, design, and context of someone the victim respects or sees as an authority. With that borrowed authority and trust, the hacker can trick the victim into installing remote access tools and ransomware on the network.
Can a business email compromise be detected after the fact?
The type of email system the business uses determines what logs are available for a post-compromise investigation. For example, if the victim company uses Office 365 for email, detailed logs are kept of user logins (including when they happened and from where), and of which emails were sent and received.
Steps you can take to protect your business
- Multi-Factor Authentication (MFA) – Multi-factor authentication requires a 2nd form of authentication (for example a code from an authenticator app) when a user logs in to email from a new device, so a guessed, reused, or phished password is not enough on its own. Implementing MFA significantly reduces the chances of a compromise. Many modern email systems, such as Office 365, support easy and free setup of MFA.
- Employee Awareness Training – It is essential to educate all your staff on how to identify phishing/wire fraud. Consider requiring all your team to complete essential security awareness training on a scheduled basis.
- Verbal Verification – For an extra level of protection, verify any change to billing or payment details by phone with your vendor or client, using a phone number you already have on file rather than one provided in the email that requests the change.
- Cybersecurity Monitoring – Modern cybersecurity monitoring solutions detect compromised user accounts by watching login activity: logins from unusual geographic locations, a burst of failed logins followed by a success, or two logins from places too far apart to be the same person.
- Dark Web Monitoring – Monitor the dark web for information about your business, such as leaked employee credentials. If a password is discovered, reset it and review the account's recent login activity.
- Email Security Service – 3rd party security solutions can detect phishing, sender impersonation (including look-alike domains), and other attacks on the company email system.
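Both the post-compromise investigation described above and the login monitoring in this list come down to reading sign-in records and asking three questions: did a success come from a country this user has never used, was it preceded by a burst of failures, and was it followed too quickly by a login from somewhere else? The following is an added example, not code from the original article or from any product named in it. The records are constructed and use a deliberately simplified schema (user, time, result, ip, country); real Office 365 sign-in logs carry more fields under different names and must be mapped to this shape first.

```python
"""Three BEC indicators computed from sign-in records.

Added example. SIGNIN_LOG is constructed sample data in a simplified
schema, not the real Office 365 log format; REVIEW_CUTOFF separates the
baseline period from the period under review.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REVIEW_CUTOFF = "2024-03-06T00:00:00"   # assumed start of the review window

# Constructed records (RFC 5737 documentation IP ranges).
SIGNIN_LOG = [
    {"user": "alice@example.com", "time": "2024-03-04T08:02:00", "result": "success", "ip": "203.0.113.10", "country": "US"},
    {"user": "alice@example.com", "time": "2024-03-05T08:05:00", "result": "success", "ip": "203.0.113.10", "country": "US"},
    {"user": "bob@example.com",   "time": "2024-03-05T09:00:00", "result": "success", "ip": "203.0.113.20", "country": "US"},
    # password guessing: five failures then a success from a new country
    *[{"user": "alice@example.com", "time": f"2024-03-06T02:1{m}:00", "result": "failure", "ip": "198.51.100.7", "country": "NG"}
      for m in range(5)],
    {"user": "alice@example.com", "time": "2024-03-06T02:15:00", "result": "success", "ip": "198.51.100.7", "country": "NG"},
    # Alice's own login a few hours later: she cannot have travelled NG -> US
    {"user": "alice@example.com", "time": "2024-03-06T08:01:00", "result": "success", "ip": "203.0.113.10", "country": "US"},
    # Bob mistypes once and then logs in normally: not an alert
    {"user": "bob@example.com",   "time": "2024-03-06T09:00:00", "result": "failure", "ip": "203.0.113.20", "country": "US"},
    {"user": "bob@example.com",   "time": "2024-03-06T09:01:00", "result": "success", "ip": "203.0.113.20", "country": "US"},
]


def _ts(rec):
    return datetime.fromisoformat(rec["time"])


def _by_user(log, only_success=False):
    groups = defaultdict(list)
    for r in log:
        if not only_success or r["result"] == "success":
            groups[r["user"]].append(r)
    for recs in groups.values():
        recs.sort(key=_ts)
    return groups


def new_country_logins(log, cutoff):
    """Successful sign-ins after `cutoff` from a country the user never
    signed in from before `cutoff` (the user's baseline)."""
    cut = datetime.fromisoformat(cutoff)
    baseline = defaultdict(set)
    for r in log:
        if r["result"] == "success" and _ts(r) < cut:
            baseline[r["user"]].add(r["country"])
    return [r for r in log
            if r["result"] == "success" and _ts(r) >= cut
            and r["country"] not in baseline.get(r["user"], set())]


def password_guessing(log, min_failures=5, window=timedelta(minutes=15)):
    """A success preceded by at least `min_failures` failures for the same
    user inside `window`: the brute-force pattern succeeding."""
    alerts = []
    for user, recs in _by_user(log).items():
        for i, r in enumerate(recs):
            if r["result"] != "success":
                continue
            fails = [p for p in recs[:i]
                     if p["result"] == "failure" and _ts(r) - _ts(p) <= window]
            if len(fails) >= min_failures:
                alerts.append({"user": user, "time": r["time"], "ip": r["ip"],
                               "failures": len(fails)})
    return alerts


def impossible_travel(log, max_gap=timedelta(hours=6)):
    """Consecutive successes by one user from different countries within
    `max_gap`. A country change is a crude stand-in for distance; real
    tooling computes speed from geolocated coordinates."""
    alerts = []
    for user, recs in _by_user(log, only_success=True).items():
        for prev, cur in zip(recs, recs[1:]):
            gap = _ts(cur) - _ts(prev)
            if prev["country"] != cur["country"] and gap <= max_gap:
                alerts.append({"user": user, "from": prev["country"],
                               "to": cur["country"],
                               "gap_minutes": int(gap.total_seconds() // 60)})
    return alerts


def review(log, cutoff):
    """Run all three detectors and return their alerts keyed by indicator."""
    return {"new_country": new_country_logins(log, cutoff),
            "password_guessing": password_guessing(log),
            "impossible_travel": impossible_travel(log)}


if __name__ == "__main__":
    for name, alerts in review(SIGNIN_LOG, REVIEW_CUTOFF).items():
        print(name, alerts)
```

On the sample data all three indicators point at the same account and the same sign-in, which is the usual shape of a real compromise and is what makes correlating them worthwhile. Thresholds such as five failures in fifteen minutes and a six-hour travel window are starting points to tune against your own baseline, not fixed values.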
If you would like to implement additional security protection for your business, please contact us for a free business consultation.