Threat Advisory: Recent Increase in BEC Activity

Executive Summary

• SBS CyberSecurity has seen an increase in the number of clients reporting suspicious business email compromise (BEC) phishing emails masquerading as secure email portals or, in some cases, vendor portals dating back to at least March 28.
• This recent uptick in activity further confirms industry reports that in the past 12 months, more than 93% of organizations encountered one or multiple forms of BEC attacks, while 62% were targeted by three or more variants during that time period.
• The most prevalent forms of BEC attacks are fraudulent invoicing, data theft, and corporate account takeover (CATO).
• BEC is an enormous issue for companies that frequently include PII and regulated data in emails, a habit that you may not even know is occurring until you suffer this type of attack.
• Focus on the effectiveness of your mitigating controls, such as multi-factor authentication (MFA). If properly implemented, MFA can stop ransomware and BEC attacks cold at the entry point.

Who Can Be Affected?

Anyone who sends and receives email.

How Does this Threat Work?

Business email compromise is a cyberattack method whereby attackers assume the digital identity of a trusted email account through phishing and social engineering to swindle employees or customers into taking the desired action. BEC often results in victims making a payment or purchasing readily transferrable items, sharing data, or divulging confidential information in response to an email from an attacker masquerading as someone they trust.

With the increased availability of automation through advances in AI, online marketing tools, and online translators, BEC attacks can be customized to attack the intended victim and adapt with relative ease and incredible speed.

According to the FBI’s IC3 2021 Internet Crime Report, BEC scams were the cybercrime type with the highest reported total victim losses last year.

Increased Probability

Over the past week, we have seen a visible increase in the number of clients reporting targeted phishing campaigns against their employees and institutions. Often these messages are encrypted messages, appearing to use legitimate encryption methods. For a few incidents, we have confirmed through industry contacts that the suspicious emails were indeed using compromised email accounts of legitimate employees.

What Can You Do?

Mitigate the Risk

Focus on the controls that will stop the BEC attack at some point during the incident and dramatically reduce cyber risk across the enterprise for most BEC attacks currently seen today. Such controls include:

1. Multi-factor authentication is the single greatest risk-mitigating control you can implement. Hackers can’t use your employees' stolen credentials without an MFA key once it’s turned on, which only your specific employee will possess via a token, authenticator application, or code sent to their cell phone through text message or call.
   1. SBS CyberSecurity recommends deploying the most secure implementation of MFA, which leverages a “soft” token in an authenticator application with number matching controls, due to SIM swapping attacks. Number matching in MFA requires a user to enter the number the authenticator app displays into the appropriate login screen. Number matching helps to mitigate “MFA fatigue,” where users receive a push notification from an authenticator app and accept the MFA blindly, without paying attention to whether or not they should accept the MFA push notification.
   2. Have you fully implemented MFA in your enterprise? Are you using an application or text messages-based solution? Is a user required to verify the code with a number match?
       
2. DMARC, DKIM, and SPF – These three email authentication techniques prevent unauthorized parties from sending emails on behalf of a domain or website address they do not own.
   1. DKIM and SPF can be likened to a license or certification displayed on the wall of a professional service provider - to demonstrate legitimacy.
   2. DMARC instructs mail servers on how to proceed when DKIM or SPF fail, whether that is flagging the failing emails as "spam," delivering the emails nevertheless, or dropping the emails altogether.
   3. Domains that have not set up SPF, DKIM, and DMARC correctly will not only find their emails quarantined as spam or are not delivered to their intended recipients, but are also in danger of having spammers impersonate them.
   4. What email authentication techniques have you implemented? What action is taken on failed emails?
       
3. Country code blocking on firewalls and cloud resources - The good news is that country code blocking is very simple. If you don’t do business with anyone living in a certain (or any) foreign country, simply block that country’s IP address range(s) in your firewalls, cloud deployments, and web application firewall (WAF).  Your IT staff can then make specific exceptions to IP addresses where workers are traveling to or are temporarily stationed.
   1. Country code blocking will mitigate most hacking attempts from any country that has no need to access your Internet-facing applications or systems. While some threat actors may use VPNs to get around country code blocking, it is a simple and easy-to-implement control that will save you from dealing with most threat actors.
   2. Do you know which countries your organization currently blocks? Is there a business reason for not blocking foreign IP addresses?
       
4. Email sandboxing - Email sandboxing filters all HTML and dynamic content in emails and only delivers messages with content deemed “safe” by the provider. When implemented with DKIM, SPF, and DMARC technologies, email sandboxing eliminates nearly 99% of all attacker phishing capabilities.
   1. Do you regularly receive emails with actionable links? Have you deployed email sandboxing controls to mitigate the risk of your users clicking on links or attachments?
       
5. Outbound email monitoring – Monitoring outbound email traffic for unexpected increases in activity is an effective method of detecting a possible compromised email account that is transmitting a mass amount of emails. A Key Risk Indicator is a logging metric that establishes the upper and lower bounds of “normal” on our network or client-server infrastructure. To measure a Key Risk Indicator, we must first know what ”normal” looks like in our environments before we can understand “abnormal.” When any of these metrics stray from what you have determined to be ‘normal,’ you have something that may indicate a compromise and thus a potential Indicator of Compromise (IoC).
   1. What is an abnormal number of outgoing emails in your organization look like? Would a spike trigger an investigation or go unnoticed?
       
6. Implement a framework that drives security culture - The final and best control to protect your network from an incident would be to create a culture of cybersecurity and implement a corresponding cybersecurity framework. Awareness of cybersecurity threats and attacks among all employees is critical, and testing employees’ awareness with phishing campaigns is the key to making training stick.
   1. What cybersecurity framework do you use to secure your organization?

Don’t Wait Until It’s Too Late!

It's best to treat ALL emails as phishing emails. If you receive an email that seems suspicious, tries to get you to take an action urgently, or is unexpected, it is best to reach out to that person directly. Call that person, text them, or stop by in person - never respond to the email directly.

Deploying the controls listed in this article will strengthen your cyber resiliency from phishing and BEC attacks. Take it from all the clients SBS has helped with active hacking incidents and our experience; it is much more economical and cost-effective to implement these recommendations today than it will be if you suffer an incident and are faced with the business decision of implementing these controls as a response to an emergency situation in addition to notifying your customers and dealing with the fall-out. An ounce of prevention is worth far more than a pound of cure!