Business Email Compromise (BEC) attacks may not be as frequently encountered as phishing attacks but the losses to this type of attack are far greater. According to figures from the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3), $2.9 billion was lost last year to BEC attacks – The second most expensive type of cybercrime.
BEC attacks usually involve impersonation, with the attacker posing as a trusted individual. Contact is established and the scammer tricks the victim into divulging sensitive company information or transferring a large sum of money. For instance, the scammer may pose as a contractor and request that bank details are changed for an upcoming payment. The scam is not usually detected until after the transfer has been made and the funds have been withdrawn from the attacker-controlled account.
BEC attacks can be difficult for email security solutions to identify, as the emails are often sent from a known and trusted email account that has been compromised in a phishing attack. BEC scammers research their targets and may have access to past conversations between the victim and the person they are impersonating and can therefore disclose information from past conversations in email exchanges to convince the target that they are who they claim they are. The scams may also be spread across multiple emails, with trust building during the exchanges.
One of the latest BEC campaigns to be identified involves the impersonation of U.S. government entities, such as the U.S. Department of Transportation, Department of Agriculture, and Small Business Association. Initial contact is made via email and a PDF attachment is sent that includes a QR code, which has links about fake bidding processes. The targeted individual is told to use the QR code to find out more information about the bidding process.
The PDF file explains that the QR code is included as complaints have been received that the bid button in the email does not work with some browsers and that the QR code will direct them to a document that should be downloaded as it is required to submit a bid. The emails and the PDF are crafted to appear to have been sent by the spoofed organization, and the website to which the user is directed resembles the official portal used by the spoofed government agency.
If the QR code is scanned, the user will be directed to a phishing site where they will be required to enter their Office 365 credentials, which will provide the attacker with access to their email account. Once access has been gained, the scammers can proceed to the next phase of the attack. They search the email account for messages related to banking or finance and use that information for their BEC attack and send messages to contacts that include fraudulent invoices or payment requests. The emails are sent from a trusted account, so the emails will likely be delivered and there is a good chance that the attack will be successful.
Security awareness training can help to raise awareness of the threat of these attacks with individuals involved in financial transactions in a company, and policies should be in place that require any requested change to banking information to be verified by phone using a previously verified phone number. It is also important to have an email security solution in place to block or flag potential BEC messages.
TitanHQ’s PhishTitan is an ideal choice. PhishTitan can identify and flag sophisticated phishing and BEC emails and can also read and follow the URLs encoded in QR codes. When a suspicious email is detected a banner is added to warn the user, and the emails can be auto-remediated and sent to the junk folder. PhishTitan improves Microsoft’s Office 365 spam filter. Independent tests by Virus Bulletin show the engine that powers T
itanHQ’s SpamTitan spam filter for Office 365 and the PhishTitan 0365 anti-phishing solution has a phishing catch rate of 99.914% with zero false positives. For every 80,000 emails received, PhishTitan identifies and blocks 20 unique, sophisticated phishing attempts that Microsoft’s top anti-phishing solution misses. The solution is also just a fraction of the cost of the average loss to a single BEC attack.
For more information about PhishTitan and how it can protect your business from advanced phishing and BEC attacks, give the TitanHQ team a call.