Threat, Vulnerabilities and Mitigations: Business Email Compromise Flashcards
What is a BEC attack?
Targets typically are chief executive officers (CEOs), and human-resource (HR) and finance-department personnel. Often, the attacker poses as a business partner, vendor, or other trusted party, and sends a request for funds, bill payment, account numbers, or other sensitive data.
Here’s an article that details several BEC attacks: https://www.tessian.com/blog/business-email-compromise-bec-examples/.
What is the common BEC attack that steals personal data like names, account numbers and usernames?
As mentioned, there is the false-invoice scheme, but there are also other types:
Data compromise: Often targets human-resource departments, asking for sensitive information, which they often use in follow-up BEC attacks. Data they might ask for includes:
Names
Account numbers
Private numbers
Usernames and email addresses
Schedules
How can you exploit a company CEO to successfully accomplish a BEC attack?
Chief Executive Officer (CEO) fraud: Attackers hack or spoof a CEO's email account, and then request that an employee transfer money, purchase gift cards, or conduct a wire transfer.
How can you exploit an email account to successfully accomplish a BEC attack?
Email account compromise: Attackers typically target a finance manager or accounts-receivable manager, and then send invoices to clients and/or suppliers.
Why is using attorney information a powerful tool for a BEC attack?
Attorney impersonation: Attackers gain access to the email account of a lawyer or law firm, and then send invoices to clients via email. Recipients often pay these, as they assume their attorney or law firm is legitimate.
How do attackers pull off these attacks?
Research: they typically do extensive research on their targets, using organizational charts, researching business partners, and reviewing vendor lists.
Build infrastructure: they establish infrastructure that includes fake websites and registered domain names.
Gain access to a person or organization using phishing and social-engineering attacks through email, phone, and text messages.
Watch and learn: they study how, when, and where a target sends or receives money. They try to discover the pattern of their target’s money flow.
Attack: after gaining the target's trust, they exploit their knowledge of the money flow to request a money transfer.
How can you protect yourself against BEC?
Protect against BEC
There are several steps you can take to protect against BEC, including:
Using secure email systems and spam filters.
Enabling multi-factor authentication (MFA) for logins.
Conducting end-user security-awareness training.
Using authorized sender systems, including:
Sender Policy Framework (SPF).
DomainKeys Identified Mail (DKIM).
Domain-based Message Authentication, Reporting & Conformance (DMARC). (Note: involves encryption and certificates.)
Avoiding the use of email-based invoice systems. (Note: use a SaaS-based email service.)