BEC Scams On The Increase

Tony Mason
Microsoft 365 Security, Security Awareness & Phishing

BEC Scams & CEO Fraud

During the Gartner Security & Risk Management Summit this week it was reported that 2019 projects should include Incident Response, BEC Scams and Container Security.

This was swiftly followed by the news that a European subsidiary of Toyota lost more than £30 million following a business email compromise (BEC) scam. 

BEC, or CEO Fraud, is a scam in which cyber criminals spoof company email accounts and impersonate executives. They try to fool an employee in accounting or HR into sending money or giving out confidential tax information. In Toyota's case, it is hard to imagine how a single company could have lost so much money. Sadly, BEC fraud is worth billions and has now overtaken ransomware and data breaches in EMEA cyber insurance claims.

The size of the Toyota scam is alarming in itself. However, the consequences will be huge. Others will see how lucrative this type of scam can be. Cyber criminals will step up their BEC campaigns and new actors will be drawn into the field.

Staff Training & Processes

As a result, it's becoming ever more important that organisations apply security measures to their business practices. They must train staff to ensure they get third-party approval for any financial transaction. In addition, payment procedures must be introduced that require several people to sign off on a financial transaction.

Unfortunately, junior staff are in a position where they trust their managers and do as they are instructed. Processes must be put in place so that staff can, and indeed must, question requests from colleagues, managers or even suppliers.

Even with a multi-layered cyber security system, IT security tools are not infallible against human behaviour. Staff must be trained to be aware of the potential attacks. These can come in various forms: phone, email or even social media, and attackers will find the weak point in any business.

Javvad Malik, security awareness advocate at KnowBe4, advises that BEC is fundamentally based on socially engineering the victim into making the money transfer.

“The first step should be raising awareness amongst staff of these attacks. In particular, focus on those who work in finance or have the ability to set up new payments or amend existing ones.”

“Secondly, and perhaps more importantly, procedures need to be in place which prevent one user from being able to authorise or create a new payment. Rather, segregation of duties should be put in place whereby more than one user approval is needed to initiate payment. In addition, established and trusted mechanisms are required through which any requests can be queried.”

AI & DMARC

Other measures can also be put in place. Barracuda, who offer Sentinel, advise taking advantage of artificial intelligence. Look for AI-based tools that don't simply rely on looking for malicious links or attachments, as attackers are increasingly bypassing these tactics. They also recommend implementing DMARC authentication and reporting in your organisation. This can help stop domain spoofing and brand hijacking. They also suggest using multi-factor authentication in your organisation: passwords alone are no longer enough to keep cyber-attackers out.

Defensive measures against BEC scams

IC3 provides the following guidelines for employees containing both reactive measures and preventative strategies:

  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or PII in response to any emails.
  • Monitor personal financial accounts on a regular basis for irregularities, such as missing deposits.
  • Keep all software patched and all systems updated.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender's email address matches who the message claims to be from.
  • Ensure the settings on employees' computers are enabled to allow full email extensions to be viewed.
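Several of the checks above (sender address versus claimed identity, lookalike domain spellings) and the DMARC verdict mentioned earlier can be automated on the receiving side. The script below is an added example, not code from the post or from any of the vendors named; the organisation domain, the executive names and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"   # assumed: the organisation's own mail domain
EXEC_NAMES = {"jane doe"}    # assumed: display names attackers would impersonate

def _edit_distance(a, b):
    # Levenshtein distance, used to catch near-miss spellings such as examp1e.com
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_red_flags(raw_message):
    """Return the list of BEC red flags found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Executive display name, but the real address is outside the organisation
    if display.strip().lower() in EXEC_NAMES and domain != ORG_DOMAIN:
        flags.append(f"display name '{display}' but sender domain is {domain}")
    # Sender domain is a lookalike of the organisation's domain
    if domain != ORG_DOMAIN and 0 < _edit_distance(domain, ORG_DOMAIN) <= 2:
        flags.append(f"lookalike sender domain {domain}")
    # Reply-To silently redirects the conversation elsewhere
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr.lower():
        flags.append(f"Reply-To {reply_to} differs from From {addr}")
    # DMARC verdict recorded by the receiving mail server, if present
    if re.search(r"dmarc=fail", msg.get("Authentication-Results", ""), re.I):
        flags.append("DMARC failed at the receiving server")
    return flags

# Constructed sample: lookalike domain, impersonated executive, failed DMARC
SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: payments@webmail-free.example
Authentication-Results: mx.example.com; dmarc=fail header.from=examp1e.com
Subject: Urgent supplier payment

Please change the bank details for invoice 4471 today.
"""

if __name__ == "__main__":
    for flag in bec_red_flags(SAMPLE):
        print("RED FLAG:", flag)
```

Such a check is a filter aid, not a replacement for the out-of-band verification the guidelines call for.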

BEC fraud is on the increase because these highly lucrative attacks are succeeding, and they will continue to attract more groups willing to adopt their methods.

To add to this, KnowBe4 report that your email filters have a 10% failure rate.

Therefore you need a strong human firewall as your last line of defence.

KnowBe4 Recommend Eight Prevention Steps

Many steps must dovetail closely together as part of an effective prevention program:

  • Identify your high-risk users
  • Institute technical controls
  • Set a security policy
  • Develop standard procedures
  • Cyber-risk planning
  • Training for all users
  • Continuous simulated phishing
  • Stay aware of red flags

For more information see KnowBe4 Security Awareness Training