Email has moved into the center of communications. This is especially true within the business sector, seeing as The Radicati Group discovered that the average employee sends and receives 122 emails every day. This digital means of discussion is incredibly convenient and quick, but it is far from a perfect system.
A new form of cyber crime has been ravaging businesses and shaking confidence in email communications. Dubbed business email compromise (BEC), this malicious act involves hackers gaining access to a particular company email address in order to request fraudulent fund transfers.
What does BEC look like?
A BEC attack, like just about every other scam, generally starts with a lot of research. The hacker needs to know who is in charge of the money within an organization as well as the people this employee regularly communicates with over email. Once all the relevant information is gathered, the real work can begin. Actually accessing the intended email account can involve more sophisticated techniques including keylogger malware, or it can be a much simpler social engineering attack.
Although the end results are usually the same, Trend Micro researchers have observed several different types of BEC. The first involves a hacker using email to pose as a supplier, asking an employee at a separate company to send money for a fraudulent invoice. If a cyber criminal doesn't think staying outside the company will work, he or she might opt to leverage the email of a worker within the organization. One such case is the reverse of the first: using the compromised account of an internal employee, the hacker requests payment of bogus invoices from an outside company.
However, perhaps the most important BEC for the average worker to know about is CEO fraud. As the name would suggest, this is where the cyber criminal gains access to the email of an authoritative body – such as the CEO or other high-ranking official – and asks a lower employee to send a wire transfer to a fake account. People are often quick to please the higher-ups of their company, a level of loyalty cyber criminals are banking on.
Even the CIA is at risk of email compromise
The reason BEC is such a frightening concept is that it doesn't take a whole lot of technological knowledge. There are obviously more advanced techniques to access emails, but the hack of CIA Director John Brennan's AOL account shows that human error is incredibly easy to exploit.
The cyber criminal involved in this plot used a simple social engineering scheme to gain access to Brennan's email. By collecting data online about him, the hacker was able to fool Verizon into giving up personally identifiable information that would then be used to reset Brennan's AOL password.
This particular event culminated in the cyber criminal posting Social Security numbers and other information found in the account on Twitter. While this attack didn't directly involve fraudulent money transfer like a standard BEC scam, it shows just how easy it can be to gain access to a person's email. If the Director of the CIA can have his personal account compromised, who else is at risk?
What can the average administrator do to fight BEC?
Trend Micro recommends that company officials wishing to avoid BEC should begin by educating their employees. The only reason a hacker was able to gain access to Brennan's account was the fact that a Verizon employee gave the criminal the information he needed without adequately verifying who this person was. Workers need to know that hackers are willing to pose as someone else for a payday, and they need to stay vigilant to avoid a major financial catastrophe.
On a similar note, any transfer of funds that can be considered out of the ordinary – such as a change in account information from the other party – should be confirmed through a secondary mode of communication outside of email. Preferably, this would take the form of an in-person meeting about the matter, but this obviously isn't possible in all cases. A phone call to a number that is already known to be correct (not one supplied in the suspicious email itself) is the next best option, as it at least allows the employee to judge whether the voice on the line belongs to the person they expect.
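The verification rule described above can be encoded in an accounts-payable workflow so that unusual requests are held for an out-of-band check. The following is an added example, not Trend Micro's code; the vendor records, executive mailbox list and threshold are constructed assumptions, and the phone number returned for the call always comes from the record on file, never from the email.

```python
"""Hypothetical screening of payment requests for BEC red flags.
Any flagged request is held until confirmed by phone to a number on file."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class VendorRecord:
    name: str
    bank_account: str
    known_phone: str  # verified previously; never taken from an email


@dataclass
class PaymentRequest:
    requester_email: str
    vendor: str
    bank_account: str
    amount: float
    callback_phone: Optional[str] = None  # number offered in the email; ignored


# Constructed: mailboxes whose requests follow the CEO-fraud pattern
EXECUTIVE_MAILBOXES = {"ceo@example.com", "cfo@example.com"}


def screen(req: PaymentRequest, vendors: Dict[str, VendorRecord],
           amount_threshold: float = 10_000.0) -> Tuple[bool, List[str], Optional[str]]:
    """Return (release_ok, reasons_to_hold, phone_on_file_to_call).

    A request is released only when nothing is out of the ordinary. Otherwise
    it is held, and the caller is told which known-good number to dial.
    """
    reasons: List[str] = []
    on_file = vendors.get(req.vendor)

    if on_file is None:
        reasons.append("vendor not on file")
    elif on_file.bank_account != req.bank_account:
        # The classic BEC tell: "please use our new bank details"
        reasons.append("bank account differs from record on file")

    if req.requester_email in EXECUTIVE_MAILBOXES:
        reasons.append("request originates from an executive mailbox")

    if req.amount >= amount_threshold:
        reasons.append(f"amount {req.amount:.2f} meets hold threshold")

    if reasons:
        # Deliberately NOT req.callback_phone: an attacker controls that value
        phone = on_file.known_phone if on_file else None
        return False, reasons, phone
    return True, [], None
```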