With employees now an organisation’s new perimeter, savvy cybercriminals have shifted their focus to social engineering attacks such as Business Email Compromise and Email Account Compromise – with businesses facing huge financial losses as a result. Adenike Cosgrove, Director of Cybersecurity Strategy for International at Proofpoint, tells us how organisations can use technology and training in tandem to prevent these types of attacks, enabling a true people-centric security model.
Let’s talk email risks – how much of a problem are BEC and EAC attacks?
Today’s threat landscape is fundamentally characterised by social engineering. We’ve see an almost 100% shift to criminals targeting individuals, socially engineering people to do something, whether that’s click on a link, download an attachment, enable macros to install malware or just sending a simple text email, pretending to be people in positions of authority and getting people to wire money or send data directly to the criminals.
Business Email Compromise (BEC) attacks have been dubbed one of cybersecurity’s most expensive threats.
In 2019, AIG, a cyber insurance company, stated that BEC overtook ransomware in terms of cyber insurance claims across the EMEA region, while in the US, the FBI stated that between June 2016 and July 2019, there were losses of more than US$26 billion to BEC and Email Attack Compromise (EAC) attacks.
Can you talk us through what these types of attacks entail?
BEC attacks are pure social engineering – there’s nothing to sandbox, no payload to analyse, no URL to click through. Typically, it’s an email that is pure text, coming from someone that we trust, either an executive or a supplier or someone we’ve done business with before. And it’s fundamentally trying to trick someone into sending money or data.
We see five key examples of BEC attacks:
- Gift carding. In this scenario, a criminal poses as an executive or supervisor with authority requesting assistance to purchase a gift card for staff or clients. The executive asks for serial numbers so they can email them out right away and are delivered straight to the criminal.
- Payroll re-direct. Criminals pretend to be executives and send an email to the HR department requesting to change or update direct deposit information from a legitimate employee bank account to the fraudster’s account or a pre-paid card account. The future salary will be paid directly into the criminal’s bank account.
- Supplier invoicing. Here, criminals impersonate a legitimate vendor your company regularly does business with and send an invoice. They claim to have new bank details which future invoices should be paid into. But again, that money is being sent directly to the cybercriminal.
- Mergers and acquisitions. Someone typically junior in finance receives an email from the CEO or the CFO stating there is an urgent acquisition and that the money is needed immediately so the acquisition can be closed.
- Shipping re-directs. Criminals send a phishing email to somebody within the organisation claiming to be a supplier whose shipping address has changed. But instead of sending it to your business partner or your customer, this results in goods being sent directly to the criminals, only to then be sold on the Dark Web.
I think it’s important to analyse these various techniques because, when we’re looking at the solution, the technique that the criminals are using will dictate the controls that we implement to ultimately identify and block these threats.
What are the key differences between BEC and EAC attacks?
Business Email Compromise refers to a scam that targets specific people in the organisation to ultimately steal money or data, with the criminals using the technique of spoofing to pretend to be an executive or supplier.
Email Account Compromise is highly sophisticated, where the attacker uses various techniques to ultimately get legitimate access to the email accounts. They steal credentials by guessing a password or sending a phishing email that, when the employee clicks on the link, they fill in their username and password, and have ultimately sent those details directly to the criminal.
In the case of EAC, there are almost always two victims – the person whose email account got compromised and the other person who falls for the fraudulent request from the compromised email account.
What impact has the shift to remote working had on the frequency of these types of attacks?
It’s a lot harder for employees to physically check with their colleagues whether they really did send an ‘urgent’ or ‘confidential’ email and with a large proportion of the workforce working from home, or flexible working, it’s causing disruption in business process.
In addition, with the reliance on cloud systems, for example, and new ways of working, you find that people are much more likely to react, because we’re in a heightened state of emotion. People are much more likely to click and engage with a threat before following internal processes.
Proofpoint research data shows that, since March 2020, more than 7,000 CEOs or executives have been impersonated, with the average number of CEO impersonation attacks now at 102.
Since the start of the pandemic, Proofpoint has blocked half a million Business Email Compromise attacks.
Remote working and the pandemic have really increased the threat that we all face and the risk to businesses, and that’s why now is the time to pay attention to BEC and EAC attacks.
Which controls can organisations consider implementing to thwart BEC and EAC attacks?
Criminals are leveraging a number of different techniques and tactics to try to trick us so we can’t assume that there is a silver bullet or that there is one control or one technology that’s going to solve this problem because there isn’t.
As with anything in security, it’s a layered approach – having a process and then of course making sure that our people are aware of the threats that are targeting them and that they ‘verify, verify, verify’.
With BEC, one of the things that you need to focus on first of all is the technology – block as much as possible from reaching your people.
Start by authenticating email and your domain. Implement industry authentication standards like DMARC that prevent criminals from spoofing your domain. Tell your suppliers to do the same thing. By having those layers this will ultimately protect the business, its suppliers and customers.
But we also need to educate our users themselves to identify BEC attacks. Show them the real-world examples and educate them on those threats that you’ve blocked. And embed them in part of your security controls, make it easy for them to report bad emails and reward them for doing so.
How important is a layered approach for preventing these types of attacks?
We need a layered approach to not only prevent BEC attacks but to be able to detect and respond to EAC attacks. For example, if you see that someone is logging in from Venezuela at 2am when they’re normally based in London and work 9am-5pm, you need to be able to remediate that. That’s unusual behaviour, potentially a compromised account and someone that we need to investigate. So, you need CASB solutions as well, that can detect those types of attacks.
How far do technology and education align to prevent these types of attack and should CIOs and CISOs prioritise one over the other?
Now that our people are working remotely, we can’t rely solely on network firewalls, IPS solutions or the layers we’ve put in the data centre because we’ve outsourced that data centre. Our people are our new perimeter.
It’s critical to train employees and ensure they’re aware that they’re under attack and to show them the actual threats that we block that are targeting them.
But I don’t think it’s either or – it’s both working in tandem. You want to make it easy for employees to alert you by pressing a simple button in Outlook which automatically sends the email to the SOC team.
They analyse that email using technology, sandbox the email to determine whether it is bad. They send an alert back to the employee.
Then they use technology to find those emails in other employees’ inboxes and pull those out automatically. That’s people, your employees, and technology, the automation and sandboxing, working together to protect the organisation.
How can organisations instil confidence in their employees to ensure that these incidents are reported?
In the past we had a tendency to shame the individual, even with the simulated phishing attacks that we send out to raise awareness.
We can’t victim blame or shame the individual – unless of course there is repeated behaviour – we need to make them feel safe. They are ultimately victims and we need to make it easy for them to report and reward them when they do identify a bad email.
There’s also gamification that you can bring into this to make it much more interesting and engage your employees.
What advice would you give those wishing to bolster their email defences?
Fundamentally, organisations need to focus on implementing a people-centric security programme. Your people are the new perimeter, at the core of cyberdefences and they are under attack by cybercriminals.
It’s important for CISOs and CIOs, and all security professionals, to understand the business as well as the criminals do. Understand who your very attacked people are, who’s being targeted with what, who’s getting credential phishing, who’s getting malware, who’s getting those Business Email Compromise attacks and who’s credentials are compromised?
Because based on that visibility into your very attacked people you can then build a security programme that’s tailored to your business and threat profile of your users. It’s not generic at all but is highly effective because it’s based on the risks that you face.
Protect your business, protect your suppliers, protect your employees and ultimately, by doing that, you’re protecting your data as well.