According to the FBI, business email compromises (BECs) were the most economically damaging cybercrimes of 2019, responsible for more than $1.7 billion in losses. And companies may feel a very keen sting indeed from just one BEC: In just the past six months, Toyota lost $37 million, Nikkei lost $29 million, and even a Texas school district was smacked with $2.3 million.
While some of the attacks use server or account exploits as a vector, most depend on a human being on the victim's side to open the door for the criminal to enter.
The human factor means there are multiple things to consider when it comes to defense plans. The question for many organizations is how to balance human factors and technology when figuring out how best to allocate dollars to cyber defense.
You can start by avoiding these common mistakes.
Underestimating the Challenges at the Front Line
The front line in the BEC battle is in front of the keyboard. "Staff needs to be educated against the threat of BEC scams and have practiced using a defined process to respond to suspected BEC scams and other social engineering attempts," says Richard Gold, head of security engineering at Digital Shadows.
"The employee remains the last measure of protection or the last stand against BEC attacks for many organizations when all other security measures fail," says Mark Chaplin, principal at the Information Security Forum.
And that last measure is under attack from more than just criminal organizations.
"Work deadlines, family commitments, and personal biases represent just some of the factors that can prevent an individual from applying the necessary caution before acting on a contaminated email," Chaplin explains.
The stresses he mentions, and many others, are concerning because criminals have developed considerable expertise in exploiting their victims' weaknesses.
"Criminals have become more sophisticated by considering the psychological aspects of an attack," Gold says. "This has resulted in the most skilled, qualified, and security-aware employees falling for a well-crafted, targeted attack."
That attack increasingly will use a vector that too many organizations fail to address in training.
Overlooking a Key Attack Vector
"While many organizations have implemented cybersecurity training with an emphasis on email — training users to identify phishing attacks — most efforts focus entirely on desktop email clients where users can easily check for phishing indicators," says Chris Hazelton, director of security solutions at Lookout. "It's with mobile email where this training falls short, both in focus and application." He says that most of the indicators of phishing don't really exist on mobile email clients, which tend to obscure full email addresses and limit the ability to preview hyperlinks.
These training gaps and technology weaknesses are allowing attackers to use BECs as the front end of attacks that have economic repercussions now and later.
"We're seeing the attackers gain access to the mail system and then wait. They're inside the system, and the dwell times we're seeing is a minimum of six to seven months before they actually initiate the attack," says Tom Arnold, co-founder, vice president, and head of Forensics at Payment Software Company, part of NCC Group. "They're actually mapping out what this organization looks like, and they're looking at the internal organization much the same way you or I would map networks and figure out which machines do what."
Insufficient Authentication Measures
BEC attacks can take several forms, but for many cybersecurity experts there's a single point at which many can be stopped: authenticating the user or process that tries to access network assets.
"BEC scams, similar to identity theft scams, rest on insufficient authentication of the people or organizations involved in a financial transaction. Any financial transactions that involve large sums must use strong authentication mechanisms in order to prevent losses," says Digital Shadows' Gold. For Gold, as for many others, enhanced authentication is one of the technological foundations of anti-BEC strategy.
Multifactor authentication could help companies defend against the very carefully crafted attacks that many criminals use as springboards to comprehensive campaigns.
"The majority of the attacks we've seen have been attacks to try to obtain credentials, and once they have credentials, they log in and begin masquerading as users," Arnold says. "And to a large extent, they log in and just monitor what's going on to figure out how to craft their continuing attacks."
And while multifactor authentication can add friction to every transaction in which it's employed, not every employee transaction is equally sensitive.
"Add multifactor authentication to critical and sensitive financial applications to prevent unauthorized access by criminal groups," says James McQuiggan, security awareness advocate at KnowBe4. "At a process level, add multilevel or tiered authorization requirements for various dollar amounts before allowing employees to send money."
The additional authorization with multifactor authentication, he says, can prevent a single person from approving or sending large amounts to a vendor (or criminal).
"A lot of people would sort of yawn at BECs — they're not sophisticated," says Arnold. "It's not like an APT group coming in from China or something like that. It's really not super-sophisticated, but then again, it's very, very lucrative."
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio