
Business Email Compromise

Cybercriminals don't always use complicated technical attacks to get around your cybersecurity. Sometimes—probably more often than we care to admit—it's the really simple stuff that works, and what's simpler than an email?


Watch this episode on YouTube.

Reasonably Accurate 🤖🧠 Transcript

Morning everybody. How are you doing today? On this episode of the show, we're gonna talk about how much money businesses are losing via email. There have been a few reports here in Canada over the last couple of weeks about emails targeting businesses, designed to commit fraud and get money out of these businesses. There was one in Saskatoon where they lost over a million dollars.

There was a recent warning sent out by the OPP here in Ontario saying that these types of scams are on the rise, and while it's talked about in terms of email fraud as a scam, what these articles and warnings are all describing is called business email compromise. And it's a social engineering attack.

In this case, the cyber criminals are using their wordsmithing skills to send emails that appear to be coming from executives within companies, most often in order to convince people to send money to the wrong accounts. So they're trying to impersonate people to fraudulently hijack legitimate business processes. Now, we see this scam in a few different variations.

Sometimes it's CEO fraud or C-level fraud. Sometimes there's account fraud, there's lawyer impersonation, there are a few other variants on this, but all of them are the same at the end of the day: they are purely social, which is great. They're not trying to take advantage of a hole in your cybersecurity posture.

But the challenge there is that that means the defense is almost purely social. There's some technology out there, which is wonderful, that can help identify legitimate emails, not from a spam perspective but from a content perspective, running it through machine learning models to know that this is my writing style, and if somebody's not using my writing style, it's not me. That's great.

But primarily the defense here is human process and human education, because what ends up happening is the cyber criminal will do a whole bunch of research and figure out key people's names within the organization. Really simple with LinkedIn, and some Googling around the company's domain name.

And then they're going to basically go through and pitch something along the lines of: "Hey, it's Joe from vendor XYZ. I was talking to your CEO or your CFO about an outstanding invoice. I assume it just must have gotten lost. It's really urgent that it gets paid today. Can you send it to this updated account information?" Or the flip side of that, where they will pretend to be the CEO and email you and say: "Hey, it's Mr. CEO or Mr. CFO. This is absolutely priority one, urgent. I need this done immediately. Joe's vendor needs to be paid, we're behind on it. I don't care why, it just needs to go. They've updated their account number, send X amount of money, send $100,000 to this account immediately." And a lot of the time it actually works. Now, that seems kind of crazy.

But think about a large organization: it's not uncommon for there to be urgencies and sort of out-of-process things that need to happen for legitimate business reasons, especially when it's coming from up top to someone lower down in the chain. And the secret here for the cyber criminals is to figure out where down the chain somebody has authority but is still panicked enough by the higher-ups putting pressure on them to circumvent their normal process, because normally, in most organizations, there's a process for sending out money. Businesses are in business to make money.

So they normally don't just send it out willy-nilly. But this social engineering attack is using things like name dropping, pressure, the idea that there's an error somewhere that you're making up for, and they put on that social "hey, this needs to get done right now."

So you go outside of that normal process. And again, this is something that happens totally legitimately, so it's not necessarily raising a lot of questions. So how do you defend against this? Because it seems like it's just normal business, right? Well, besides using anti-spoofing technology like machine learning to make sure that if you're getting an email from me, it's actually me who's writing it,

you can make sure that for exceptional processes, things that go outside of the normal process of business, you institute just some basic safety checks. Now, that sounds weird. You've already broken a process, why are you adding a new process in? Well, the goal of going outside of the process is to make stuff happen quick.

So the defense has to be fast, and this defense is very, very fast. If you get an email from anybody within the organization that's requesting money be sent out of process quickly, pick up the phone and call them, get them on the phone, listen to their voice and get it authorized.

Or, if you have to, get a text message from that person that you initiate to their known number. Now, I know text can be compromised. But in this scenario, because it's purely social engineering, it's a low likelihood that the cyber criminals have also compromised that person's mobile phone. It's possible, but it's a low likelihood.

So if you can't get them on the phone to talk about it, then you can send them a text, or some other basic thing like walk down the hallway, knock on the door and say, "Hey, I need to do this. Can you verify that this is actually what you want?"

Because the goal here is that you want to prevent the social engineering attack, but you also want to make sure that business in the normal course is getting done, and there can be circumstances where going out of process is totally legitimate for the business. It's hard to tell, but it is a scam that took in over a billion dollars last year in the US alone.

It's highly effective, and it works because it preys on a whole bunch of concerns and pressure and stress that exist in every workplace. So remember, criminals are making over a billion dollars a year with this simple social engineering scam. It's worth an extra phone call to make sure you don't get caught.

Keep on your toes. I'll put some links in the description so that you can read up on this. There's been a lot of great research from my main employer, Trend Micro, around business email compromise. We've been monitoring it for the last few years. It's definitely something to be aware of, and it's great because you can provide some education, as a security-minded professional, to your executives and to your finance teams,

with really simple steps to help prevent this, so that cyber criminals won't be making a billion plus out of this every year, which is insane. But it's the nature of business in the modern age. Let me know what you think. Hit me up online @marknca, for those of you on the vlogs in the comments down below, or as always by email at markn.ca.

Hope you're set up for a fantastic day and we'll see you on the next episode of the show.
