Business Email Compromise
12 minute read | Last updated 26-Aug-2019 | 
Cybercrime, Culture Change
Mornings With Mark no. 0197
Watch the episode on YouTube
Join the discussion on LinkedIn
Share on Twitter
Bad Robot Transcript
Morning, everybody. How you doing today on this episode of the show. We’re going to talk about how much money businesses are losing via email. So there’s a few reports here in Canada over the last couple weeks about emails targeting businesses designed to commit fraud to get money out of these businesses.
There was one in Saskatoon where they lost over $1000000 had there was a recent warning sent out by the OPP here and Ontario saying that these types of scams are on the rise and while it’s talked about in terms of email fraud as a scam what these articles are all describing with these warnings are all describing is called business email compromise and it’s a social engineering attack in this case.
The cybercriminals are using their wordsmithing skills to send emails that appear to be coming from Executives within companies most often in order to convince people to send money to the wrong account. So they’re trying to impersonate people to fraudulently. Hijack legitimate business processes. Now we see this scam in a few.
Variations and sometimes it’s CEO fraud or sea level fraud and sometimes if there is a account fraud there’s lawyer impersonation is a few other variants on this but all of them are the same at the end of the day, they are purely social and which is great. They’re not trying to take advantage of a hole in your cyber security posture.
But the challenge there is that that means that the defense is almost purely social there’s some technology out there which is wonderful that can help identify legitimate emails not from a span perspective, but from a Content perspective. I’m running it through machine learning models to know that I know this is my writing style and if somebody’s not using my writing style, it’s not me.
That’s great. But primarily as a defense here is human process in human education is one of the properties of cybercriminal will do a whole bunch of research and figure out a key people’s names within the organization really simple with LinkedIn and some Googling around the company’s domain name and then they’re going to basically go through a Pitch something along the lines of you don’t hey, it’s Joe from vendor XYZ.
I was talking to your CEO or CFO about an outstanding invoice. I assumed it must have gotten lost. It’s really urgent that get paid today. It’ll can you then send it to this updated account information right or the flip side of that where they will pretend to be the CEO and email you and say hey, it’s mr.
CEO or mr. CFO. This is absolutely Priority One urgent. I need this done immediately. The Joe’s whatever vendor on needs to be paid we’re behind on it. I don’t care why just needs to go live up to their account number send, you know x amount of money spent, you know, $100,000 to this account immediately and a lot of the time in actually works never seems kind of crazy, but think about in a large organization.
It’s not uncommon for there to be urgencies and sort of out of process things that need to happen for legitimate business reasons. Especially when it’s coming from up top someone lower down on the eye in the chain that sort of the secret here for the cybercriminals to figure out where down on the change of somebody have authority but it’s still sore Panic Enough by the the higher-ups at putting pressure on them to circumvent their normal process because normally in most organizations is a process for sending out money businesses are in business to make money.
So they normally don’t just send it out willy-nilly but this social engineering attack is using things like name-dropping pressure, you know that there’s an error somewhere that you’re making up four and you know, they put on that social acadis needs to get done right now. So you go outside of that normal processing again.
This is something that happens totally legitimately. So it’s not necessarily raising a lot of questions. So how do you defend against this because it seems like it’s just normal business pooping right besides using some technology like machine learning to make sure that if you’re getting an email for me, it’s actually me who is writing it you can make sure that for exceptional processes things that What side of the normal process of business that you Institute just some basic safety checks know it sounds weird.
You’ve already broken a process while you adding a new process in will the goal of going outside of the processes that make stuff happen quick. So the defense has to be fast in this defense is very very fast. If you get an email from anybody within the organization that’s requesting money be sent out of processed quickly pick up the phone and call get them on the phone.
Listen to their voice and get it authorized. If you have to get a text message from that person that you initiate to the known number now, I know text can be compromised but in missionary because it’s purely social engineering it’s a low likelihood that the cybercriminals have also compromised that person’s mobile phone as possible.
But it’s a little likelihood you can’t get them on the phone to talk about it. Then you can send them a text. I’m or some other basic thing like walk down the hallway and knock on the door and say hey I need to do this. Can you verify that? This is actually what? You want is the goal here is that you want to prevent the social engineering attack? We also want to make sure that business in the normal course is getting done in there can be circumstances.
Where are going out of processes of totally legitimate for the business turn to tell but it is a scam that took in over a billion dollars last year in the u.s. Alone. It’s highly effective and it works because it preys on a whole bunch of concerns and pressure and stress that exist in every workplace.
So remember criminals are making over billion dollars a year with a simple social engineering scam. It’s worth an extra phone call to make sure you don’t get caught keep on your toes. I’ll put some links in the description so that you can read up on this and there’s been a lot of great I research a from my main employer Trend Micro around business email compromise, you know, we’ve been monitoring for last few years.
It’s definitely something to be aware of and it’s great because it’s you can provide some education as a security minded professional as a security professional to your Executives to your Finance teams at with really simple steps. To help prevent this so that cybercriminals won’t be making a billion plus out of this every year, which is insane, but it’s the nature of business in the Modern Age.
Let me know what you think. Hit me up online at market and below zero on the blogs in the comments down below nose Always by email me at Mark and I hope your setup for fantastic day and we’ll see on the next episode of the show. Morning, everybody. How you doing today on this episode of the show.
We’re going to talk about how much money businesses are losing via email. So there’s a few reports here in Canada over the last couple weeks about emails targeting businesses designed to commit fraud to get money out of these businesses. There was one in Saskatoon where they lost over $1000000 had there was a recent warning sent out by the OPP here and Ontario saying that these types of scams are on the rise and while it’s talked about in terms of email fraud as a scam what these articles are all describing with these warnings are all describing is called business email compromise and it’s a social engineering attack in this case.
The cybercriminals are using their wordsmithing skills to send emails that appear to be coming from Executives within companies most often in order to convince people to send money to the wrong account. So they’re trying to impersonate people to fraudulently. Hijack legitimate business processes. Now we see this scam in a few.
Variations and sometimes it’s CEO fraud or sea level fraud and sometimes if there is a account fraud there’s lawyer impersonation is a few other variants on this but all of them are the same at the end of the day, they are purely social and which is great. They’re not trying to take advantage of a hole in your cyber security posture.
But the challenge there is that that means that the defense is almost purely social there’s some technology out there which is wonderful that can help identify legitimate emails not from a span perspective, but from a Content perspective. I’m running it through machine learning models to know that I know this is my writing style and if somebody’s not using my writing style, it’s not me.
That’s great. But primarily as a defense here is human process in human education is one of the properties of cybercriminal will do a whole bunch of research and figure out a key people’s names within the organization really simple with LinkedIn and some Googling around the company’s domain name and then they’re going to basically go through a Pitch something along the lines of you don’t hey, it’s Joe from vendor XYZ.
I was talking to your CEO or CFO about an outstanding invoice. I assumed it must have gotten lost. It’s really urgent that get paid today. It’ll can you then send it to this updated account information right or the flip side of that where they will pretend to be the CEO and email you and say hey, it’s mr.
CEO or mr. CFO. This is absolutely Priority One urgent. I need this done immediately. The Joe’s whatever vendor on needs to be paid we’re behind on it. I don’t care why just needs to go live up to their account number send, you know x amount of money spent, you know, $100,000 to this account immediately and a lot of the time in actually works never seems kind of crazy, but think about in a large organization.
It’s not uncommon for there to be urgencies and sort of out of process things that need to happen for legitimate business reasons. Especially when it’s coming from up top someone lower down on the eye in the chain that sort of the secret here for the cybercriminals to figure out where down on the change of somebody have authority but it’s still sore Panic Enough by the the higher-ups at putting pressure on them to circumvent their normal process because normally in most organizations is a process for sending out money businesses are in business to make money.
So they normally don’t just send it out willy-nilly but this social engineering attack is using things like name-dropping pressure, you know that there’s an error somewhere that you’re making up four and you know, they put on that social acadis needs to get done right now. So you go outside of that normal processing again.
This is something that happens totally legitimately. So it’s not necessarily raising a lot of questions. So how do you defend against this because it seems like it’s just normal business pooping right besides using some technology like machine learning to make sure that if you’re getting an email for me, it’s actually me who is writing it you can make sure that for exceptional processes things that What side of the normal process of business that you Institute just some basic safety checks know it sounds weird.
You’ve already broken a process while you adding a new process in will the goal of going outside of the processes that make stuff happen quick. So the defense has to be fast in this defense is very very fast. If you get an email from anybody within the organization that’s requesting money be sent out of processed quickly pick up the phone and call get them on the phone.
Listen to their voice and get it authorized. If you have to get a text message from that person that you initiate to the known number now, I know text can be compromised but in missionary because it’s purely social engineering it’s a low likelihood that the cybercriminals have also compromised that person’s mobile phone as possible.
But it’s a little likelihood you can’t get them on the phone to talk about it. Then you can send them a text. I’m or some other basic thing like walk down the hallway and knock on the door and say hey I need to do this. Can you verify that? This is actually what? You want is the goal here is that you want to prevent the social engineering attack? We also want to make sure that business in the normal course is getting done in there can be circumstances.
Where are going out of processes of totally legitimate for the business turn to tell but it is a scam that took in over a billion dollars last year in the u.s. Alone. It’s highly effective and it works because it preys on a whole bunch of concerns and pressure and stress that exist in every workplace.
So remember criminals are making over billion dollars a year with a simple social engineering scam. It’s worth an extra phone call to make sure you don’t get caught keep on your toes. I’ll put some links in the description so that you can read up on this and there’s been a lot of great I research a from my main employer Trend Micro around business email compromise, you know, we’ve been monitoring for last few years.
It’s definitely something to be aware of and it’s great because it’s you can provide some education as a security minded professional as a security professional to your Executives to your Finance teams at with really simple steps. To help prevent this so that cybercriminals won’t be making a billion plus out of this every year, which is insane, but it’s the nature of business in the Modern Age.
Let me know what you think. Hit me up online at market and below zero on the blogs in the comments down below nose Always by email me at Mark and I hope your setup for fantastic day and we’ll see on the next episode of the show.
