Posts Tagged ‘Business Email Compromise’

What is a Business Email Compromise Attack?

Posted on: May 31st, 2021 by jiml | No Comments

What is a Business Email Compromise Attack?

Phishing emails have a purpose. That purpose is the get information which hackers can monetize or directly monetize their hack in the case of ransomware attacks. One of the more effective attacks is called a Business Email Compromise Attack. All managers and staff of any organization should know what this is and how to defend against it. Here is a common attack:

Hackers will send a phishing email that purports to come from one of the major email providers like Microsoft or Google. They know that if they send out a million emails, a good percentage of those targeted users will be running one of those email systems and therefore more likely to believe it is a legitimate email.  The email may state that you have unread emails in your quarantine, or that you need to reactivate your account. This is a lie. A link in the email will prompt the unsuspecting user for their email password which, when entered, is sent back to the hackers with your email address. Now the hackers have your email address and password. 

The first thing the hackers will do once they have this information is to go to www.office.com for mail.google.com and log into your account and download all of your email. They do this as quickly as possible so that they have all this information in case you or your IT staff discover the breach and change the password, locking them out. The hackers will scour your email and discern who the management is in your company, who the accounts payable people are, who sends you money, who you send invoices to and more.  They are looking for opportunities. 

The attack can go in two directions from here. If they have been locked out by now, they will use this information to spoof the email addresses of key people and as an example, send an email to the Accounts Payable person from the spoofed CFO address asking them to wire money to an account.  This is not a legitimate request obviously.  Or they may send an email to your customer asking them to send an ACH payment for fake services. Perhaps they will contact your payroll company and ask them to send a 1099 check for a contractor that doesn’t exist. The hackers will use whatever information they get from your downloaded email to craft attacks.

Notice that the people being targeted by the second email asking for payment had nothing to do with the breach.  It could have been a lower-level employee that was hacked but the Accounts Payable person is being targeted with a spoofed email that purports to be from a CFO or other C-level executive.

The other direction occurs if the hackers have not yet been locked out of the account they compromised.  In this case, once they determine their targets, they will set up email rules in the compromised person’s account that direct email from their target to them and then immediately deletes the email from the inbox. This way the hackers can have a direct conversation with their unsuspecting target without the compromised person even knowing.  Note that the hackers are sending email from a legitimate account and the target will have no way of knowing it is not legitimate.

In either case, it just takes a few moments of weakness from ANY employee to click on a link and enter their password.  The horse is out of the barn so-to-speak and there is no way to undo that act. Your business, your vendors, and your customers can expect to be targeted, sometimes for months or years into the future.

What can you do to prevent this type of attack?  There are two main deterrents. The first is user education.  Users should know to NEVER enter their password into a link in an email. It is important to have regular and repeated efforts to educate users on the risks and how they should respond to emails they are unsure of.  The second deterrent is multi-factor authentication. Having this enabled for your company email provides a second layer of protection so that in this scenario, when the hackers try to login with the stolen password, the user will receive a prompt to approve the login.  A properly trained user will notice that they did not try to login and deny the login. Note here, that an improperly trained user who just approves every prompt, will just allow the hackers in and the multi-factor authentication did nothing to stop the hackers.

Business email compromise attacks are devastating because the hackers can continue to attack for quite some time after the initial breach.  They can attack your customers and vendors which is not a good look for your organization. As Ben Franklin famously once said “An ounce of prevention is worth a pound of cure”. That is especially apt in the case of Business email compromise attacks.

Is your organization implementing the two deterrents mentioned above? Contact us today at (888) 600-4560 or via email at info@coldencompany.com to get started.