April 2020 – Paul Wright authour of the Article in the Arabian Reseller Online Magazine "How Can Organisations Tackle Business Email Compromise?" https://bit.ly/3eeZqdP

1. How Can Organisations Tackle Business Email Compromise?
Business Email Compromise (BEC) attacks are sophisticated cybercrimes, targeting businesses that perform
wire-transfer payments. These schemes compromise official business email accounts to carry out
fraudulent money transfers. The 2019 Internet Crime Report, published by the FBI’s Internet Crime
Complaint Center (IC3), shows that email compromise fraud impacted a total of 20,373 victims and cost
victims USD 1.298 billion over a twelve-month period – the largest financial loss due to internet crime.
Such account takeovers show no signs of decelerating in 2020, with businesses suffering compromised
credentials, fraudulent money transfers, reputational damage and data loss. Because Microsoft Office 365
(O365) is one of the most popular email platforms, it is also one of the most phished. A multisystem
platform, O365 combines email, file storage, collaboration, and productivity applications, including
OneDrive and SharePoint. Together, they represent a honeypot of confidential and sensitive data that
attackers are looking to exploit.
Making money
BEC has been hugely profitable for cybercriminals, hence they may put time and effort into this method of
attack to seek rewards. In most instances, this may be achieved through a high volume of attacks against
poorly protected businesses and/or staff who may not recognise the tell-tale signs of a BEC attack.
Therefore, those at greatest risk are businesses who feel they may not be targeted and thus discount the
possibility of attack.
With unauthorised access, cybercriminals may seek out information on the types of instructions used by a
company for money transfers, electronic payments, or vendor invoicing. They may carry out other
reconnaissance, such as monitoring mailboxes, watching the dealings between targeted individuals, and
spotting details within their communications to understand the nuances required to effectively replicate a
genuine message.
Using an employee’s email account within the organisation, a cybercriminal can circumvent security such
as the monitoring of external emails for malicious threats. The compromised mailbox can have a plentiful
supply of emails that contain confidential and sensitive data, which means greater potential for profit or
blackmail for the cybercriminal echelon.
The inner workings of a BEC attack
In the first phase, the cybercriminal sends a phishing email, often requesting the employee use the link
provided to review a document. The link takes the employee to a website similar to or associated with
Microsoft Office 365 that requests his or her credentials. Once an employee provides credentials, the
cybercriminal can start to leverage access to the account to make money.
A multi-phase attack involves taking advantage of credentials to ultimately extract money or proprietary
information from a person and/or a business. For example, the attacker might first send an O365 phishing

2. email to harvest email credentials. Then, using the targeted O365 account, they will send an email to
another targeted person within the company who has the power to execute fraudulent payments.
The email recipient has no reason to suspect that it is not the genuine person/account who sent the email
requesting a fraudulent payment. There are many variants on the multi-phase attack. Equipped with a
legitimate account, the attacker can control multiple accounts laterally within the organisation, and spear
phish external stakeholders, business partners and vendors.
Both spear phishing and phishing attacks leverage impersonation to commit fraud. The difference between
the two is that spear phishing emails imitate people, while phishing emails imitate brands. Unlike phishing,
spear phishing targets a single individual, includes no links or attachments in the email, and typically
features a request for a fraudulent payment, or direct deposit change, rather than account credentials.
How to protect against BEC
One of the best ways to avoid BEC fraud is a multi-layered approach that includes an array of checks and
controls. Two of the most significant areas to focus on are training employees and email authentication
technology. An organisation’s employees are on the front line when it comes to defending against BEC
fraud, as preventing the initial point of compromise is critical. Therefore, they should be trained to
recognise the signs of email fraud through a regular and constantly updated training programme.
Employees need to be able to identify some common ways fraudsters use emails to gain access to business
email accounts. For example, the ‘spoofing’ of an email address, which can be the display name section,
before the ‘@’ symbol, and/or the domain name, after the “@’ symbol. In addition, they need to know the
make-up of traditional phishing techniques that are used to gain initial access to an email account.
While the above can help reduce the risk of a mailbox account being compromised, there’s no preventative
system that is fully secure. Therefore, it’s important for organisations to implement security features such
as multi-factor authentication or multi-layered security solutions to ensure they are protected in case of a
BEC fraud attempt.
Paul Wright
Senior Advisor Forensic Technology
Accuracy