https://audit.guru
Business Email Compromise: A Symptom, Not a Cause
Niloufer Tamboly
Disclaimer
The views expressed in this presentation and during the session are my personal opinions and do not reflect the
official policy or position of my employers.
This is my effort to contribute to the profession and pay forward the many kindnesses and instances of support
and guidance that I have received in the course of my career.
#payitforward
Strategies for Mitigation
Niloufer Tamboly
👩💻 Work - Principal, Verizon (Cybersecurity)
🧑🏫 Lecturer Rutgers University – 401 level class
🎓 Education MBA in Security Assurance
🔖 Certifications CISSP, CPA, CISA, CFE, CIA, CDPSE, Open FAIR
🔔 Patents - Establishing An Alternate Call Path Using Short-Range Wireless Technology; System For And Method of Generating Visual Passwords
🤝 Volunteer - Cofounder - Step Up Skill and ISC2 New Jersey Chapter
🤝 Owner – Audit Guru https://audit.guru
Financial losses and impact on businesses
Source: FBI's Internet Crime Report 2023
BEC #7 by number of complaints
Source: FBI's Internet Crime Report 2023
BEC #2 by amount of money lost reported ($2.9 billion)
What is business email compromise?
Is it phishing?
Is it social engineering?
Is it vishing?
Inadequate Controls is the Core Issue
Incidents occur not because of the sophistication of the attackers but due to vulnerabilities in an organization's internal controls and processes.
Addressing BEC effectively requires understanding and strengthening these underlying weaknesses rather than merely reacting to individual fraud attempts.
The Financial Fraud Kill Chain (FFKC)
The Financial Fraud Kill Chain (FFKC) is a framework that describes the different stages of a financial fraud attack. These stages typically include reconnaissance, initial compromise, account takeover, fraudulent activity, and extraction of funds. By understanding the FFKC, organizations can better identify and mitigate the risks associated with Business Email Compromise (BEC) attacks.
Source: FBI's Internet Crime Report 2023
This mirrors Lockheed Martin's Cyber Kill Chain, which is divided into seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives.
Initial Reconnaissance
The fraudster gathers information about the targeted organization and its employees. This can include identifying key personnel, learning their communication patterns, and identifying potential vulnerabilities in the organization's security. It is important for organizations to remain vigilant and implement security measures to prevent unauthorized access to sensitive information.
Initial Compromise
In this stage, the fraudster gains unauthorized access to the organization's systems or accounts through various means such as phishing, social engineering, or malware attacks. This stage is critical as it allows the fraudster to establish a foothold and set the stage for further fraudulent activity. Organizations must prioritize strong cybersecurity practices and regularly update their defense mechanisms to prevent initial compromise.
Account Takeover
Once the fraudster has access to an employee's account, they can monitor communication lines and learn more about the organization's business processes. This allows them to identify financial transactions that they can target with fraudulent requests. It is important for organizations to educate their employees on the signs of an account takeover and to implement two-factor authentication to prevent unauthorized access.
Fraudulent Activity and Extraction of Funds
During the fraudulent activity stage, the fraudster begins to execute their schemes, which may involve manipulating financial transactions or redirecting funds to their own accounts. They may also attempt to cover their tracks by deleting or altering evidence of their activities. This stage can result in significant financial loss for organizations if not detected and stopped in a timely manner. Therefore, it is crucial for organizations to continuously monitor their financial systems and implement strong controls to detect and prevent fraudulent activity.
Phishing and Social Engineering are threat vectors
• Email Spoofing: Attackers spoof email addresses to appear as someone else.
• Deceptive Phishing: Lures victims to fake websites to steal personal information.
• Pretexting: Creating a fabricated scenario to obtain sensitive data from victims.
Impersonation and Spoofing
Impersonation involves posing as a trusted entity to deceive targets, gaining their trust and persuading them to take action.
Spoofing, on the other hand, manipulates data to appear as if it's coming from a trusted source, often used in email headers.
Tactics used in BEC
Phishing Emails: Criminals send deceptive emails to trick recipients into revealing sensitive information.
CEO Fraud: Cybercriminals impersonate corporate executives to request funds transfers or sensitive data from employees.
Vendor Email Compromise: Hackers gain access to a vendor's email and use it to request fraudulent payments or change of bank account information.
Email Account Compromise: Criminals gain unauthorized access to an employee's email account to launch fraudulent activities.
Recognizing the signs of a potential BEC attack
Phishing Emails: Be wary of unexpected emails requesting sensitive information.
Suspicious Attachments: Avoid opening attachments from unknown or unverified sources.
Fake Domain Names: Double-check domain names for subtle misspellings or variations.
Fake Invoices or Payment Requests: Verify the authenticity of requests for money transfers or payments.
Warning Signs!
• Urgency of Request
• Different Domains
• Out of Contact
• Language and Grammar
• Multiple Emails
• Incorrect Context
• Secrecy
Strategies for Recovery
Incident Response and Reporting Procedures
Identify the Incident: Quickly recognize and verify the nature of the security breach.
Contain and Mitigate: Isolate affected systems and limit the damage from spreading.
Report to Authorities: Notify law enforcement and relevant regulatory bodies as required.
If money is sent by wire transfer
Step 1 - Contact the bank for reversal
It is important to act quickly and notify the bank as soon as possible if money has been sent by wire transfer in a BEC attack. Many banks have specific procedures in place to handle fraud cases, and they may be able to reverse the transaction if it is reported promptly. Provide them with all the relevant details and documentation to assist with the investigation and potential recovery of funds.
Step 2 - File a complaint with www.ic3.gov
In addition to contacting the bank, it is crucial to report the BEC attack to the Internet Crime Complaint Center (IC3). IC3 serves as a central hub for receiving, developing, and referring cybercrime complaints. Filing a complaint with IC3 can help law enforcement agencies in their investigations and contribute to the overall effort of combating financial fraud. Provide them with accurate and detailed information about the incident to assist in their efforts.
IC3 Recovery Asset Team
Source: FBI's Internet Crime Report 2023
RAT (Recovery Asset Team) Successes
Strategies for Mitigation
How is payment typically approved?
Payment is typically approved through a multi-step process that involves verifying the authenticity of the request, confirming the recipient's identity, and obtaining the necessary approvals from authorized personnel.
Organizations may set up internal controls and procedures to ensure that payment approvals follow a predefined workflow, involving multiple stakeholders who review and authorize the payment.
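The approval workflow described above, written out as control logic: authenticate the request against the vendor master file, accept a changed bank account only after a callback to the number of record, and require approvals from authorized staff other than the requester (two above a threshold). This is an added example, not code from the presentation; the vendor record, approver names and threshold are constructed assumptions.

```python
"""Added example of the payment-approval controls the slide describes:
authenticate the request, confirm the payee's bank details through a
trusted channel, and collect approvals from authorized staff. Vendor
data, thresholds and approver names are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Optional

APPROVERS = {"alice", "bob", "carol"}  # assumed list of authorized approvers
DUAL_APPROVAL_THRESHOLD = 10_000       # assumed: two approvers at or above this

@dataclass(frozen=True)
class Vendor:
    name: str
    bank_account: str    # account of record, captured at onboarding
    callback_phone: str  # number of record, never one supplied in an email

@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    bank_account: str    # account the request asks to pay
    requested_by: str
    approvals: set = field(default_factory=set)
    change_confirmed_on: Optional[str] = None  # phone used to confirm a bank change

def review(req: PaymentRequest, vendors: dict) -> list:
    """Return the control failures for a request; an empty list means release."""
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return ["vendor is not in the master file"]
    issues = []
    # A changed account is accepted only after a callback to the number of record,
    # never to a number taken from the request itself.
    if req.bank_account != vendor.bank_account and req.change_confirmed_on != vendor.callback_phone:
        issues.append("bank account differs from record and was not confirmed by callback")
    unauthorized = req.approvals - APPROVERS
    if unauthorized:
        issues.append(f"unauthorized approver(s): {sorted(unauthorized)}")
    if req.requested_by in req.approvals:
        issues.append("requester cannot approve their own payment")
    # Segregation of duties: only authorized approvers other than the requester count.
    valid = (req.approvals & APPROVERS) - {req.requested_by}
    needed = 2 if req.amount >= DUAL_APPROVAL_THRESHOLD else 1
    if len(valid) < needed:
        issues.append(f"{needed} approval(s) required, {len(valid)} present")
    return issues

# Constructed vendor master file.
VENDORS = {"Vendor Supply Co": Vendor("Vendor Supply Co", "DE00-1111", "+1-555-0100")}

def release_payment(req: PaymentRequest, vendors=VENDORS) -> bool:
    return not review(req, vendors)

if __name__ == "__main__":
    # Scenario: a "new bank details" request, as in vendor email compromise.
    req = PaymentRequest("Vendor Supply Co", 25_000, "GB00-9999", "dave", {"alice"})
    print(review(req, VENDORS))   # two failures: unconfirmed change, one approval short
    req.change_confirmed_on = "+1-555-0100"   # callback to the number of record
    req.approvals.add("bob")
    print(release_payment(req))   # True
```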
Best practices for preventing BEC
• Register all similar domain names that can be used for spoofing attacks.
• Implement strict validation procedures for financial transactions.
• Enforce multi-factor authentication for sensitive transactions and data access.
• Regularly update and monitor email security software and protocols.
BEC prevention contd.
• Create rules that flag and delineate emails received from unknown domains.
• Monitor and/or restrict the creation of new email rules within the email server environment.
• Conduct BEC drills, similar to anti-phishing exercises.
• Educate employees, clients, and vendors to:
  • Authenticate all financial transactions through dual-factor authentication.
  • Confirm all payment method changes using trusted and authenticated information.
  • Learn the habits of those with whom they conduct financial transactions.
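The rule above that flags mail from unknown domains, together with the earlier warning signs (fake domain names, different domains, urgency, secrecy, bank-detail changes), as a small triage check over one inbound message. This is an added example rather than the presentation's own tooling; the trusted-domain list, keyword lists, distance threshold and sample message are constructed assumptions.

```python
"""Added example: flag the BEC warning signs the slides list on one inbound
message. Trusted domains, keyword lists and the sample are assumptions."""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"acme-corp.example", "vendor-supply.example"}  # assumed
URGENT_WORDS = ("urgent", "immediately", "today", "asap")
SECRECY_WORDS = ("confidential", "do not discuss", "between us")
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalize(domain: str) -> str:
    """Fold common look-alike substitutions so 'acrne' compares like 'acme'."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain: str, trusted=TRUSTED_DOMAINS):
    """Return ('trusted'|'lookalike'|'unknown', closest trusted domain or None)."""
    d = domain.lower()
    if d in trusted:
        return "trusted", d
    # Only non-identical domains get here, so a homoglyph swap (distance 0) is a look-alike.
    dist, near = min(((edit_distance(normalize(d), normalize(t)), t) for t in trusted),
                     default=(None, None))
    if dist is not None and dist <= 2:  # threshold is an assumption; tune for domain length
        return "lookalike", near
    return "unknown", None

def domain_of(header: str) -> str:
    return parseaddr(header)[1].rpartition("@")[2].lower()

def analyze(raw: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the warning signs found in one RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(msg.get("From", ""))
    kind, near = classify_domain(from_dom, trusted)
    if kind == "lookalike":
        flags.append(f"lookalike domain: {from_dom} resembles {near}")
    elif kind == "unknown":
        flags.append(f"unknown domain: {from_dom}")
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to mismatch: {reply_dom} != {from_dom}")
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(w in text for w in URGENT_WORDS):
        flags.append("urgency")
    if any(w in text for w in SECRECY_WORDS):
        flags.append("secrecy")
    if "bank" in text and ("change" in text or "new account" in text):
        flags.append("bank detail change")
    return flags

# Constructed sample: CEO-fraud style request sent from a look-alike domain.
SAMPLE_MESSAGE = """From: "CFO" <cfo@acrne-corp.example>
Reply-To: cfo@mail-relay.example
Subject: Wire needed today

Please change the vendor bank account to the new one below and pay now.
Keep this confidential until I am back from travel.
"""
```

Running `analyze(SAMPLE_MESSAGE)` returns five flags: the look-alike From domain, the Reply-To mismatch, urgency, secrecy and a bank-detail change.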
Employee Training and Awareness Programs
Cybersecurity Awareness Training: Interactive training sessions to educate employees about online threats and best practices.
BEC / Phishing Simulation Training: Simulated BEC and phishing attacks to help employees recognize and respond to malicious emails.
Implementing Email Security Measures
• Employee Training: Regular training sessions on identifying phishing emails and BEC tactics.
• Advanced Threat Protection: Implement advanced email security solutions to detect and prevent sophisticated attacks.
• Real-time Monitoring: Utilize tools for real-time monitoring of email traffic and suspicious activities.
Multi-factor Authentication
Multi-factor authentication adds an extra layer of security by requiring the user to provide two or more verification factors to gain access.
Legal and Regulatory Considerations
Compliance: Adhering to industry-specific regulations and laws regarding data protection and privacy, such as Privacy Laws and HIPAA.
Contractual Obligations: Reviewing and updating contracts to include provisions for addressing BEC incidents and liabilities.
Reporting Requirements: Understanding the legal obligations for reporting BEC incidents to regulatory authorities and law enforcement.
International Jurisdiction: Considerations for legal jurisdiction and enforcement in cross-border BEC cases involving multiple countries.
Collaborating with Law Enforcement
1. Information Sharing: Sharing relevant data with law enforcement agencies.
2. Joint Investigations: Coordinating efforts with law enforcement to investigate BEC cases.
3. Legal Support: Seeking legal guidance and support from law enforcement.
Conclusion and Key Takeaways
Stay Vigilant: Remain alert for unexpected requests for sensitive information.
Verify Identities: Double-check email addresses and confirm requests through other channels.
Implement Security Measures: Adopt multi-factor authentication and encryption for sensitive communications.
Educate Employees: Ensure all staff are trained to recognize and report potential BEC threats.
Let’s connect
https://linkedin.com/in/tamboly
https://audit.guru
