2. Protecting Your Users Against Email Spoofing and Phishing | Brian Reid | 10:45 21st June 2017
Follow us:
#O365ENGAGE17
Brian Reid | NBConsult
• Microsoft Office Servers and Services MVP
• Exchange Server Microsoft Certified Master
• brian@nbconsult.co
3. “There are two kinds of big companies, those who’ve been hacked, and those who don’t know they’ve been hacked.”
James Comey, “Ex” Director FBI
4. Wall Street Journal, JP Mo
White House, Yahoo, RSA
Microsoft, Google, Apple,
Facebook, Sony, Target,
Heartland, eBay, TalkTalk,
ICANN, Home Depot, Vtec
Carphone Warehouse, UP
Dropbox, LinkedIn, Repub
struggling
5. THE EVOLUTION OF ATTACKS (Volume and Impact)
• 2003-2004: Script Kiddies (BLASTER, SLAMMER). Motive: Mischief
7. THE EVOLUTION OF ATTACKS
• 2003-2004: Script Kiddies (BLASTER, SLAMMER). Motive: Mischief
• 2005-Present: Organized Crime (RANSOMWARE, CLICK-FRAUD, IDENTITY THEFT). Motive: Profit
• 2012-Beyond: Nation States, Activists, Terror Groups (BRAZEN, COMPLEX, PERSISTENT). Motives: IP Theft, Damage, Disruption
8. Business Compromise Email Attacks
• What a business compromise email attack is and what it can do
• Some numbers
• How the attacks work
• A real (and costly) example
• How to protect yourself and your company
9. What Is A Business Compromise Email Attack
• Cyber criminal impersonates an executive (often the CEO) and attempts to get an employee, customer or vendor to transfer funds or sensitive information to the phisher
• So notice, it’s not always within one company
• And it is not always (initially) financially motivated
10. FBI Data on Business Compromise Email
Worldwide
• And not related to company size
• SMEs and Enterprises are just as likely to get the same phish attempts
• Enterprises tend to have better payment protection in place
It is largely unknown how victims are selected
• The subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam.
Victims may also first receive “phishing” e-mails
• Requesting additional details regarding the business or individual being targeted (name, travel dates, etc.).
Bank accounts used in the attack cannot be predicted
• May have been set up as part of another “money mule” fraud
• Accounts set up and money transferred through them
• Innocent party account being used
11. Business Compromise Email or Whaling Attacks
• Business email compromise attacks cost global industries over $5.3B last year (and $3B the year before)
• “SMEs have not historically been the target of cybercrime but in 2015 something drastically changed,” Toni Allen, UK head of client propositions at the British Standards Institute (BSI).
• According to the latest statistics released by cyber security firm Symantec, 1 in 2000/3000 emails in 2016 was a phishing attack, and the organization size does not impact this
12. Email Phishing Rate
13. Companies of all sizes are prone to BEC attacks
• Proofpoint data indicates no correlation between the size of the company and BEC attack volume.
• Larger companies make for attractive targets because they have more funds to draw on and greater organizational complexity to hide behind, even if they tend to have stricter financial controls.
• And while smaller companies may not yield the same returns, the relative absence of financial controls makes them more vulnerable.
14. Scary Facts
• 40,203 BEC attacks (known) in the last three years and a 2370% increase in identified losses taking place from Jan 2015 to Dec 2016
• BEC attacks increased by 45 percent in the last three months of 2016 vs. the prior three months.
• 2/3 of all BEC attacks spoofed their email address domain so that their fraudulent emails displayed the same domain as that of the company targeted in the attack
• While CEO impersonation continues in BEC attacks, cybercriminals are increasingly targeting victims deeper within organizations.
15. BEC In The News
• Southern Oregon University
  • $1.9M paid to the “construction company” working at the University, announced this month
• The 'bogus boss' email scam costing firms millions
  • Etna Industrie, France - €100,000
  • http://www.bbc.com/news/business-35250678 - Jan 2016
• Manufacturing, retail and technology organizations are generally more targeted with BEC attacks
16. How Do Business Compromise Email Schemes Work?
• Version 1: Bogus Invoice Scheme
• Version 2: CEO Fraud
• Version 3: Account Compromise
• Version 4: Lawyer Impersonation
• Version 5: Data Theft
17. BEC Video
18. Bogus Invoice Scheme
1. Cybercriminal compromises employee email
2. Compromised account is used to send notifications to customers
3. Payments are transferred to cybercriminal’s account
4. Cybercriminal receives money
19. CEO Fraud
1. Cybercriminal poses as company exec and emails finance person
2. Finance sends funds to cybercriminal’s account
3. Cybercriminal receives money
20. Account Compromise
1. Compromised employee account is used to request payment
2. Recipients transfer payments to cybercriminal’s account
3. Cybercriminal receives money
21. Lawyer Impersonation
1. Cybercriminal poses as lawyer and emails finance person
2. Finance sends to cybercriminal’s account
3. Cybercriminal receives money
22. Data Theft
1. Cybercriminal compromises employee email
2. Compromised account is used to send notifications to customers
3. PII is sent to cybercriminal’s account
4. Cybercriminal receives PII, uses it for further compromise attacks
23. Where Does It Happen
24. Real (Redacted) Example Of Some BEC
25. How To Protect Your Company
Avoid: Avoid free “web based” accounts for your company
• Establish a domain name and use it to establish communications
Take Care: Take care in posting to social media sites
• Especially job duties/descriptions, hierarchical information, and out of office details
Be Suspicious: Be suspicious of requests for secrecy or pressure to take action quickly
Consider: Consider additional IT and financial security procedures, including the implementation of a 2-step verification process
26. How To Protect Your Company
Significant Changes: Beware of sudden changes in business practices
Register: Register all company domains that are slightly different than the actual company domains
Verify: Verify changes in vendor payment location or details
• For example, adding additional two-factor authentication such as having a secondary sign-off by company personnel
Know: Know the habits of your customers, including the details of, reasons behind, and amount of payments
27. Reporting Loss
Act Immediately: Notify your financial organization when you discover the fraud
Police: Contact law enforcement in your territory regardless of how small the fraud is
• www.ic3.com (US)
• actionfraud.police.uk
28. End User Education
• Raise executive and then all employee awareness
• It is often human error that leads to the compromise in the first place
• Beware of high level executive emails that are unexpected
• Get a secondary verification of the request
29. Ensure Proper Controls Are In Place
• Verify fund transfers
• Verify changes in invoice payment details with a secondary verification
• Use common sense
30. Protect
• Intentionally phish your users (i.e. phishme.com) and see what happens
• Implement DMARC (with SPF) and use a DMARC aggregator service
• Keep your email protection service with a company that is innovating
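The DMARC bullet above is where the spoofed-domain statistic from the “Scary Facts” slide is actually addressed: a published DMARC policy lets receiving mail servers reject or quarantine mail that claims to come from your domain but fails aligned SPF/DKIM, and the aggregate (RUA) reports that a DMARC aggregator service collects are how you see who is sending as you. The following is an added example, not code from the presentation or from any aggregator product. It does two things a defender checks: it parses a DMARC TXT record and flags weak settings (a `p=none` policy only monitors), and it parses an RFC 7489 aggregate report to total the mail that passed DMARC versus the mail that failed, listing the failing source IPs. The domain `example.com`, the report contents and the IP addresses are constructed sample data.

```python
"""Check a DMARC DNS record for weak settings and summarise a DMARC aggregate report.

Added example for the "Implement DMARC (with SPF)" recommendation; the
sample record and report below are constructed, not real data.
"""
import xml.etree.ElementTree as ET

# Constructed DMARC TXT record as it would be published at _dmarc.example.com.
SAMPLE_DMARC_TXT = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100"

# Constructed aggregate (RUA) report in the RFC 7489 XML schema.
# Record 1: mail from the real mail server, SPF and DKIM aligned and passing.
# Record 2: mail spoofing example.com in the From: header. The sender's own
#           envelope domain (mailer.example.net) passes SPF, but it is not
#           aligned with example.com, so the DMARC evaluation fails.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>constructed-report-001</report_id>
    <date_range><begin>1497960000</begin><end>1498046400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>mailer.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=...; rua=...') into lower-cased tag/value pairs."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def policy_warnings(tags: dict) -> list:
    """Return human-readable warnings for settings that leave spoofed mail deliverable."""
    warnings = []
    if tags.get("v", "").upper() != "DMARC1":
        warnings.append("v=DMARC1 missing: receivers will ignore the record")
    policy = tags.get("p")
    if policy is None:
        warnings.append("p= tag missing: the record is invalid")
    elif policy == "none":
        warnings.append("p=none only monitors: spoofed mail is still delivered")
    if "rua" not in tags:
        warnings.append("rua= missing: no aggregate reports will be sent to you")
    if tags.get("pct", "100") != "100":
        warnings.append(f"pct={tags['pct']}: policy applies to only part of the mail stream")
    return warnings


def parse_aggregate_report(xml_text: str) -> dict:
    """Total DMARC passes/fails per the receiver's aligned evaluation and list failing sources."""
    root = ET.fromstring(xml_text)
    summary = {"domain": root.findtext("policy_published/domain"),
               "passed": 0, "failed": 0, "failing_sources": []}
    for record in root.findall("record"):
        row = record.find("row")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # DMARC passes when either the aligned DKIM or the aligned SPF check passes.
        if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
            summary["passed"] += count
            continue
        summary["failed"] += count
        summary["failing_sources"].append({
            "source_ip": row.findtext("source_ip"),
            "count": count,
            "disposition": evaluated.findtext("disposition"),
            "header_from": record.findtext("identifiers/header_from"),
            "spf_domain": record.findtext("auth_results/spf/domain"),  # who SPF really vouched for
        })
    summary["failing_sources"].sort(key=lambda s: s["count"], reverse=True)
    return summary


if __name__ == "__main__":
    for warning in policy_warnings(parse_dmarc_record(SAMPLE_DMARC_TXT)):
        print("WARNING:", warning)
    report = parse_aggregate_report(SAMPLE_REPORT)
    print(f"{report['domain']}: {report['passed']} passed, {report['failed']} failed")
    for source in report["failing_sources"]:
        print(f"  {source['source_ip']} sent {source['count']} as {source['header_from']} "
              f"(SPF domain: {source['spf_domain']}, disposition: {source['disposition']})")
```

The second record shows the detail that matters for BEC: the spoofer’s mail can pass SPF for the domain they control, so only the alignment check that DMARC adds ties authentication to the domain the user sees in the From: header. Run the record check against your own `_dmarc` TXT record and move from `p=none` to `p=quarantine` or `p=reject` once the aggregate reports show that all legitimate senders are passing.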
31. Questions? | Thank You!
Brian Reid
brian@nbconsult.co
We’d like to know what you think! Please fill out the evaluation form you received at the registration desk for this session.
Session recordings and materials: Materials will be available on Office365Engage.com soon