Business Email Compromise (BEC) scams are on the rise and have already generated actual losses totaling $2.1 billion in the past five years. Now, the FBI has issued yet another warning regarding the impersonation of a couple of popular cloud-based email services used in BEC scams.
BEC scams follow a clear pattern: users are tricked into logging in to fake cloud-based email services that copy how the real ones look and act. The attackers' goal is usually the same, to gather credentials that can then be used to sign in legitimately to the real accounts.
Popular cloud-based email services are used all the time for their messaging capabilities, shared calendars, backup storage, and much more. BEC attackers target the users of these services through such fake login pages to gain access to their mailboxes, which then allows them to trick the companies into making wire transfers, automated clearing house (ACH) transfers, or simple electronic payments.
“Losses from BEC scams overall have increased every year since IC3 began tracking the scam in 2013. BEC scams have been reported in all 50 states and in 177 countries. Small and medium-size organizations, or those with limited IT resources, are most vulnerable to BEC scams because of the costs of robust cyber defense,” reads the FBI advisory.
One of the most common ways to steal email credentials is through phishing campaigns, usually targeted at employees of specific companies. Now, with the COVID-19 epidemic putting people on lockdown and working from home, BEC scams are likely to increase in number and to take advantage of the situation.
Since people are no longer at the office, receiving a legitimate-looking email that asks them to change their password might not seem all that suspicious. But that's exactly what the criminals are looking for.
“Using the information gathered from compromised accounts, cyber criminals impersonate email communications between compromised businesses and third parties, such as vendors or customers, to request pending or future payments be redirected to fraudulent bank accounts,” the FBI also says.
While many cloud-based email services offer numerous layers of protection, many of these protections have to be configured manually, and some companies or users never go through the trouble.
The FBI has a number of recommendations for end-users and IT administrators. People are advised to enable two-factor authentication, to verify all payment changes and transactions in person or via a known telephone number, and to educate the rest of the users about BEC scams and how to identify phishing emails.
As for IT administrators, the list of recommendations from the FBI is much more extensive and to the point.
- Prohibit automatic forwarding of email to external addresses.
- Add an email banner to messages coming from outside your organization.
- Prohibit legacy email protocols, such as POP, IMAP, and SMTP, that can be used to circumvent multi-factor authentication.
- Ensure changes to mailbox login and settings are logged and retained for at least 90 days.
- Enable alerts for suspicious activity, such as foreign logins.
- Enable security features that block malicious email, such as anti-phishing and anti-spoofing policies.
- Configure Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication Reporting and Conformance to prevent spoofing and validate email.
- Disable legacy account authentication.
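Several of the FBI's recommendations above (logging mailbox setting changes, alerting on foreign logins, blocking external auto-forwarding and legacy protocols) can be turned into simple review logic over a mailbox audit log. The following is an added example, not code from the FBI advisory or any email provider; the event format, the `ALLOWED_COUNTRIES` and `INTERNAL_DOMAINS` values, and the sample events are all constructed for illustration and would need to be mapped onto your provider's real audit log fields.

```python
from typing import Dict, Iterable, List

# Assumptions for this example: staff normally sign in from the US, and the
# organization owns only example.com. Adjust both sets to your environment.
ALLOWED_COUNTRIES = {"US"}
INTERNAL_DOMAINS = {"example.com"}
# Legacy protocols the advisory says should be prohibited because they can
# bypass multi-factor authentication.
LEGACY_PROTOCOLS = {"POP3", "IMAP4", "SMTP"}


def external_forward(params: Dict) -> bool:
    """True if a mailbox rule or forwarding setting sends mail outside the org."""
    for addr in params.get("forward_to", []):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            return True
    return False


def review_events(events: Iterable[Dict]) -> List[str]:
    """Return one human-readable alert per suspicious audit event."""
    alerts: List[str] = []
    for ev in events:
        op, user = ev.get("op"), ev.get("user", "<unknown>")
        if op in ("InboxRuleCreated", "MailboxForwardingSet"):
            params = ev.get("params", {})
            if external_forward(params):
                alerts.append(f"{user}: {op} forwards mail to an external address")
        elif op == "SignIn":
            country = ev.get("country", "??")
            if country not in ALLOWED_COUNTRIES:
                alerts.append(f"{user}: sign-in from {country} ({ev.get('ip')})")
            if ev.get("protocol") in LEGACY_PROTOCOLS:
                alerts.append(f"{user}: legacy protocol {ev['protocol']} used to sign in")
    return alerts


# Constructed sample audit events (not real data) covering the cases above.
SAMPLE_EVENTS = [
    {"op": "SignIn", "user": "alice@example.com", "ip": "203.0.113.5",
     "country": "US", "protocol": "HTTPS"},
    {"op": "InboxRuleCreated", "user": "alice@example.com",
     "params": {"name": "cleanup", "forward_to": ["acct@mail-example.net"]}},
    {"op": "SignIn", "user": "bob@example.com", "ip": "198.51.100.77",
     "country": "NG", "protocol": "IMAP4"},
    {"op": "InboxRuleCreated", "user": "carol@example.com",
     "params": {"name": "to-self", "forward_to": ["carol.alt@example.com"]}},
]

if __name__ == "__main__":
    for line in review_events(SAMPLE_EVENTS):
        print(line)
```

Running the block reports alice's external forwarding rule and bob's foreign, legacy-protocol sign-in, while carol's internal forward is left alone.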