Email is one of many organizations’ most critical applications. Facilitating both internal and third-party communications, and full of capabilities like attachments, links, and calendaring, business email has become integral. Yet for many organizations, email also makes up the organization’s largest internet-facing computing service. With “allow all” and “disallow by exception” default inbound and outbound communications, email is also easy to infiltrate and take down. While email compromise is nothing new, the pace and complexity of attacks have drastically increased in recent years.
Criminal profiteers have capitalized on the remote and hybrid work settings many businesses have created. They have realized that email fraud can be applied in scale and be highly lucrative. Remote and hybrid working has increased many organizations’ attack surface area while, at the same time, has decreased the level of face-to-face and one-to-one communication among workers. This combination results in business email systems being desirable targets for threat actors.
From 2017 to 2021, FBI Cybercrime data recorded almost 3 million total complaints, resulting in business losses of $18.7 billion — with $6.9 billion in losses in 2021 alone — and the numbers have risen year over year for the past decade. At the top of the list of crime types and resulting losses is business email compromise (BEC) with nearly $2.4 billion in losses in 2021. While BEC has been traditionally defined as a broad term encompassing multiple forms of email attacks, such as malicious attachments or exchange exploits, the threat landscape has evolved, and businesses must take new steps to defend their environments. Strong preventative technical controls and employee awareness remain the best defenses.
The anatomy of an attack
While there are notable exceptions, the majority of BEC activity is orchestrated by criminal profiteers with the goal of leveraging fraudulent schemes to steal money. Often in the form of counterfeit vendor payments via accounts payable or other finance department fraud, these criminal profiteers typically follow the same general timeline and approach. After identifying an accounting department target and an authority (usually the CEO or CFO) within a company, they breach the authority’s email account by defeating weak authentication controls, such as passwords and multifactor authentication. The attackers then groom the target by sending phishing emails or making telephone calls to persuade the target that they are conducting a legitimate business transaction. Once the victim is convinced the transaction is genuine, wiring instructions are sent directing the funds to a bank account controlled by the criminal profiteer. Again, the remote and hybrid work environment expedited by the pandemic has made this scenario even easier for these threat actors. The victims generally trust that their business email correspondence is protected and secure, and the checks and balances once provided by in-office interaction have been greatly diminished.
Strengthen identity management
Even with growing awareness of the rise of cyberattacks and the potential for enormous financial loss, many organizations are not leveraging existing technology to prevent intrusion. Microsoft noted in December 2021 that just 22% of its customers using its cloud-based identity platform Azure Active Directory (AAD) had implemented strong authentication controls, such as multifactor authentication (MFA). One key technical control that is easy to implement is to strengthen authentication controls, which means enforcing MFA. MFA solutions should not include the softer “push” approvals, and organizations should enable MFA location and number matching. Additionally, legacy (older or outdated) authentication protocols for Exchange should be permanently disabled, and password expiration should be strictly enforced.
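As an added example (not part of the article), the following Exchange Online PowerShell session shows one way to enforce the "disable legacy authentication" recommendation: it creates an authentication policy that denies Basic authentication for every protocol, makes it the tenant default, and turns off SMTP AUTH. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the policy name is a placeholder. MFA number matching and location context are set in the Microsoft Entra admin center (Authentication methods policy) rather than in Exchange, so they are not shown here.

```powershell
# Added example: block legacy (Basic) authentication in Exchange Online.
# Assumes the ExchangeOnlineManagement module and Exchange admin rights.
Connect-ExchangeOnline

$policyName = 'Block Legacy Auth'   # placeholder policy name

# A new authentication policy denies Basic auth for every protocol unless an
# -AllowBasicAuth* switch is given, so creating it with none yields a deny-all policy.
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# Make it the tenant default: any user without an explicit policy inherits it.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# Disable SMTP AUTH organization-wide so clients cannot submit mail with a bare password.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Verification: list users that carry a different explicit policy, i.e. exceptions
# that still allow legacy auth and should be reviewed.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy -and $_.AuthenticationPolicy -ne $policyName } |
    Select-Object UserPrincipalName, AuthenticationPolicy |
    Format-Table -AutoSize
```

A per-user policy assigned with Set-User overrides the default, so the verification step matters: the most common gap is a service account that was given an "allow Basic" exception and never revisited. Authentication policy changes can take up to 24 hours to take effect for existing users.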
Harden payment approval processes
Implementing multiple-employee approval requirements and limiting the number of employees who are authorized to initiate and approve transactions also helps to limit the impact of a business email compromise. When the accounts payable person can no longer stick their head inside the CFO’s office to confirm an odd transaction or the CFO is on vacation (which the threat actors know about because they also have calendar access), having a multi-employee approval process is an essential control.
Harden email defenses
Modern email solutions have inherent weaknesses that need to be hardened. Businesses should understand their email flow and enforce strong technical controls, including a comprehensive review of their delegation and account permissions. Hardening of controls in business email systems can also be achieved by configuring the email platform to prohibit MX gateway bypass and username enumeration, as well as by disabling or restricting Exchange Web Services (EWS) access. Inbound email controls include rigorous filtering of attachments and URLs, as well as prohibiting macros in documents and spreadsheet files. Savvy IT departments should take heed of these recommendations and make protecting their business email systems a priority.
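As an added example (not the article's own code), this Exchange Online PowerShell session applies four of the controls just listed: restricting EWS to an explicit allow-list, blocking automatic forwarding to external recipients, filtering executable and macro-bearing attachment types, and rejecting inbound external mail that bypasses the MX gateway. It assumes the ExchangeOnlineManagement module and admin rights; the service-account address, gateway IP range and rule name are placeholders.

```powershell
# Added example: hardening mail flow in Exchange Online.
# Assumes the ExchangeOnlineManagement module and Exchange admin rights.
Connect-ExchangeOnline

# 1. Disable Exchange Web Services for every mailbox not on an explicit allow-list
#    (placeholder: an integration account that genuinely needs EWS).
$ewsAllowList = @('svc-crm@example.com')
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.EwsEnabled -and ($ewsAllowList -notcontains $_.PrimarySmtpAddress) } |
    ForEach-Object { Set-CASMailbox -Identity $_.Identity -EwsEnabled $false }

# 2. Block automatic forwarding to external recipients, both at the remote-domain
#    level and in the outbound spam policy (covers inbox rules and mailbox forwarding).
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 3. Reject executable and macro-enabled attachment types via the common-attachment filter.
$blockedTypes = @('exe', 'scr', 'js', 'vbs', 'hta', 'ps1', 'docm', 'xlsm', 'pptm', 'iso', 'img')
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes $blockedTypes

# 4. Prevent MX-gateway bypass: reject external mail whose last hop is not the gateway.
#    Placeholder range; replace with the gateway's actual egress addresses.
$gatewayRanges = @('203.0.113.0/24')
New-TransportRule -Name 'Reject mail bypassing the gateway' `
    -FromScope NotInOrganization `
    -ExceptIfSenderIpRanges $gatewayRanges `
    -RejectMessageReasonText 'Mail must be delivered through the organization mail gateway.' `
    -RejectMessageEnhancedStatusCode '5.7.1'
```

Two caveats a practitioner should keep in mind: EWS is still used by some first-party features (for example, Outlook for Mac and Teams calendar integration), so disable it in stages and watch for breakage; and the gateway-bypass rule is only as good as the IP list, so update it whenever the gateway's egress addresses change, or legitimate mail will be rejected.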
Prepare to operate without email
Do your disaster recovery and incident response plans have contingencies for no email service? If your email system is compromised or brought down, it’s essential to have alternative communications media standing by. Ensure cellphone numbers, landlines, and chat services are included in your incident response and business continuity plans. Consider having a secondary email service (e.g., Hotmail, Hushmail, Gmail, etc.), with accounts for key stakeholders that can be used in an emergency or security incident.
Employee awareness and training
Your employees should be instructed to watch for symptoms of an attack; every employee can function as a security officer if properly trained. Traditional employee awareness programs fall short of preparing employees to combat malicious requests, because the content of a BEC message is highly relevant to the recipient’s work and the usual warning cues can be nonexistent. Businesses should educate their employees that phishing emails are no longer easy to spot and that they should take an analytical approach to suspicious activity. A few of the activities to watch out for include missing email messages, emails with slightly incorrect details or misspellings, the creation of new email folders or email mailbox rules, unusual email addresses, or emails being forwarded outside of the organization. Out-of-band questions or comments in an email that do not make sense and unexpected MFA requests are also red flags. Employees should also watch for unusual sign-in events or unexpected employee statuses, such as a colleague being active at unusual hours while also out of the office. The only sure way to find out whether your organization’s employees are prepared for email attacks is to perform social engineering awareness testing. This testing should not only assess employee awareness, but also include follow-on technical attacks that reveal the full impact.
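The mailbox-side symptoms listed above (new mailbox rules, external forwarding, messages going missing) can also be hunted for centrally by the IT or security team rather than left to individual users. As an added example (not from the article), this Exchange Online PowerShell script flags inbox rules that forward or redirect outside the organization or that hide mail, lists mailbox-level forwarding, and pulls recent rule and forwarding changes from the unified audit log. It assumes the ExchangeOnlineManagement module, admin rights and audit logging enabled; the accepted-domain list and lookback window are placeholders. Unusual sign-in events live in the Entra sign-in logs and are not covered here.

```powershell
# Added example: hunting for BEC-style mailbox manipulation in Exchange Online.
# Assumes the ExchangeOnlineManagement module, admin rights, and unified audit logging.
Connect-ExchangeOnline

$internalDomains = @('example.com')   # placeholder: your accepted domains
$lookbackDays = 7                     # placeholder lookback window

function Test-ExternalAddress {
    param([string]$Address)
    # Rule recipients render as '"Name" [SMTP:user@domain]' or plain 'user@domain';
    # extract the domain and compare against the accepted-domain list.
    if ($Address -match '@([A-Za-z0-9.-]+)') {
        return ($internalDomains -notcontains $Matches[1].ToLower())
    }
    return $false
}

# 1. Inbox rules that forward/redirect externally or silently hide messages.
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
        $targets  = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) |
                    Where-Object { $_ }
        $external = @($targets | Where-Object { Test-ExternalAddress "$_" })
        # Hiding patterns: delete, mark as read, or move to folders victims rarely open.
        $hides = $rule.DeleteMessage -or $rule.MarkAsRead -or
                 ("$($rule.MoveToFolder)" -match 'RSS|Archive|Junk|Deleted|Conversation History')
        if ($external.Count -gt 0 -or $hides) {
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Rule     = $rule.Name
                Enabled  = $rule.Enabled
                External = ($external -join '; ')
                Hides    = [bool]$hides
            }
        }
    }
}
$findings | Format-Table -AutoSize

# 2. Mailbox-level forwarding configured outside of any inbox rule.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Who changed rules or forwarding recently, with the source IP from the audit record.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$lookbackDays) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations,
        @{ Name = 'ClientIP'; Expression = { ($_.AuditData | ConvertFrom-Json).ClientIP } } |
    Sort-Object CreationDate -Descending |
    Format-Table -AutoSize
```

A rule named with a single character or a space, forwarding to an external address, and moving mail to "RSS Subscriptions" is a classic post-compromise footprint; the audit-log step ties such a rule back to the time and client IP of its creation, which is what the incident responder needs first. Running the first two sections on a schedule and diffing the output against the previous run turns this from a one-off check into a standing detection.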
While email compromise is by far the preferred approach by criminal profiteers, there are isolated cases where fictitious vendor phone calls have been used. Employee training should also include this scenario, and employees should be instructed to verify the purpose of any suspicious call and trained not to trust the caller.
React quickly to an incident
Businesses should implement a clearly defined process for reporting suspicious incidents and dedicate resources to be on call. Remember, vigilance is key, and as with any suspected crime, “if you see something, say something” is a good rule to follow. If an incident is detected, there are critical steps that should be taken to eliminate threat persistence. For an incident assessment of the situation, you should contact the FBI’s Internet Crime Complaint Center (IC3) Recovery Asset Team (RAT). The RAT can act quickly to mitigate the situation through its access to every financial institution in the world and has achieved an impressive success rate in freezing funds and keeping them out of the hands of criminal profiteers.
Make cybersecurity part of the conversation
With the cybersecurity threat landscape worsening, businesses need to balance convenience and user and client satisfaction when implementing stronger technical email defenses and heightening employee awareness through training. Businesses should make cybersecurity part of the conversation while making sure to thank employees, customers, and business associates for inherent inconveniences when implementing information security improvements.