You have a Business Continuity Plan. You have a Disaster Recovery Plan and a Cyber Incident Response Plan. You even have a Ransomware Incident Response Plan. But do you have a Business Email Compromise (BEC) Incident Response Plan?
BEC or Email Account Compromise (EAC) was known as the $26 billion scam in 2019. The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) tallied over $1.8 billion in adjusted losses in 2020 and noted an increase in complaints, most likely tied to the work-from-home environment as a result of the pandemic. It’s not scary like ransomware and isn’t making headlines, but BEC losses are larger than ransomware losses and in 2020 were 40% of all the losses tracked by the IC3.
The basics of the BEC scam are explained in a July 2021 SecureWorld article that interviewed Stephen Dougherty of the U.S. Secret Service. Dougherty said:
“BEC is a cyber enabled financial fraud attack, where criminal actors get into email accounts. They get information that I call contemporaneous and privileged, meaning only you know what it is, and only the person you think you’re working with would have that information. Therefore, you believe you’re having a trusted conversation. They take that contemporaneous and privileged information and weaponize it.…”
BEC is a sophisticated scam with multiple victims. The malicious actors behind these scams often do this as their day job, so they do their research; they know the names of employees, vendors, and clients. It is also worth noting that victims of other types of scams, including romance scams, may be incorporated into the BEC scam in one fashion or another. While there are many variants of the BEC scam, they typically have a few things in common, most easily illustrated through several steps of the Lockheed Martin Cyber Kill Chain model.
1. Reconnaissance – BEC actors perform reconnaissance on potential victims, compiling lists of potential targets, visiting company websites, social media, and networking websites. They are looking for contact information, relationships, and other information, such as executive travel and vacation plans, that will make the emailed requests more credible.
2. Weaponization – While most BEC attacks don’t involve malware, it isn’t completely unheard of. For the most part, though, the BEC “weaponization” step consists of turning the reconnaissance into authentic-appearing email accounts and messages.
3. Delivery – The delivery component is often dependent on the target and the access the malicious actor has. For example, the wire fraud and invoice variants are usually directed at the financial department, the W-2 and direct deposit change request variants at the human resources (HR) department, the modified invoice variant at a supplier, and the art and real estate purchase variants at buyers. The originating email is most often from a webmail address that is designed to mimic an executive or supplier’s name and contact information but can sometimes originate from a compromised email account.
4. Exploitation and Actions on the Objective – Typically, the exploited vulnerability is a human, someone who can be tricked through social engineering rather than malware. The payouts of the scam include financial gains through wire transfers, gift cards, and cryptocurrency, as well as information for use in other activities. Below are some of the most common social engineering ruses used to trick the employee into taking action.
a. CEO Fraud variant: The malicious actor pretends to be a senior executive and contacts a member of the financial department requesting, via email, that funds be transferred to an outside account (owned by the attacker) via a wire transfer or other fund transfer mechanism. Another variant requests that a member of the HR department assist with changing the direct deposit information of the victim, resulting in the next paycheck being redirected. A more recent variant of this scheme asks the employee to purchase gift cards for a “surprise” or “award” and results in the employee sending the gift card numbers and PINs to the malicious actor.
b. False Invoice variant: An email requesting the payment of an invoice will be sent to the victim. The catch is that the email will contain an updated, fraudulent account number, owned by the attacker, resulting in the payment going to the attacker instead of the supplier. This variant is frequently used with businesses and government agencies that issue invoices, as well as art dealers and during real estate transactions.
c. Account Compromise variant: An employee’s email account is compromised and used to send email requests, either in furtherance of the CEO Fraud variant or the False Invoice variant. Interestingly, this variant is often a longer-term scam, with the malicious actors waiting in the compromised system to target a particularly large transaction.
d. Data Theft variant: This variant occurs when the malicious actor requests personal or sensitive information about the company or its employees, which can then be used for further crimes. HR employees are commonly targeted during these attempts, which include the W-2 variant requesting that HR send all W-2 tax information on employees to the malicious actors.
An impacted company can face losses beyond the direct financial consequences, including bankruptcy for businesses or individuals, job losses, staff being placed on leave, and being held at fault for data breaches that carry mandatory reporting requirements.
For example, the Account Compromise variant results in a compromise of the email server. The malicious actors often take advantage of this access to set up email forwarding and deletion rules that help further their scheme but can result in personally identifiable information (PII), protected health information (PHI), financial information, or credentials being transferred to the malicious actors. As a result, the company must now also clean up its network and deal with the legal and financial implications of the breach. In some cases, such as the False Invoice variant, the compromised account may belong to a separate entity from the one that lost the money, resulting in legal challenges.
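As an added example (not from the article or any vendor), here is a small Python triage routine that flags the kind of inbox rules described above: auto-forwarding or redirecting to an external domain, auto-deleting, moving mail into rarely-read folders, and filtering on payment-related subjects. The field names, the internal domain, and the three sample rules are constructed for this example and only loosely modelled on a mailbox rule export.

```python
from __future__ import annotations
from typing import Iterable

# Assumptions for this example: the organisation's own mail domain(s) and the
# payment-related subject terms BEC actors typically filter on.
INTERNAL_DOMAINS = {"example-corp.com"}
PAYMENT_KEYWORDS = ("invoice", "wire", "payment", "remit", "bank", "w-2", "direct deposit")
# Folders commonly used to park mail the mailbox owner would otherwise notice.
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "archive", "junk email"}


def external_addresses(addresses: Iterable[str]) -> list[str]:
    """Return the addresses whose domain is not one of our own."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def assess_rule(rule: dict) -> list[str]:
    """Return the reasons a single inbox rule looks like BEC tradecraft.

    An empty list means nothing suspicious was seen. A rule is judged on where
    it sends mail, whether it hides or deletes mail, which subjects it singles
    out, and whether its name was chosen to avoid notice.
    """
    reasons: list[str] = []
    targets = list(rule.get("forward_to", [])) + list(rule.get("redirect_to", []))
    ext = external_addresses(targets)
    if ext:
        reasons.append("forwards/redirects to external address: " + ", ".join(ext))
    if rule.get("delete_message"):
        reasons.append("deletes matching messages")
    if (rule.get("move_to_folder") or "").lower() in HIDE_FOLDERS:
        reasons.append("moves matching messages to " + rule["move_to_folder"])
    terms = [t.lower() for t in rule.get("subject_contains", [])]
    if any(k in t for t in terms for k in PAYMENT_KEYWORDS):
        reasons.append("filters on payment-related subject terms")
    if len(rule.get("name", "").strip()) <= 1:  # ".", " " or "" as a rule name
        reasons.append("rule has an empty or single-character name")
    return reasons


def triage(rules: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious rule's name to its reasons, skipping clean rules."""
    return {r["name"]: reasons for r in rules if (reasons := assess_rule(r))}


# Constructed sample export: three inbox rules from one mailbox.
SAMPLE_RULES = [
    {"name": "Newsletters", "subject_contains": ["newsletter"], "move_to_folder": "Newsletters"},
    {"name": ".", "forward_to": ["acct.payable.7731@webmail.example"],
     "subject_contains": ["invoice", "wire transfer"], "delete_message": True},
    {"name": "Cleanup", "redirect_to": ["payroll@example-corp.com"],
     "subject_contains": ["W-2"], "move_to_folder": "RSS Subscriptions"},
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_RULES).items():
        print(f"rule {name!r}: " + "; ".join(why))
```

Run against a real export, the same checks should also be applied to mailbox-level forwarding settings, which are set outside of inbox rules and are not covered here.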
BEC scams are known to impact organizations of every size and level, from small to extremely large businesses, governments, and nonprofits. Every state and 177 countries have reported BEC scam complaints.
The Cyber Incident Response Plan is a document that outlines the procedures and activities of responding to an incident. It details roles and responsibilities, ensuring the right people are notified, the right resources are available, and the right actions are taken in the right order even when adrenaline (and panic!) are high during the middle of a crisis. A BEC Incident Response Plan is likely going to be an appendix to the main Cyber Incident Response Plan, providing similar benefits.
Consider the following when deciding whether or not to create a BEC Incident Response Plan:
• Do you do any business via email? If yes, you are a possible target.
• Do you have more than one employee, volunteer, or staff member? If yes, you are a possible target.
• Are you responsible for financial accounts, money transfers, or sensitive information? If yes, even (and perhaps especially) if you use a vendor to assist, you are a possible target.
The BEC scam isn’t a headliner; you’re not going to see it above the fold in most newspapers, but it can be one of the simplest and most damaging attacks a business can face. Losses start at a couple hundred dollars and rapidly scale upward into the millions as the malicious actors perform reconnaissance to determine what a business can afford.
Effectively responding to a BEC scam takes some preparation that can minimize the losses and enable you to think clearly in the moment of crisis. This is one case where taking a few minutes to build out a BEC Incident Response Plan can mean the difference between losing the business or staying in business.