Organizations that use cloud-based email systems are at high risk of Business Email Compromise (BEC) attacks, according to a new announcement from the FBI. The bureau has warned that the scams begin with phishing kits designed to mimic two popular cloud-based email services, luring employees into compromising business email accounts and misdirecting funds transfers. The FBI stated that its Internet Crime Complaint Center (IC3) received complaints between January 2014 and October 2019 claiming more than US$2.1 billion in losses from BEC scams.
What is a BEC Attack?
A BEC attack is a sophisticated scam targeting an end user or a business that performs electronic payments such as wire transfers or automated clearing house (ACH) transfers. In a BEC attack, the attackers first steal legitimate business email account credentials, which they later use to carry out financial fraud: sending fraudulent email messages, requesting out-of-channel funds transfers, and deleting accounting trails.
“Organizations have increasingly moved from on-site email systems to cloud-based email services. Losses from BEC scams overall have increased every year since IC3 began tracking the scam in 2013. BEC scams have been reported in all 50 states and in 177 countries. Small and medium-size organizations, or those with limited IT resources, are most vulnerable to BEC scams because of the costs of robust cyber defense,” the FBI said in the statement.
The FBI also issued a list of recommendations to prevent BEC attacks:
For End-Users:
- Enable multi-factor authentication for all email accounts
- Verify all payment changes and transactions in person or via a known telephone number
- Educate employees about BEC scams, including preventative strategies such as how to identify phishing emails and how to respond to suspected compromises
For IT Administrators:
- Prohibit automatic forwarding of email to external addresses
- Add an email banner to messages coming from outside your organization
- Prohibit legacy email protocols, such as POP, IMAP, and SMTP, which can be used to circumvent multi-factor authentication
- Ensure changes to mailbox login and settings are logged and retained for at least 90 days
- Enable alerts for suspicious activity, such as foreign logins
- Enable security features that block malicious emails, such as anti-phishing and anti-spoofing policies
- Configure Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication Reporting and Conformance to prevent spoofing and validate email
- Disable legacy account authentication
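The following script is an added example, not code from the FBI announcement or from any email provider. It turns several of the IT-administrator recommendations above into checks a defender can run: it validates that a domain's SPF record ends in a hard fail and that its DMARC policy is enforcing, and it scans mailbox audit events for two classic BEC indicators, sign-ins from an unexpected country and inbox rules or mailbox settings that forward mail outside the organization. The DNS TXT records and the JSON-lines audit events are constructed inline; ORG_DOMAIN, EXPECTED_COUNTRIES, and the event field names are assumptions chosen for the example rather than any provider's real export format.

```python
"""Added example: defender-side checks for the FBI's BEC recommendations.
Not FBI or provider code; all records and audit events below are constructed."""
import json
from typing import Dict, List

ORG_DOMAIN = "example.com"       # assumption: the organisation's own mail domain
EXPECTED_COUNTRIES = {"US"}      # assumption: countries staff normally sign in from

# --- 1. Email authentication (SPF / DMARC) ---------------------------------
# Constructed TXT records, in the form a DNS lookup would return them.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.mailprovider.example -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 include:_spf.mailprovider.example ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

def check_email_auth(domain: str, txt=SAMPLE_TXT) -> Dict[str, str]:
    """Report whether `domain` has an enforcing SPF record and DMARC policy."""
    findings = {}
    spf = [r for r in txt.get(domain, []) if r.startswith("v=spf1")]
    if not spf:
        findings["spf"] = "missing"
    elif spf[0].rstrip().endswith("-all"):
        findings["spf"] = "ok"                       # hard fail for unlisted senders
    else:
        findings["spf"] = "weak: does not end with -all"
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    if not dmarc:
        findings["dmarc"] = "missing"
    else:
        tags = dict(kv.strip().split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
        policy = tags.get("p", "none")
        findings["dmarc"] = "ok" if policy in ("quarantine", "reject") else f"weak: p={policy}"
    return findings

# --- 2. Mailbox audit events ------------------------------------------------
# Constructed JSON-lines events; field names are assumptions for this example.
SAMPLE_AUDIT_LOG = """
{"time":"2020-04-06T08:12:00Z","user":"cfo@example.com","op":"UserLoggedIn","country":"US"}
{"time":"2020-04-06T23:40:00Z","user":"cfo@example.com","op":"UserLoggedIn","country":"NG"}
{"time":"2020-04-06T23:42:00Z","user":"cfo@example.com","op":"New-InboxRule","forward_to":"attacker@mail.example"}
{"time":"2020-04-07T09:00:00Z","user":"ap@example.com","op":"New-InboxRule","forward_to":"archive@example.com"}
{"time":"2020-04-07T09:05:00Z","user":"ap@example.com","op":"Set-Mailbox","forwarding_smtp_address":"ap.personal@webmail.example"}
"""

def find_bec_indicators(log_text: str) -> List[Dict[str, str]]:
    """Flag foreign sign-ins and any forwarding target outside ORG_DOMAIN."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        user = ev["user"]
        if ev["op"] == "UserLoggedIn" and ev.get("country") not in EXPECTED_COUNTRIES:
            alerts.append({"user": user, "type": "foreign_login", "detail": ev["country"]})
        # Both inbox rules and mailbox-level forwarding can exfiltrate mail.
        target = ev.get("forward_to") or ev.get("forwarding_smtp_address")
        if target and not target.lower().endswith("@" + ORG_DOMAIN):
            alerts.append({"user": user, "type": "external_forwarding", "detail": target})
    return alerts

if __name__ == "__main__":
    for d in ("example.com", "weak.example"):
        print(d, check_email_auth(d))
    for a in find_bec_indicators(SAMPLE_AUDIT_LOG):
        print(a)
```

The forwarding check deliberately treats an inbox rule and a mailbox-level forwarding address the same way, since either one silently copies mail to an attacker-controlled address after a credential theft; the internal forward to archive@example.com produces no alert, which keeps the check usable on real logs where internal rules are routine.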
In its earlier report, the “2019 Internet Crime Report”, the IC3 revealed that cybercriminals obtained as much as US$3.5 billion from crimes reported to the FBI in 2019. The FBI received 467,361 complaints from individuals and businesses during the year and has received nearly five million since 2000. The report showed that a total of 1,707,618 complaints, with US$10.2 billion in losses, were filed over the last five years. It also stressed that phishing and extortion remain the most popular ways attackers scam people, adding that criminals are using increasingly sophisticated techniques, making their activity harder for security professionals to detect.