Business Email Compromise Attacks on the Rise in 2020

By: Lewis Brisbois' Data Privacy & Cybersecurity Team

A business email compromise (BEC) is a cyber crime that utilizes access to an organization’s email to defraud that organization and its employees, customers, or partners. BEC attacks can take a variety of forms and can be sophisticated and complex. A common example is a targeted phishing attack in which a malicious attacker conducts sufficient reconnaissance to deliver a type of email message the employee would expect to receive in the regular course of their occupation. It may request that they enter their user credentials to use an application that they would commonly use. In doing so, they unwittingly provide their user credentials to the malicious attacker. The attacker then logs on to the account, intercedes in email communication with a vendor, changes an account number on payment information, and causes payment to be transferred to the attacker’s account.  

BEC claims are one of the primary cyber insurance claims in 2020 and are consistently on the rise. The FBI has issued warnings about the rise of BEC exploits, which were responsible for over $1.77 billion in losses in 2019.

In 2020, COVID-19 has provided attackers with a new source for BEC exploits. Attackers are taking advantage of the need for communications surrounding COVID-19 and increased remote work connections from employee home networks to their employers’ corporate networks. 

According to cybersecurity firm Proofpoint Inc., COVID-19-related “phishing” attacks have been increasing daily since January. These phishing emails contain content such as advice to employers on combatting COVID-19 in the workplace, false invoices for purchases of medical and cleaning equipment, and fake alerts from health or government organizations related to COVID-19, and often appear to be from legitimate organizations. When these emails are opened, malware is released, which allows the attacker to access and potentially compromise an employer’s network security. These compromised email accounts then serve as an attack route to the employer’s larger computer network. 

In this era of COVID-19, here are some recommended steps to protect your organization against BEC attacks:

• Deploy multi-factor authentication so that even if user credentials are compromised, the account generally cannot be accessed without the second means of authentication;
• Set global policies to prevent rule changes so that, absent explicit authorization from the administrator of the email platform, users should not be able to install or change rules such as mail forwarding; 
• Deploy Domain-based Message Authentication, Reporting & Conformance (DMARC) on the domain of the organization so that emails attempting to spoof the actual domain are blocked from delivery;
• Deploy external message flagging so that users will always have notice that a message is from an external source;
• Use complex passwords of at least 12 characters or more because the longer the password, assuming some complexity, the more difficult it is to compromise;
• Limit administrative privileges to only those information technology personnel necessary to administer the email platform;
• Scan for and disable inactive accounts;
• Enable audit logging and extend log retention schedules to at least 90 days, and then archived for up to 12 months, if possible;
• Create and maintain the human firewall. It is more important than ever before to engage employees – and the endpoints to their networks – about their role in safeguarding access to company information. 

In addition to protecting the email platform, there are other measures that can be taken to mitigate economic harm. The first is to ensure you have obtained appropriate cyber insurance. In the rapidly evolving digital landscape, cyber insurance is more important than ever before. A forensics investigation of a BEC can be expensive but necessary to identify how the attack occurred, when it occurred, and who or what it may have impacted. Regarding fraudulent wire transfers, if possible, secondary authorization should be required to verify changes in vendor payment information or contact information, or to approve the transfer of funds. 

Employers and their employees are particularly vulnerable due to the novel nature of COVID-19, the speed at which it is spreading, and the constant evolution of information regarding the illness. Employers must remain vigilant and aware of their employees’ desire for information, advice, and protection against COVID-19. Defending against email account compromises should be part of every information security program, but it is especially important in the COVID-19 era.

For more information on BECs, examples, associated risks, and prevention tips and tricks, check out our previous post, “Business Email Compromises: Tips For Prevention & Response.”